In this article we will focus on the Apache Tomcat Web server and how we can discover the administrator’s credentials in order to gain access to the remote system.So we are performing our internal penetration testing and we have discovered the Apache Tomcat running on a remote system on port 8180.
Our next step will be to open metasploit framework and to search for specific modules about the Apache Tomcat by using the command search Tomcat.
We have found an auxiliary scanner which will be the tool for our attempt to login to the Tomcat Application Manager.So we are selecting the scanner by using the command use auxiliary/scanner/http/tomcat_mgr_login and then we are configuring it properly as it appears on the next screenshot.
We don’t have to give to give a path for a password list in this module because it is already configured to scan the password from a specific list of the metasploit wordlists.However if we have an appropriate wordlist,bigger than the existing one we can select our own.So we run the scanner and we are waiting to see if it will discover any valid credentials.
The scanner have discovered valid credentials under the username tomcat and password tomcat.Now it is time to select the appropriate exploit in order to gain access to the remote target through the Apache Tomcat service.The metasploit framework has a specific module which can be used to execute a payload on Apache Tomcat servers that are running the manager application.
We can see from the above image that there is an option for username and an option for password to authenticate with the application in order to deliver the exploit.We already have valid credentials for this server from our previous scan so we will use them.The next image is showing how we have configured the exploit.
We will use the port 8180 instead of 80 because this is the port that the Apache Tomcat is running.Also as you can see it is important to set any valid credentials that you have discovered.
As you can the exploit is uploading the payload as a .war archive and then it tries to execute the .jsp application using a PUT request.The exploit work and now we have a shell on the remote target.As an alternative option for the payload we could have used a meterpreter payload in order to execute more commands on the target instead of a simple shell.
Alternatively if we just want to get access to the web server we could use the valid credentials that we already know in order to login from the admin panel to Apache through our browser.The next two images are showing that:
In this article we demonstrate of how to use some specific metasploit modules of Apache Tomcat web server in order to gain a shell to the remote system.Of course the key factor here was that we have discovered a valid account.In real penetration testings it would much more difficult to identify such weak credentials as here.However the methodology is the same and with a good wordlist you can have the job done.