Enumeration
Gobuster
Run a quick gobuster scan to see what other directories are available.
gobuster dir -u http://[Target IP]:8080 -w [Path to wordlist]

It looks like we have quite a few options here to explore. The most interesting to me are the /host-manager and /manager directories.
/aux (Status: 200) [Size: 0]
/com2 (Status: 200) [Size: 0]
/com1 (Status: 200) [Size: 0]
/com3 (Status: 200) [Size: 0]
/con (Status: 200) [Size: 0]
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/favicon.ico (Status: 200) [Size: 21630]
/host-manager (Status: 302) [Size: 0] [--> /host-manager/]
/lpt2 (Status: 200) [Size: 0]
/lpt1 (Status: 200) [Size: 0]
/manager (Status: 302) [Size: 0] [--> /manager/]
/nul (Status: 200) [Size: 0]
/prn (Status: 200) [Size: 0]
/aux

Nothing interesting in source code.
<html><head><title>Apache Tomcat/7.0.88 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /aux</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/aux</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.88</h3></body></html>
/com1, /com2, /com3, /con




Nothing in source code either.
/docs

Lots of good information here about the settings and setup of Tomcat, including default security settings.
Nothing in the source code.
/examples

This could be really good. This could be a means of uploading a reverse shell to the /examples directory and accessing it in here.
/lpt1, /lpt2, /nul, /prn
Nothing to note on any of these.
/host-manager
Looks like we get a login prompt. Let's see if we can find some default credentials for this since the rest of the web server isn't set up yet. We'll Google to see if we come up with anything.
I can also look at brute forcing this login as it doesn't stop me from making multiple attempts.
I found quite a few answers on Google, but the credentials admin:admin gave me some good information. I also found the following credentials that might work:
admin:admin
tomcat:tomcat
admin:[Nothing]
admin:s3cret
tomcat:s3cret
admin:tomcat

This is really good information and I'll check out conf/tomcat-users.xml.
Unfortunately, it looks like it doesn't exist.
I came back to this and tried the credentials tomcat:s3cret and was able to gain access to the page. These credentials don't work for /host-manager.
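
Seen from the defender's side, the same credential list can be checked against conf/tomcat-users.xml before a server is exposed. The following is an added example, not part of the original write-up: the sample XML is constructed and the name audit_tomcat_users is hypothetical. Entries that are still commented out in the file are ignored, since Tomcat ignores them too.

```python
import xml.etree.ElementTree as ET

# Default pairs listed in the write-up ("" stands for the empty password).
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
    ("admin", "s3cret"), ("tomcat", "s3cret"), ("admin", "tomcat"),
}
# Role prefixes covering manager-gui/script/jmx/status and admin-gui/script.
PRIVILEGED_PREFIXES = ("manager", "admin")

# Constructed sample, not taken from the target in the write-up.
SAMPLE = """<?xml version="1.0"?>
<tomcat-users>
  <!-- <user username="admin" password="admin" roles="manager-gui"/> -->
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="ops" password="constructed-Long-Unique-Value-91" roles="admin-gui"/>
</tomcat-users>"""

def audit_tomcat_users(xml_text):
    """Return (username, issue, privileged_roles) for each weak account."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Strip an XML namespace if present, then keep only <user> elements.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        # Tomcat's MemoryRealm accepts "username" or the older "name".
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        privileged = [r for r in roles if r.startswith(PRIVILEGED_PREFIXES)]
        if (name, password) in KNOWN_DEFAULTS:
            issue = "known default pair"
        elif password in ("", name):
            issue = "empty or username-as-password"
        else:
            continue
        findings.append((name, issue, privileged))
    return findings

if __name__ == "__main__":
    for user, issue, roles in audit_tomcat_users(SAMPLE):
        print(f"{user}: {issue}; manager/admin roles: {roles or 'none'}")
```

Any account reported with a non-empty role list can reach the Manager or Host Manager application and should have its password replaced or its entry removed.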


Let's explore the place to possibly upload a WAR file:
/manager
Let's check out this page now.
It gives me the same sign-in page as /host-manager, and the credentials admin:admin give me access. Unfortunately, this sends me to the same page as above, /manager/html.
Running a gobuster scan on this directory gave me a couple of areas to check out.
gobuster dir -u http://[Target IP]:8080/manager -w [Path to wordlist]

Only status can be accessed.
/manager/status

Now we have a lot of good information.
Tomcat Version --> Apache Tomcat/7.0.88
JVM Version --> 1.8.0_171-b11
JVM Vendor --> Oracle Corporation
OS Name --> Windows Server 2012 R2
OS Version --> 6.3
OS Architecture --> amd64
Hostname --> JERRY
It also shows a port of 8009. However, when I try visiting that page it hangs up and doesn't show anything. Could potentially be something listening on that end.
I found this possible exploit with HackTricks that I might be able to use.