
### Want to run this Docker container locally?
```bash
docker run -d --restart always --name flag-red72 -p 8080:8080 joshbeck2024/ctf-tomcat-mgr-war-upload-flag-red72
```
### Lab Objective
- In this lab, we'll identify an Apache Tomcat server running in its default configuration.
- We'll craft a malicious `.war` file. `.war` stands for Web Archive: a zip archive with a fixed layout (`WEB-INF/web.xml`, classes, JSP pages) that a Java servlet container knows how to run.
- When you drop a `.war` file into Tomcat's `webapps` folder, Tomcat detects it, unpacks it into a directory of the same name, and starts serving it under a matching context path (`hello.war` becomes `/hello`). This process is called "deployment."
- Once the application is deployed, each request that reaches Tomcat is handed to a worker thread from its connector pool, which runs the application's servlet or JSP code inside the JVM. Whatever that code does, it does with the privileges of the Tomcat process.
- Our `.war` file will contain a JSP that spawns a reverse shell, so deploying it is the same as running our code on the server.
- We'll use Metasploit to perform:
  - reconnaissance
  - exploitation
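To make the archive layout concrete, here is an added example (not part of the original lab, and not a reverse shell) that builds a minimal WAR the way Tomcat's auto-deployer expects it. The context name `hello` and the file names are assumptions; the JSP only prints where it was deployed, so it is safe to drop into a test instance.

```python
"""Build a minimal deployable WAR in the layout Tomcat's auto-deployer expects.

Added example, not code from the original lab. The JSP is deliberately
benign: the point is the archive structure, not the payload.
"""
import io
import zipfile

# The deployment descriptor. Tomcat will deploy an archive without one, but
# including it is the conventional layout and keeps older versions happy.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>hello</display-name>
</web-app>
"""

# A harmless JSP so the deployment can be verified in a browser:
# it reports the context path and the server build string.
INDEX_JSP = """<%@ page contentType="text/plain" %>
deployed at <%= request.getContextPath() %> on <%= application.getServerInfo() %>
"""


def build_war(extra_files=None):
    """Return the bytes of a WAR containing WEB-INF/web.xml and index.jsp.

    extra_files maps archive paths to bytes/str, e.g. compiled classes under
    WEB-INF/classes/ or further JSPs at the archive root.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr("index.jsp", INDEX_JSP)
        for name, data in (extra_files or {}).items():
            war.writestr(name, data)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the entry names of a WAR, sorted, as the deployer will unpack them."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def has_descriptor(war_bytes):
    """True if the archive carries the conventional WEB-INF/web.xml entry."""
    return "WEB-INF/web.xml" in war_entries(war_bytes)


if __name__ == "__main__":
    # Writing this file to $CATALINA_BASE/webapps/hello.war on a default
    # Tomcat deploys it at /hello (assumed path and context name).
    data = build_war()
    with open("hello.war", "wb") as fh:
        fh.write(data)
    print(war_entries(data))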
### Why Apache Tomcat?
- Tomcat usually sits between the public internet and internal databases.
- It handles sensitive data.
- It manages user sessions.
- It has direct access to back-end systems.
- A default Apache2 or Nginx server with no interpreter installed (PHP, for example) only serves static content. There isn't much server-side to attack if all you are serving is static `.html` files.
- Apache Tomcat hosts dynamic Java applications that support logins and database queries, so it presents a much larger attack surface than a simple static site.
### Step 1: Detection
- Apache Tomcat listens on port 8080 by default.
- Any service on port 8080, especially one exposed to the internet, is highly likely to be scanned to check whether it is Apache Tomcat.
- A widely used tool for automated detection is `nuclei`, which sends template-driven requests and matches the responses against known fingerprints.

### On Kali: Install nuclei
- It's best to install `nuclei` with `go install` because you get the latest version, but for our purposes `apt` will do the trick:

```bash
apt install nuclei
```

- Download the nuclei template designed to detect Apache Tomcat (the `tomcat-detect` template from the official nuclei-templates repository).
- We'll run `nuclei` against a single target using a single template in this lab.
- It's easy enough to provide a list of IP addresses and a folder of templates to execute in a single `nuclei` run.
- Here is a nuclei guide written by the developers if you are interested in learning more.
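To show what a detection template is actually looking for, here is an added example (not from the lab and not nuclei's own code) that fingerprints Tomcat from HTTP responses using three signals a real scan keys on: the version string Tomcat prints at the bottom of its default error page, the `Server` header some builds send, and the Basic-auth realm of the Manager application at `/manager/html`. The sample responses are constructed, not captured; the `probe()` function does the same checks against a live host such as the lab container.

```python
"""Fingerprint Apache Tomcat from HTTP responses.

Added example; the three sample responses below are constructed to look like
real ones, not captured from a target.
"""
import re
import secrets
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Tomcat's default error page ends with e.g. "<h3>Apache Tomcat/9.0.65</h3>".
VERSION_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)*)")
# The Manager app answers unauthenticated requests with this realm.
MANAGER_REALM = 'realm="Tomcat Manager Application"'


def fingerprint(status, headers, body):
    """Classify one HTTP response.

    Returns {'tomcat': bool, 'version': str or None, 'evidence': [str, ...]}.
    """
    evidence = []
    version = None
    hdrs = {k.lower(): v for k, v in headers.items()}

    # Older Tomcat sends "Apache-Coyote/1.1"; some builds send the product name.
    server = hdrs.get("server", "")
    if "tomcat" in server.lower() or "coyote" in server.lower():
        evidence.append(f"Server header: {server}")
        m = VERSION_RE.search(server)
        if m:
            version = m.group(1)

    m = VERSION_RE.search(body)
    if m:
        evidence.append("version string in default error page")
        version = version or m.group(1)

    if status == 401 and MANAGER_REALM in hdrs.get("www-authenticate", ""):
        evidence.append("Manager application Basic-auth realm")

    return {"tomcat": bool(evidence), "version": version, "evidence": evidence}


def merge(results):
    """Combine per-response results into one verdict for the host."""
    evidence = [e for r in results for e in r["evidence"]]
    versions = [r["version"] for r in results if r["version"]]
    return {"tomcat": bool(evidence),
            "version": versions[0] if versions else None,
            "evidence": evidence}


def probe(base_url, timeout=5):
    """Request a non-existent page and the Manager page, then merge the verdicts."""
    paths = ["/" + secrets.token_hex(6), "/manager/html"]
    results = []
    for path in paths:
        req = Request(base_url.rstrip("/") + path, headers={"User-Agent": "tomcat-probe"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                results.append(fingerprint(resp.status, dict(resp.headers.items()),
                                           resp.read().decode("utf-8", "replace")))
        except HTTPError as err:  # 4xx/5xx still carry the fingerprint
            results.append(fingerprint(err.code, dict(err.headers.items()),
                                       err.read().decode("utf-8", "replace")))
        except URLError:
            continue
    return merge(results)


# Constructed samples: a Tomcat 9 default 404, a Manager 401, and an nginx 404.
SAMPLES = {
    "tomcat_404": (404, {"Content-Type": "text/html;charset=utf-8"},
                   "<!doctype html><html><head><title>HTTP Status 404 - Not Found</title>"
                   "</head><body><h1>HTTP Status 404 - Not Found</h1><hr class=\"line\" />"
                   "<h3>Apache Tomcat/9.0.65</h3></body></html>"),
    "manager_401": (401, {"WWW-Authenticate": 'Basic realm="Tomcat Manager Application"'}, ""),
    "nginx_404": (404, {"Server": "nginx/1.24.0"},
                  "<html><head><title>404 Not Found</title></head><body>"
                  "<center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0</center>"
                  "</body></html>"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, fingerprint(*sample))
    # Against the lab container started above (assumed local port 8080):
    # print(probe("http://127.0.0.1:8080"))
```

The merged result for a default install is what you would expect nuclei to report: Tomcat confirmed, version extracted from the error page, and a second, independent hit from the Manager realm. A version alone is not a vulnerability; it just tells you what to look up next.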