Tutorial

Apache Tomcat Penetration Testing Lab Setup

In this article, we will learn the process of installing an Apache Tomcat on any Linux Machine. We will also learn how to gain control over our victim’s PC through exploiting Apache Tomcat.

Requirements:

Server/Victim Machine: Ubuntu 18.04

Pentesting Machine: Kali Linux

Table of Content

Introduction of Apache Tomcat

Installation of Apache Tomcat

  • Install Apache
  • Install Java JDK
  • Download tomcat manager
  • Tomcat manager configuration
  • Create a tomcat user and group
  • Assign permission
  • Create a systemd Service File
  • Update firewall to allow tomcat
  • Configure Tomcat Web Management Interface
  • Access the Web Interface

Exploiting Apache Tomcat

Introduction of Apache Tomcat

Apache Tomcat which is also known as Tomcat Server is a Java-Based HTTP Web Server. It implements Java EE Specifications like Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket. It is an open-source software made by developers at Apache Software Foundation. Apache has been released as early as 1999. That makes Apache Tomcat 20 years old at the time of publication of this article.

Apache Tomcat in its simplest configuration runs in a single operating system process. This process is commonly known as the Java virtual machine (JVM). This allows Apache Tomcat platform-independent as well as secure as compared to others.

Installation of Apache Tomcat

Let’s start with apache tomcat installation but before that, you should go with below command.

Now, Apache Tomcat needs Java to be installed so that the Java Application code can be executed on the server. To make this possible, installed the Java Development Kit.

Create User and Group

To run the tomcat as an unprivileged user, create a group and a new user named as tomcat. We have created the user in /opt because we are going to install tomcat in that directory. We don’t need the tomcat user to use the shell so we will be using the -s parameter to set /bin/false shell. By doing this authentication will get disabled for the tomcat user.

Download Tomcat Manager

Now, we are going to download the apache tomcat Package from here.  After downloading it’s time to extract the package it inside /opt directory and move forward.

Assign Permissions

Now we are going to use the chgrp command to give the ownership of the tomcat directory to the tomcat group.

To allow the tomcat group user to perform the read and execute operation change permission for /conf file as given below.

Also give ownership to the tomcat group user for directories like webapp/, work/, temp/ and logs/.

We want Apache Tomcat to be run as a service and for that, we will have to set up a system service. To do this, we are going to require the location of the Java Installation. For this, we will be running the command given below.

Create an SYSTEMD Service File

To create a system service file, open the tomcat. service file in the /etc/systemd/system directory using nano editor.

Now append the following content and modify the JAVA_HOME as shown below 

Now Save this file. This will make tomcat a service.

Reload the systemd daemon to register our newly created tomcat service. If everything is done correctly, we will able to run, stop and see the status of the Apache Tomcat as a service.

Update Firewall to Allow Tomcat

It’s time to allow the tomcat via our firewall Since Ubuntu has the ufw installed and set up by default. Apache Tomcat generally uses the post 8080 to receive requests from users.

Execute below command to start tomcat starts automatically whenever the machine boots up.

Configure Tomcat Web Management Interface

At this stage, if you will browse the Server IP with the port 8080, you will be greeted with an Apache Tomcat Page. But if you will click on the links to the Manager App, you will get Access Denied. This means that you haven’t yet set up the Tomcat Web Manager Interface. So, let’s do that and complete the Apache Tomcat Setup.

Open the file using the nano editor and make the following changes as shown in the image given below.

You can change the username and password as per your choice. We will save and close the editor after making appropriate changes.

By default, Apache Tomcat restricts access to the Manager and Host Manager apps to connections coming from the server. As we are installing Tomcat for a remote machine, we will probably want to alter this restriction. To change the restrictions on these, we will be editing these context.xml files.

Inside, comment out the IP address restriction to allow connections from anywhere. Alternatively, if you would like to allow access only to connections coming from your own IP address.

We do the same thing with the host-manager file. To allow access to Host Manager too.

saved the changes restart the tomcat service.

Access the Web Interface

We got to the interface by entering your server’s domain name or IP address followed on port 8080 in our browser. Now we will try to see if the Manager and Host Manager interfaces are working. Click the Buttons highlighted in the image.

The Login authentication page will pop-up as expected, we enter the credentials that we created earlier.

Upon verification of the credentials, Apache Tomcat lands us to this Tomcat Virtual Host Manager Interface. From this page, you can add virtual hosts to serve your applications. This concludes our Apache Tomcat Setup.

Exploiting Apache Tomcat

Now that we have successfully installed the Apache Tomcat Framework, Let’s do its Penetration Testing. We are going to use Metasploit for exploiting the Apache Tomcat.

This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

As a result, you can observe that we have the meterpreter session of the target machine.

Learn multiple ways to exploit tomcat manager from here.

Author: Ahmad is a Technical Writer, Researcher and Penetration Tester. Contact here

You Might Also Like

Leave a Reply