# Basic Tomcat Info {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} ### Avoid to run with root In order to not run Tomcat with root a very common configuration is to set an Apache server in port 80/443 and, if the requested path matches a regexp, the request is sent to Tomcat running on a different port. ### Default Structure ``` β”œβ”€β”€ bin β”œβ”€β”€ conf β”‚ β”œβ”€β”€ catalina.policy β”‚ β”œβ”€β”€ catalina.properties β”‚ β”œβ”€β”€ context.xml β”‚ β”œβ”€β”€ tomcat-users.xml β”‚ β”œβ”€β”€ tomcat-users.xsd β”‚ └── web.xml β”œβ”€β”€ lib β”œβ”€β”€ logs β”œβ”€β”€ temp β”œβ”€β”€ webapps β”‚ β”œβ”€β”€ manager β”‚ β”‚ β”œβ”€β”€ images β”‚ β”‚ β”œβ”€β”€ META-INF β”‚ β”‚ └── WEB-INF | | └── web.xml β”‚ └── ROOT β”‚ └── WEB-INF └── work └── Catalina └── localhost ``` * The `bin` folder stores scripts and binaries needed to start and run a Tomcat server. * The `conf` folder stores various configuration files used by Tomcat. * The `tomcat-users.xml` file stores user credentials and their assigned roles. * The `lib` folder holds the various JAR files needed for the correct functioning of Tomcat. * The `logs` and `temp` folders store temporary log files. * The `webapps` folder is the default webroot of Tomcat and hosts all the applications. The `work` folder acts as a cache and is used to store data during runtime. Each folder inside `webapps` is expected to have the following structure. ``` webapps/customapp β”œβ”€β”€ images β”œβ”€β”€ index.jsp β”œβ”€β”€ META-INF β”‚ └── context.xml β”œβ”€β”€ status.xsd └── WEB-INF β”œβ”€β”€ jsp | └── admin.jsp └── web.xml └── lib | └── jdbc_drivers.jar └── classes └── AdminServlet.class ``` The most important file among these is `WEB-INF/web.xml`, which is known as the deployment descriptor. This file stores **information about the routes** used by the application and the classes handling these routes.\ All compiled classes used by the application should be stored in the `WEB-INF/classes` folder. These classes might contain important business logic as well as sensitive information. Any vulnerability in these files can lead to total compromise of the website. The `lib` folder stores the libraries needed by that particular application. The `jsp` folder stores [Jakarta Server Pages (JSP)](https://en.wikipedia.org/wiki/Jakarta_Server_Pages), formerly known as `JavaServer Pages`, which can be compared to PHP files on an Apache server. Here’s an example **web.xml** file. ```xml AdminServlet com.inlanefreight.api.AdminServlet AdminServlet /admin ``` The `web.xml` configuration above defines a **new servlet named `AdminServlet`** that is mapped to the **class `com.inlanefreight.api.AdminServlet`**. Java uses the dot notation to create package names, meaning the path on disk for the class defined above would be: * **`classes/com/inlanefreight/api/AdminServlet.class`** Next, a new servlet mapping is created to **map requests to `/admin` with `AdminServlet`**. This configuration will send any request received for **`/admin` to the `AdminServlet.class`** class for processing. The **`web.xml`** descriptor holds a lot of **sensitive information** and is an important file to check when leveraging a **Local File Inclusion (LFI) vulnerability**. ### tomcat-users The **`tomcat-users.xml`** file is used to **allow** or disallow access to the **`/manager` and `host-manager` admin pages**. ```xml !-- user manager can access only manager section --> ``` The file shows us what each of the roles `manager-gui`, `manager-script`, `manager-jmx`, and `manager-status` provide access to. In this example, we can see that a user `tomcat` with the password `tomcat` has the `manager-gui` role, and a second weak password `admin` is set for the user account `admin` ## References * {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}