In order not to run Tomcat as root, a very common configuration is to put an Apache server on port 80/443 and, if the requested path matches a regexp, forward the request to the Tomcat instance running on another port.
## Username Enum
In some versions prior to Tomcat 6 it was possible to enumerate users:
The most interesting path of Tomcat is _**/manager/html**_; inside that **path you can upload and deploy war files** \(execute code\). But this path is protected by basic HTTP auth. The most common credentials are:
Another **interesting Tomcat** path is _**/manager/status**_, where you can see the version of the OS and Tomcat. This is useful to find vulns affecting the version of Tomcat when you cannot access _**/manager/html**_.
The following example scripts ship with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting \(XSS\) injection \(from [here](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)\).
Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file \(execute code\)**.
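From the defender's side, the paths described above (_/manager/html_ behind basic auth, _/manager/status_, the example webapps and WAR uploads to the manager) are exactly what should stand out in the front-end Apache access log. The script below is an added example, not part of the original page: it assumes the reverse-proxy layout described at the top (Apache in front of Tomcat), the Apache "combined" log format, and a trusted-network list that is only an assumption for the demo; the log lines are constructed.

```python
"""Flag risky Tomcat Manager / example-app activity in an Apache access log.

Added example (not from the original page). Assumes Apache "combined" log
format and that management access is only expected from TRUSTED_NETS.
"""
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Networks from which Manager access is expected (assumption for the demo).
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]
SENSITIVE_PREFIXES = ("/manager/", "/host-manager/")
EXAMPLE_PREFIXES = ("/examples/",)
AUTH_FAIL_THRESHOLD = 5  # 401s from one IP on the Manager app before we call it guessing

# Constructed sample log: one legitimate admin, one external host hammering
# /manager/html and then uploading, one host hitting the example webapp.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Oct/2023:13:55:36 +0000] "GET /manager/status HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /manager/html HTTP/1.1" 401 1234 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /manager/html HTTP/1.1" 401 1234 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /manager/html HTTP/1.1" 401 1234 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:43 +0000] "GET /manager/html HTTP/1.1" 401 1234 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "GET /manager/html HTTP/1.1" 401 1234 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:45 +0000] "GET /manager/html HTTP/1.1" 200 9000 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:50 +0000] "POST /manager/html/upload HTTP/1.1" 200 9100 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /examples/servlets/servlet/RequestHeaderExample HTTP/1.1" 200 1500 "-" "curl/8.0"
10.0.0.7 - - [10/Oct/2023:14:02:00 +0000] "GET /app/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip/method/path/status for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True if the client address falls inside one of TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines):
    """Return a list of (ip, reason, path) alerts; one alert per (ip, reason)."""
    alerts, seen = [], set()
    auth_failures = Counter()

    def alert(ip, reason, path):
        if (ip, reason) not in seen:
            seen.add((ip, reason))
            alerts.append((ip, reason, path))

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, method, status = rec["ip"], rec["path"], rec["method"], rec["status"]
        if path.startswith(SENSITIVE_PREFIXES):
            if not is_trusted(ip):
                alert(ip, "manager app reached from untrusted address", path)
            if status == 401:
                auth_failures[ip] += 1
            if method in ("POST", "PUT") and 200 <= status < 300:
                alert(ip, "successful write to manager app (possible WAR deploy)", path)
        if path.startswith(EXAMPLE_PREFIXES):
            alert(ip, "example web application still deployed", path)

    for ip, n in auth_failures.items():
        if n >= AUTH_FAIL_THRESHOLD:
            alert(ip, f"{n} authentication failures on manager app", "/manager/")
    return alerts


if __name__ == "__main__":
    for ip, reason, path in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ip:16} {reason:55} {path}")
```

Run against a real log with `analyze(open("/var/log/apache2/access.log"))`; the alert on requests under _/examples/_ is there because the safest fix is simply to undeploy that webapp, and the "untrusted address" alert assumes you have already restricted the Manager to the admin network in the proxy.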
### Limitations
You will only be able to deploy a WAR if you have **enough privileges** \(roles: **admin**, **manager** and **manager-script**\). Those details can be found in _tomcat-users.xml_, usually located at `/usr/share/tomcat9/etc/tomcat-users.xml` \(it varies between versions\) \(see the [POST](tomcat.md#post) section\).
```bash
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
```
You could also install this \(allows upload, download and command execution\): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)
## POST
The Tomcat credentials file is named _tomcat-users.xml_.
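Since both the Limitations section and this one come down to what _tomcat-users.xml_ grants, a defender's first check is to audit that file for accounts holding deploy-capable roles and for obviously weak credentials. The following is an added example, not code from the original page: it parses the `<role>`/`<user>` entries used by Tomcat's memory realm, flags the Manager and Host Manager roles (the page names **admin**, **manager** and **manager-script**; the other role names are the ones Tomcat's Manager documentation uses), and reports empty passwords or passwords equal to the username. The sample XML is constructed.

```python
"""Audit a tomcat-users.xml for accounts that can deploy or administer.

Added example (not from the original page). Parses the <user> elements of
Tomcat's memory realm and reports privileged roles and weak credentials.
"""
import sys
import xml.etree.ElementTree as ET

# Roles that grant deploy or admin rights in the Manager / Host Manager apps.
PRIVILEGED_ROLES = {
    "admin", "admin-gui", "admin-script",
    "manager", "manager-gui", "manager-script", "manager-jmx",
}

# Constructed sample with the weaknesses we want to catch.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="deployer" password="deployer" roles="manager-gui,manager-script"/>
  <user username="monitor" password="Zq9!long-random-value" roles="manager-status"/>
  <user username="svc" password="" roles="manager-script"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace so 'user' matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples for risky accounts."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat accepts either 'username' or 'name' on <user>.
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            findings.append((name, "privileged roles: " + ",".join(privileged)))
        if password == "":
            findings.append((name, "empty password"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
    return findings


def audit_file(path):
    """Audit a tomcat-users.xml on disk (e.g. the path given in the Limitations section)."""
    with open(path, encoding="utf-8") as fh:
        return audit_tomcat_users(fh.read())


if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_tomcat_users(SAMPLE_TOMCAT_USERS)
    for user, finding in results:
        print(f"{user:12} {finding}")
```

Any account listed with a privileged role should be one you can name an owner for; everything else is a candidate for removal, and a `manager-status`-only account (as `monitor` above) is the least privilege that still lets a monitoring system read _/manager/status_.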