# Basic Tomcat Info
βοΈ HackTricks Cloud βοΈ -π¦ Twitter π¦ - ποΈ Twitch ποΈ - π₯ Youtube π₯
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
### Avoid running as root
To avoid running Tomcat as root, a very common configuration is to put an Apache server on ports 80/443 and, whenever the requested path matches a regexp, forward the request to Tomcat listening on a different (unprivileged) port.
### Default Structure
```
├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
│   │       └── web.xml
│   └── ROOT
│       └── WEB-INF
└── work
    └── Catalina
        └── localhost
```
* The `bin` folder stores scripts and binaries needed to start and run a Tomcat server.
* The `conf` folder stores various configuration files used by Tomcat.
* The `tomcat-users.xml` file stores user credentials and their assigned roles.
* The `lib` folder holds the various JAR files needed for the correct functioning of Tomcat.
* The `logs` and `temp` folders store log files and temporary files, respectively.
* The `webapps` folder is the default webroot of Tomcat and hosts all the applications. The `work` folder acts as a cache and is used to store data during runtime.
Each folder inside `webapps` is expected to have the following structure.
```
webapps/customapp
├── images
├── index.jsp
├── META-INF
│   └── context.xml
├── status.xsd
└── WEB-INF
    ├── jsp
    │   └── admin.jsp
    ├── web.xml
    ├── lib
    │   └── jdbc_drivers.jar
    └── classes
        └── AdminServlet.class
```
The most important file among these is `WEB-INF/web.xml`, known as the deployment descriptor. This file stores **information about the routes** used by the application and the classes handling those routes.
All compiled classes used by the application should be stored in the `WEB-INF/classes` folder. These classes may contain important business logic as well as sensitive information, and any vulnerability in them can lead to total compromise of the website. The `lib` folder stores the libraries needed by that particular application. The `jsp` folder stores [Jakarta Server Pages (JSP)](https://en.wikipedia.org/wiki/Jakarta_Server_Pages), formerly known as `JavaServer Pages`, which can be compared to PHP files on an Apache server.
Here's an example **web.xml** file.
```xml
<web-app>
    <servlet>
        <servlet-name>AdminServlet</servlet-name>
        <servlet-class>com.inlanefreight.api.AdminServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>AdminServlet</servlet-name>
        <url-pattern>/admin</url-pattern>
    </servlet-mapping>
</web-app>
```
The `web.xml` configuration above defines a **new servlet named `AdminServlet`** that is mapped to the **class `com.inlanefreight.api.AdminServlet`**. Java uses the dot notation to create package names, meaning the path on disk for the class defined above would be:
* **`classes/com/inlanefreight/api/AdminServlet.class`**
Next, a new servlet mapping is created to **map requests to `/admin` with `AdminServlet`**. This configuration sends any request received for **`/admin` to the `AdminServlet`** class for processing. The **`web.xml`** descriptor holds a lot of **sensitive information** and is an important file to check when leveraging a **Local File Inclusion (LFI) vulnerability**.
### tomcat-users
The **`tomcat-users.xml`** file is used to **allow** or disallow access to the **`/manager` and `/host-manager` admin pages**.
```xml
<tomcat-users>
  <!-- Built-in Tomcat manager roles:
         manager-gui    - allows access to the HTML GUI and the status pages
         manager-script - allows access to the HTTP API and the status pages
         manager-jmx    - allows access to the JMX proxy and the status pages
         manager-status - allows access to the status pages only -->
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <role rolename="admin-gui"/>

  <!-- user manager can access only manager section -->
  <user username="tomcat" password="tomcat" roles="manager-gui"/>

  <!-- user admin can access manager and admin (host-manager) section both -->
  <user username="admin" password="admin" roles="manager-gui,admin-gui"/>
</tomcat-users>
```
The file shows us what each of the roles `manager-gui`, `manager-script`, `manager-jmx`, and `manager-status` provides access to. In this example, we can see that a user `tomcat` with the password `tomcat` has the `manager-gui` role, and a second weak password, `admin`, is set for the user account `admin`.
## References
* [https://academy.hackthebox.com/module/113/section/1090](https://academy.hackthebox.com/module/113/section/1090)