How to do it...

For this recipe, we come back to our OWASP BWA machine vm_1, and start from the point where we already know the credentials for the Tomcat server:

  1. Browse to http://192.168.56.11:8080/manager/html and, when asked for username and password, use the ones obtained previously: root as username and owaspbwa as the password.
  2. Once inside the manager, look for the section WAR file to deploy and click on the Browse button.
  3. Kali includes a collection of web-shells in /usr/share/laudanum. Browse there and select the /usr/share/laudanum/jsp/cmd.war file.
  4. After it has loaded, click Deploy.
  5. Verify that you have a new application called cmd.
  6. Let's try it; browse to http://192.168.56.11:8080/cmd/cmd.jsp.
  7. If everything goes right, you should see a page with a textbox and a Send button. In the textbox, try a command and send it, for example ifconfig.
  8. We can now execute commands, but which user and what privilege level do we have? Try the whoami command.

We can see that Tomcat is running with root privileges on this server. That means that at this point, we have full control of it and can perform any operation, such as creating or removing users, installing software, configuring operating system options, and much more.
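Seen from the defender's side, the deployment performed in this recipe leaves a recognizable trail in Tomcat's access log: an authenticated upload through the manager, followed by the first successful requests to an application that did not exist before. The following Python script is an added example, not part of the original recipe; it assumes the AccessLogValve common pattern and that the manager's upload form posts to /manager/html/upload, and the log lines, client addresses and timestamps are constructed.

```python
import re

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_PATH = "/manager/html/upload"  # assumed target of the manager's WAR upload form

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
192.168.56.20 - - [12/Mar/2018:10:01:02 +0000] "GET /mutillidae/index.php HTTP/1.1" 200 4312
192.168.56.10 - - [12/Mar/2018:10:04:40 +0000] "GET /manager/html HTTP/1.1" 401 2550
192.168.56.10 - root [12/Mar/2018:10:04:55 +0000] "GET /manager/html HTTP/1.1" 200 17040
192.168.56.10 - root [12/Mar/2018:10:05:31 +0000] "POST /manager/html/upload HTTP/1.1" 200 17890
192.168.56.10 - - [12/Mar/2018:10:05:48 +0000] "GET /cmd/cmd.jsp HTTP/1.1" 200 611
192.168.56.10 - - [12/Mar/2018:10:06:03 +0000] "POST /cmd/cmd.jsp HTTP/1.1" 200 1498
192.168.56.20 - - [12/Mar/2018:10:07:10 +0000] "GET /mutillidae/index.php HTTP/1.1" 200 4312
"""

def context_of(path):
    """Return the first path segment, which Tomcat maps to a web application."""
    return "/" + path.split("?", 1)[0].lstrip("/").split("/", 1)[0]

def find_deploy_activity(log_text):
    """Flag successful manager uploads and applications first seen after one."""
    alerts, known, uploaded = [], set(), False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not follow the expected pattern
        ctx, ok = context_of(m["path"]), m["status"].startswith("2")
        if m["method"] == "POST" and m["path"].split("?", 1)[0] == UPLOAD_PATH and ok:
            uploaded = True
            alerts.append(("war_upload", m["host"], m["user"], m["ts"]))
        elif uploaded and ok and ctx not in known:
            # First successful hit on an application unseen before the upload.
            alerts.append(("new_context", m["host"], ctx, m["ts"]))
        if ok:
            known.add(ctx)
    return alerts

if __name__ == "__main__":
    for alert in find_deploy_activity(SAMPLE_LOG):
        print(alert)
```

Legitimate deployments through the manager raise the same two alerts, so each hit should be matched against change records before it is treated as an incident.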
