How it works...

Once we obtain the credentials for Tomcat Manager, the attack flow is pretty straightforward. We just need an application that is useful enough to be worth uploading. Laudanum, included by default in Kali Linux, is a collection of web-shells for various languages and types of web servers, including PHP, ASP, ASP.NET, and JSP. What can be more useful to a penetration tester than a web-shell?

Tomcat can take a Java web application packaged in WAR format and deploy it on the server. We used this functionality to upload the web-shell included in Laudanum. After it was uploaded and deployed, we browsed to it and, by executing system commands, discovered that we had root access on that system, because the server was not properly configured and had Tomcat running under the root user.
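
Seen from the defender's side, the deployment described above leaves a recognisable trace in Tomcat's access log. The following is an added example, not code from the book: it flags successful WAR deployments through the Manager application and lists the context paths first requested afterwards by the same client. It assumes the AccessLogValve "common" pattern; the function name `find_war_deployments`, the `/newapp` context and all log lines are constructed for illustration.

```python
import re

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Manager endpoints that deploy a WAR: HTML form upload, text-interface deploy
DEPLOY = re.compile(r'^/manager/(html/upload|text/deploy)$')

# Constructed sample log (documentation IP ranges, placeholder nonce)
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2024:10:00:01 +0000] "GET /docs/index.html HTTP/1.1" 200 1200
198.51.100.7 - - [10/Mar/2024:10:05:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - admin [10/Mar/2024:10:05:09 +0000] "GET /manager/html HTTP/1.1" 200 16000
198.51.100.7 - admin [10/Mar/2024:10:06:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=CONSTRUCTED HTTP/1.1" 200 17000
198.51.100.7 - - [10/Mar/2024:10:06:45 +0000] "GET /newapp/index.jsp HTTP/1.1" 200 900
192.0.2.10 - - [10/Mar/2024:10:07:00 +0000] "GET /docs/setup.html HTTP/1.1" 200 800
"""

def find_war_deployments(log_text):
    """Return successful Manager deploys, each with the context paths that
    were first requested afterwards by the same client."""
    known, findings = set(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = m["path"].split("?", 1)[0]
        context = "/" + path.lstrip("/").split("/", 1)[0]
        status = int(m["status"])
        if (DEPLOY.match(path) and m["method"] in ("POST", "PUT")
                and 200 <= status < 400):
            findings.append({"ip": m["ip"], "user": m["user"],
                             "time": m["ts"], "new_contexts": []})
        elif context not in known and status == 200:
            # First successful hit on a context never seen before the deploy
            for f in findings:
                if f["ip"] == m["ip"]:
                    f["new_contexts"].append(context)
        known.add(context)
    return findings

if __name__ == "__main__":
    for f in find_war_deployments(SAMPLE_LOG):
        print(f"{f['time']} deploy by user={f['user']} from {f['ip']}; "
              f"new contexts requested afterwards: {f['new_contexts']}")
```

A deployment flagged this way is most damaging in the situation the recipe found, where the Tomcat process runs as root, so the account that owns the process is worth checking alongside the log.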
