Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.
The slides were published here and the video from hashdays is here; there is no video for BSides ATL.
I consistently violate presentation zen and try to make my slides usable after the talk, but I decided to do a few blog posts covering the topics I put in the talk anyway.
Post: JBoss/Tomcat server-status
There have been some posts/exploits/modules on hitting up unprotected JBoss and Tomcat servers.
Sometimes, even though the deployer functionality is password protected, the server-status page may not be.
This can be useful to find:
- Lists of applications
- Recent URLs accessed
- sometimes with session IDs
- Hidden services/apps
- Enabled servlets
- owned stuff :-)
Finding 0wned stuff is always fun, so let's see.
Looking at the application list, one entry doesn't look normal (zecmd).
Following that down leads us to zecmd.jsp, which is a JSP shell.
If you are interested in zecmd.jsp and the JBoss worm it comes from, this is a good write-up, as well as this OWASP preso: https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf
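As an added example (not code from the original post), here is a small Python audit script that covers both points above: it parses a server-status page for the application list and recent request URLs, then flags contexts that are not in your deployment allowlist (the zecmd case) and recent URLs that carry a session ID. The sample status page is constructed and only approximates the real Tomcat/JBoss layout, and the allowlist of expected contexts is an assumption you would replace with your own.

```python
import re
from html.parser import HTMLParser

# Constructed sample approximating a Tomcat/JBoss "server-status?full=true" page
# (the real page has more columns: Stage, Time, Bytes, Client, VHost, Request).
SAMPLE_STATUS = """
<h1>Application list</h1>
<h2><a href="/manager">/manager</a></h2>
<h2><a href="/jmx-console">/jmx-console</a></h2>
<h2><a href="/zecmd">/zecmd</a></h2>
<h1>"http-8080"</h1>
<table><tr><th>Stage</th><th>Request</th></tr>
<tr><td>S</td><td>GET /jmx-console/HtmlAdaptor;jsessionid=1A2B3C4D5E6F7A8B9C0D1E2F HTTP/1.1</td></tr>
<tr><td>S</td><td>POST /zecmd/zecmd.jsp HTTP/1.1</td></tr>
<tr><td>R</td><td>?</td></tr></table>
"""

REQUEST_LINE = re.compile(r"^(?:GET|POST|HEAD|PUT|DELETE)\s+(\S+)\s+HTTP/\d\.\d$")
SESSION_TOKEN = re.compile(r"jsessionid=([0-9A-Za-z]+)", re.IGNORECASE)

class _StatusParser(HTMLParser):  # context paths from links, request URLs from worker rows
    def __init__(self):
        super().__init__()
        self.contexts, self.requests = [], []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href", "") if tag == "a" else ""
        if href.startswith("/") and href not in self.contexts:
            self.contexts.append(href)
    def handle_data(self, data):
        m = REQUEST_LINE.match(data.strip())
        if m:
            self.requests.append(m.group(1))

def audit_status(html, expected_contexts):
    """Findings for your own status page: contexts outside the allowlist, recent URLs carrying a session ID."""
    parser = _StatusParser()
    parser.feed(html)
    findings = []
    for ctx in parser.contexts:
        if ctx not in expected_contexts:
            findings.append(("unexpected-context", ctx))
    for url in parser.requests:
        if SESSION_TOKEN.search(url):
            # report the path only; never copy the live token itself into a report
            findings.append(("session-id-in-url", url.split(";", 1)[0]))
        ctx = "/" + url.lstrip("/").split("/", 1)[0]
        if ctx not in expected_contexts:
            findings.append(("request-to-unexpected-context", url))
    return findings

if __name__ == "__main__": print(audit_status(SAMPLE_STATUS, {"/manager", "/jmx-console"}))
```

Point it at a saved copy of your own server-status page instead of SAMPLE_STATUS; any session-id-in-url finding means the status page is handing out live tokens and should be behind authentication.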