A couple of methods you can use to gain a shell through a Tomcat server when you find weak credentials. Method 1). Uploading a .war (jsp) command shell direct in the web manager. Method 2). using Metasploit to gain a reverse shell. Tweet