For this recipe, we come back to our OWASP BWA machine vm_1, and start from the point where we already know the credentials for the Tomcat server:
- Browse to http://192.168.56.11:8080/manager/html and, when asked for username and password, use the ones obtained previously—root as username and owaspbwa as the password:

- Once inside the manager, look for the section WAR file to deploy and click on the Browse button.
- Kali includes a collection of web-shells in /usr/share/laudanum. Browse there and select the /usr/share/laudanum/jsp/cmd.war file:
- After it has loaded, click Deploy:
- Verify that you have a new application ...