1. Vulnerability: Apache URL-decodes the request path once, then forwards it to Tomcat, which decodes it again. A double-encoded sequence such as /%252e%252e/ (%252e becomes %2e after the first decode and . after the second) can therefore be used to perform directory traversal.
2. Objective: access the interface at http://webapp/manager/html or http://webapp/../manager/html or http://webapp/%252e%252e/manager/html. Use Burp, because the path might get normalized by a browser. Make sure you are in a Tomcat subdirectory first (e.g. check the 404 error page to confirm whether it is hosted by Apache or Tomcat).
3. Default credentials for Tomcat: admin, <blank>. Intercept the response immediately to get the cookie required for anti-CSRF. Put it in future upload requests using Cookie: xxx=yyy
4. If you cannot get authorization to work, use the following header: Authorization: Basic <base64-encoded username:password>
5. Remember to use the full path when uploading a file (http://webapp/%252e%252e/%252e%252e/manager/html/uploads/...). Otherwise it might not work. After uploading the shell, you can use Burp Repeater so that you do not need to type the request again.
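
The double decode in item 1 also gives defenders something to look for. The following is an added example, not part of the original notes: it decodes each logged request path repeatedly and reports paths where a .. segment only appears after two or more decode rounds, which matches the Apache-then-Tomcat chain. The log lines, the /app prefix, MAX_ROUNDS and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

MAX_ROUNDS = 4  # assumption: stop unwrapping nested encodings after this many decodes
REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')

# Constructed sample lines in Apache common log format (not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /app/%252e%252e/manager/html HTTP/1.1" 401 2473',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /app/%2e%2e/manager/html HTTP/1.1" 404 196',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /app/search?q=100%25 HTTP/1.1" 200 901',
]


def traversal_depth(path):
    """Decode rounds needed before a '..' segment appears (0 = literal), else None."""
    current = path.split("?", 1)[0]  # inspect the path only, not the query string
    for rounds in range(MAX_ROUNDS + 1):
        if ".." in re.split(r"[/\\]", current):
            return rounds
        decoded = unquote(current)
        if decoded == current:  # fully decoded, nothing left to unwrap
            return None
        current = decoded
    return None  # no '..' segment seen within MAX_ROUNDS decodes


def scan(lines):
    """Return (client_ip, raw_path, depth) for paths hiding '..' behind 2+ decodes."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        depth = traversal_depth(m.group(1))
        if depth is not None and depth >= 2:
            hits.append((line.split()[0], m.group(1), depth))
    return hits


if __name__ == "__main__":
    for ip, path, depth in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> '..' after {depth} decode rounds")
```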