In order to not run Tomcat with root a very common configuration is to set an Apache server in port 80/443 and, if the requested path matches a regexp, the request is sent to Tomcat running on a different port.
In some versions prior to Tomcat6 you could enumerate users:
msf> use auxiliary/scanner/http/tomcat_enum
The most interesting path of Tomcat is /manager/html, inside that path you can upload and deploy war files (execute code). But this path is protected by basic HTTP auth, the most common credentials are:
You could test these and more using:
msf> use auxiliary/scanner/http/tomcat_mgr_login
Another interesting Tomcat path is /manager/status, where you can see the version of the OS and Tomcat. This is useful to find vulns affecting the version of Tomcat when you cannot access /manager/html.
A well-known vulnerability to access the application manager __ is mod_jk in CVE-2007-1860, that allows Double URL encode path traversal.
In order to access to the management web of the Tomcat go to: pathTomcat/%252E%252E/manager/html
Take into account that to upload the webshell you might need to use the double urlencode trick and send also a cookie and/or a SSRF token.
To access to backdoor you might also need to use the double urlencode trick.
The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection (from here).
Finally, if you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).
You will only be able to deploy a WAR if you have enough privileges (roles: admin, manager and manager-script). Those details can be find under tomcat-users.xml usually defined in /usr/share/tomcat9/etc/tomcat-users.xml (it vary between versions) (see POST section).
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed