nmap
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat
Tomcat Web Application Manager
- Use the default creds
tomcat:s3cret
- Here we can upload a WAR file, and through it we can get remote code execution
- Refer to this blog
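Seen from the defender's side, the finding above comes down to one line in tomcat-users.xml. The following is an added example, not part of the original write-up: it audits that file for accounts that hold a deploy-capable Manager role together with a default or weak password. The role set, the password list beyond tomcat:s3cret, and the sample file are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that allow deploying applications through the Manager app (assumed set).
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Assumed sample list: the password from this page plus a few common defaults.
WEAK_PASSWORDS = {"s3cret", "tomcat", "admin", "password", "changeit", ""}


def audit_tomcat_users(xml_text):
    """Return (username, deploy roles, reason) for each risky account."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Newer files declare an XML namespace; strip it before comparing.
        if elem.tag.split("}")[-1] != "user":
            continue
        # Older files use name=, newer ones username=.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        risky = sorted(roles & DEPLOY_ROLES)
        if not risky:
            continue  # account cannot deploy WAR files
        if password.lower() in WEAK_PASSWORDS:
            reason = "known default or weak password"
        elif password.lower() == name.lower():
            reason = "password equals username"
        else:
            continue
        findings.append((name, risky, reason))
    return findings


# Constructed sample file, not taken from the target in this write-up.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deployer" password="Xq7-constructed-long-value" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
</tomcat-users>"""

if __name__ == "__main__":
    for user, roles, reason in audit_tomcat_users(SAMPLE):
        print(f"{user}: {', '.join(roles)} ({reason})")
```

Digested passwords will not match the plain-text list, so this check only covers files that store passwords in clear text.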
Initial shell
- Open msfconsole
use multi/http/tomcat_mgr_upload
- Set these options and run it
- Cool, we got our shell
flags
- Here we can get both the user & root flags