nmap -sV -sC -Pn -p 1-65535 -T5 10.10.10.95
PORT STATE SERVICE VERSION
The machine exposes only port 8080, which is the default port for the Tomcat server.
Trying to log in to the application manager, we are asked for credentials, and if the authentication fails we get a 403 error page.
On this page, though, we can see that the example credentials configuration is not the standard one: we can use tomcat as the user and s3cret as the password.
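The weakness here is a manager account that accepts the credentials shown in the example configuration. As an added example (not part of the original writeup), this Python audit checks a tomcat-users.xml for manager or admin accounts with weak credentials. The role set, the WEAK_PAIRS entries other than tomcat/s3cret, and the sample file are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

# tomcat/s3cret is the pair from this writeup; the other pairs are constructed.
WEAK_PAIRS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin")}

# Constructed sample file; the commented-out user must not be reported.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!-- <user username="both" password="changeme" roles="manager-gui"/> -->
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="viewer" password="s3cret" roles="readonly"/>
  <user username="ops" password="Xq7!constructed-long-value" roles="admin-gui"/>
</tomcat-users>"""


def audit(xml_text):
    """Return (username, manager_roles, reason) for each risky <user> entry."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Newer files declare an XML namespace, older ones do not: compare local names.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        granted = sorted(roles & MANAGER_ROLES)
        if not granted:
            continue  # this account cannot reach the manager applications
        if not pw:
            reason = "empty password"
        elif (name, pw) in WEAK_PAIRS:
            reason = "known example/default credentials"
        elif pw.lower() == name.lower():
            reason = "password equals username"
        else:
            continue
        findings.append((name, granted, reason))
    return findings


if __name__ == "__main__":
    for name, roles, reason in audit(SAMPLE):
        print(f"{name}: {reason} (roles: {', '.join(roles)})")
```

Only active entries are reported: the parser drops XML comments, so a commented-out example user does not raise a finding, and accounts without a manager or admin role are skipped.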
Now that we have the credentials, we can use Metasploit to upload a JSP with our meterpreter session using the exploit
exploit/multi/http/tomcat_mgr_upload with the correct information:
With the session up, we were unable to find the user flag in the default path, so we asked for a machine reset.
On the new machine we saw that the user and root flags were together in a file in
C:\Users\Administrator\Desktop\flags. And this is the default configuration, so no need to privesc or anything… lame!