Okay going off our initial scans we see we have 4 open ports. Let's get a feroxbuster going and see what we get.
Okay we see protected and then guidelines we can take a look at.
Looks like we get a login on /protected. Cool let's open dev tools and see what's going on.
We can see that it's doing a get request instead of a post and we also notice that it's running html basic auth! Great we should be able to get into this with Hydra pretty easily, but we don't have a username yet. So let's keep looking.
Alright, when we visit /guidelines we get bob! Let's hop over to our terminal and try to get a password for bob.
Great! We got a password! Now we can access /protected.
Bummer this is all we get. Well, let's try the other ports to see what we can gind.
Port 8009 seems to be running a service talking with port 1234. So let's start enumerating port 1234 first.
Right away we get a whole bunch of directories to check out. So while this runs let's start manually enumerating the website.
On the home page we get a basic tomcat page.
But if we try our ip:1234/manager we get prompted for credentials again. The same ones we used before work just fine to get us in. Now we are faced with the below manager panel.
Hmmm. looks like we can upload a .WAR file. Let's check to see if we can find a payload for this file type.
Sure enough PayLoadAllTheThings has one! Let's modify this and run it through msfvenom.
Now we have this
I did the second command in PayLoadAllTheThings, however I didn't need to.
strings reverse.war | grep jsp # in order to get the name of the file
So, let's set up our netcat listener first.
And let's now upload our .WAR file/payload to the server.
Now we should see /reverse in our applications on /manager
All we have to do is simply click on /reverse to launch the payload. You should get a blank screen
Let's jump back over and check our terminal
BOOM! We are in!
Let's see who we are?
WE ARE ROOT!
We can now simply cat out the root flag!