Make sure you’ve identified ALL of the vulnerable applications on the box…one of them will give you what you want…don’t just focus on the one thing
Hi, im not sure what is the direction of flag4. As I get the account “tomcatadm” with password but I cant access any manager page for that website no matter “/manager” or “/host-manager” all are not found.
I also success access the word press with admin account and wpscan for many vulnerability and none of them seems helpful. Please give me a direction thanks!
You found the buried admin credentials? There are additional ways to log into tomcat, not just the web-form…
Whats the other way you mentioned? Do you mean something like GET POST request using curl?
I am on flag5. I moved to third user with a shell from external service where it is not upgraded. So, errors reported by shell are missing. Exist any way to fix this. I guess I am inside a restricted “universe” due my filesystem is different than other users. Any hint is welcome! thanks
There are some shell upgrades to get a usable bash shell, have a look at different methods…
Have you had a look at MSF for instance?
Done. Thank you
I am not familiar with the MSF tool.
How can I get the access on the tomcat user with the MSF tool?
In the hint is written “Look at all external services running on the box.”, in my opinion is this the webserver on port 8080. I get the username and password in the /etc/tomcat9/tomcat-users.xml. So it is possible to log in with these. But there is anything else what I can do, to get the password of the tomcat user.
I could need help as well. I found flag 4 and upgraded my Shell to a fully interactive shell. I also checked commands I can execute with sudo without password and tried to exploit the command. Is this the right way? I did not really find useful hints from the internet.