Linux Local Privilege Escalation - Skills Assessment

Hello,
I am stuck at flag4. To be honest, I don't have any idea how I should proceed. I saw that the tomcat folder has “S” priv but have no idea how I should proceed. Should I look for some specific logs?

EDIT: I found a user: tomcatadm with its password. But it is not the actual user tomcat for flag4. What am I missing? What is this user?

I don’t know if this is still relevant, but you should think about where else you could use the found credentials.

With the credentials and the admin login page, you can deploy a reverse shell via file upload and trigger it. You can get flag 4, and flag 5 is not hard. GTFOBins helps you escape privilege.

Trying to get to flag4. I uploaded a WAR webshell to Tomcat via manager panel. It will appear in Application endpoints list, but will not execute. It just gives me a 404 error, even though I’ve completely removed all the authorization logic from the backdoor (IP address check). I tried all path variations like: /cmd, /cmd/cmd.jsp?cmd=, but no luck. I used a webshell from Laudanum directory. Am I doing something wrong? Any other ways to get to tomcat’s user shell?

Solved it. Just needed to specify ‘warfiles’ directory inside the archive, that was created by the script, like: /cmd/warfiles/cmd.jsp?cmd=id

Hi everyone,

I am at flag5. I have a webshell and am trying to get a meterpreter revshell using the multi/http/tomcat_mgr_upload module.

I set username, password, RPORTS, LPORT=8080, but when I start the exploit it gives back this message:

Does somebody know why the server does not return a fingerprint even though it is clearly running under 8080?

Btw: does somebody know how to execute msfvenom war payloads on the webserver? Do I just need to click on it? Because I only get an error message and no callback to my multi/handler.


I am stuck on flag4, I need help. Thx

There is a way to do this box without going the route of tomcat, if you have a precompiled binary.


Yep you can eat sandwich as barry