Jerry HTB

We start with nmap:
nmap -Pn -sC -sV -oA nmap/initial 10.10.10.95

We see port 8080 is open and is a web server.
There is a manager application on this Tomcat server we can log into:

I failed login attempts and got our IP blacklisted:
womp womp.

We can see that there is an RCE exploit for this version of Tomcat:
https://www.exploit-db.com/exploits/42953

We are unable to log in through the browser for some reason, but there is a Metasploit module for this exploit:
exploit(multi/http/tomcat_mgr_upload)

We verify we have the correct credentials using another msf module:
auxiliary(scanner/http/tomcat_mgr_login)


We run the metasploit module:

Then we get the flags:
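
From the defender's side, the credential guessing and the manager upload used above both show up in Tomcat's access log. The script below is an added example, not part of the original writeup: it assumes the AccessLogValve "common" pattern, and the log lines, addresses, dates and threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Tomcat's "common" access-log pattern (%h %l %u %t "%r" %s %b).
SAMPLE_LOG = """\
192.168.1.20 - - [01/Jan/2024:09:00:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.20 - admin [01/Jan/2024:09:00:05 +0000] "GET /manager/html HTTP/1.1" 200 17432
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [01/Jan/2024:10:00:04 +0000] "GET /manager/html HTTP/1.1" 200 17432
10.10.14.5 - tomcat [01/Jan/2024:10:00:09 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=CONSTRUCTED HTTP/1.1" 200 18011
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that deploy a WAR (HTML upload form and text interface).
DEPLOY_RE = re.compile(r'^/manager/(html/upload|text/deploy)\b')


def analyze(log_text, threshold=3):
    """Return (ip, user, finding) tuples in the order they occur in the log."""
    failures = defaultdict(int)  # consecutive 401s on the manager app, per source IP
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith("/manager/"):
            continue  # malformed line or not a manager request
        ip, user, status = m["ip"], m["user"], int(m["status"])
        if status == 401:
            failures[ip] += 1
            continue
        if 200 <= status < 300 and user != "-":
            # A success right after a run of failures suggests a guessed password.
            if failures[ip] >= threshold:
                findings.append((ip, user, "login-after-failures"))
            failures[ip] = 0
            if DEPLOY_RE.match(m["path"]):
                findings.append((ip, user, "war-deploy"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Every "war-deploy" finding is worth reviewing against change records, since legitimate deployments through the manager application are usually rare and scheduled.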