The nmap scan shows that the host runs HTTP on port 8080.

It looks like it runs Apache Tomcat/7.0.88.

When we access Host Manager, a window pops up asking us for a username and password.

If we enter the wrong credentials, we are directed to a 401 Unauthorized page. However, that page shows the default credentials (username: tomcat, password: s3cret).

We log in to Host Manager successfully with these default credentials, and we can upload a WAR file in this application.

We can create a reverse shell WAR payload with msfvenom. After uploading the WAR file to the application, we get a reverse shell as the user nt authority\system.
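The whole chain depends on the documented default credentials still being valid for a privileged Tomcat role. As an added example (not part of the original write-up), the script below audits a tomcat-users.xml for that condition. The sample file contents, the function names and every entry in the password list other than s3cret are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Role prefixes that open the Manager / Host Manager applications
# (manager-gui, manager-script, admin-gui, admin-script, ...).
PRIVILEGED_PREFIXES = ("manager-", "admin-")
# "s3cret" is the password shown on the 401 page in the write-up; the other
# entries are assumed weak choices added for illustration.
KNOWN_DEFAULTS = {"s3cret", "tomcat", "admin", "password", "changeit"}

# Constructed sample of conf/tomcat-users.xml (not taken from the target host).
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="ops" password="Xk9#vT2q-Lm47pRz" roles="admin-gui"/>
  <user username="viewer" password="s3cret" roles="reports"/>
</tomcat-users>"""

def local_name(tag):
    """Strip an XML namespace so files with and without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (username, privileged_roles, reason) for each risky account."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) != "user":
            continue
        user = el.get("username", "")
        password = el.get("password", "")
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        privileged = [r for r in roles if r.startswith(PRIVILEGED_PREFIXES)]
        if not privileged:
            continue  # account cannot reach Manager or Host Manager
        if not password:
            reason = "empty password"
        elif password.lower() == user.lower():
            reason = "password equals username"
        elif password in KNOWN_DEFAULTS:
            reason = "known default password"
        else:
            continue
        findings.append((user, privileged, reason))
    return findings

if __name__ == "__main__":
    for user, roles, reason in audit(SAMPLE):
        print(f"[!] {user}: {reason} (roles: {', '.join(roles)})")
```

Any finding means the WAR deployment feature is reachable with guessable credentials; the account should get a unique password or lose its manager-*/admin-* roles.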