- Do a `find` for all files with `tomcat` in the name
  ![[images/Pasted image 20260215182954.png]]
- Navigate to `/etc/tomcat9`
- there is a `.bak` file readable by `barry`
  ![[images/Pasted image 20260215183154.png]]
- we have leaked creds for the `tomcatadm` user for the GUI
- we are in the `tomcat` GUI
  ![[images/Pasted image 20260215183426.png]]

# Exploit
- create a payload to upload into the GUI
  ![[images/Pasted image 20260215183756.png]]
- after uploading we see `/backup` in the table of apps
  ![[images/Pasted image 20260215183844.png]]
- start a listener on Kali
  ![[images/Pasted image 20260215183930.png]]
- browse to `blog.inlanefreight.local:8080/backup`
- hit on our listener!

> there's flag4

![[images/Pasted image 20260215184017.png]]
- this user has `sudo` privs over `/usr/bin/busctl`
  ![[images/Pasted image 20260215184136.png]]
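
Added example (not part of the original notes): a defender-side audit for the `/etc/tomcat9` exposure above, listing backup-style copies in a Tomcat config directory that every local account can read and that contain a password attribute. The function name `audit_tomcat_backups` and the backup suffix list are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Audits a Tomcat config directory for backup-style copies that any local
# account can read and that contain a password attribute.
# Assumptions: the function name and the suffix list below are illustrative.

# Usage: audit_tomcat_backups DIR
# Prints one offending path per line.
# Exit status: 0 = clean, 1 = findings, 2 = DIR is not a directory.
audit_tomcat_backups() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # -perm -o=r matches on the mode bits: the "other" read bit is set,
    # so the result does not depend on who runs the audit.
    # grep -l prints only the names of files that contain the pattern.
    findings=$(find "$dir" -type f -perm -o=r \
        \( -name '*.bak' -o -name '*.old' -o -name '*.orig' -o -name '*~' \) \
        -exec grep -Eil 'password[[:space:]]*=' {} + 2>/dev/null) || true
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Run it as `audit_tomcat_backups /etc/tomcat9`; any path it prints should be deleted or have its mode tightened so that unprivileged local users cannot read it.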