Nmap Output:

 

 

Let's view the 8080 port.

 

 

"/manager" draws our attention in the dirb output. When I view the page:

 

 

When we enter the username and password incorrectly, the 401 Unauthorized page says username and password.

 

tomcat:s3cret

 

We can see that we can load a "war" file.

 

 

 

or

 

 

 

done

 

 

After browsing through the files for a while while looking for a vulnerability to privilege escalation

 

 

then

 

 

If we wait a while,