Web
Nmap discovered a Web server on the target port 8080
The running service is Apache Tomcat 7.0.4
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sorcerer]
└─$ curl -I -X OPTIONS http://$IP:8080/
HTTP/1.1 200
Allow: GET, HEAD, POST, OPTIONS
Content-Length: 0
Date: Fri, 28 Mar 2025 19:20:06 GMT
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sorcerer]
└─$ curl -I http://$IP:8080/
HTTP/1.1 200
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 28 Mar 2025 19:20:08 GMT/Practice/Sorcerer/2-Enumeration/attachments/{701D338B-3E3E-41C9-9443-E1D25D0FAC30}.png)
Tomcat
The version is 7.0.4
Manager
/Practice/Sorcerer/2-Enumeration/attachments/{DDA97315-1971-4A79-8C80-F3C543017796}.png)
/Practice/Sorcerer/2-Enumeration/attachments/{EF08BF4C-861D-4F00-8112-F7DA445DC3D9}.png)
/Practice/Sorcerer/2-Enumeration/attachments/{08BB3CA9-2C8A-4A35-A6F7-6E9EFCD75C49}.png)
It would appear that the /manager endpoint is only accessible through localhost
/Practice/Sorcerer/2-Enumeration/attachments/{C46D2DF0-C23F-4E89-9564-33DC13BD3850}.png)
X-Forwarded-For: localhost trick doesn’t appear to work
Vulnerabilities
/Practice/Sorcerer/2-Enumeration/attachments/{5307AC82-7C6D-426E-A427-6ED79DEC536D}.png)
Looking into the vulnerabilities, the target instance suffers from several vulnerabilities.
None of the exploits worked.