Tags: web 


Running dirb with the provided list reveals that the Jolokia JMX endpoint is public.
After reading up on how Jolokia works:
Going to https://not-found.ctf.bsidestlv.com/jolokia/list reveals that all MBeans are exposed and available for use.
Searching the list shows that users are stored in an in-memory user database MBean:

There is a user with username=BSidesTLV2022 and a role `k1aNoYouCantBruteIt}`, which looks like part of the flag.
OK, another part is missing. Let's try to read the user's password with a POST request that reads from this MBean:

```json
{
  "type": "read",
  "mbean": "Users:database=UserDatabase,type=User,username=\"BSidesTLV2022\"",
  "operation": "findUser",
  "arguments": ["BSidesTLV2022"],
  "attribute": "password"
}
```

The response reveals the second, missing part of the flag:
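To make the Jolokia exchange above concrete, here is an added Python example (not part of the original writeup) that audits a Jolokia `list` response for secret-bearing attributes, builds the `read` body in the same shape as the request above, and unwraps a response while handling the non-200 error case. The `list` response is a constructed sample, not output captured from the CTF target.

```python
import json

# Constructed sample of a Jolokia "list" response (not captured from the target).
# Layout: value -> domain -> MBean property string -> {"attr", "op", "desc"}.
SAMPLE_LIST = json.dumps({
    "request": {"type": "list"},
    "value": {
        "Users": {
            'database=UserDatabase,type=User,username="BSidesTLV2022"': {
                "attr": {
                    "username": {"type": "java.lang.String", "rw": False, "desc": "User name"},
                    "password": {"type": "java.lang.String", "rw": True, "desc": "User password"},
                    "roles": {"type": "[Ljava.lang.String;", "rw": False, "desc": "Roles"},
                },
                "op": {},
                "desc": "Tomcat user",
            }
        },
        "java.lang": {
            "type=Runtime": {"attr": {"Uptime": {"type": "long", "rw": False, "desc": "Uptime"}},
                             "op": {}, "desc": "Runtime"}
        },
    },
    "status": 200,
})

# Attribute-name fragments a defender would not want readable without auth.
SENSITIVE = ("password", "secret", "credential", "token")


def find_sensitive_attributes(list_json):
    """Return (ObjectName, attribute) pairs whose attribute name looks secret-bearing."""
    doc = json.loads(list_json)
    if doc.get("status") != 200:
        raise RuntimeError("list failed: %s" % doc.get("error", doc.get("status")))
    hits = []
    for domain, mbeans in doc["value"].items():
        for props, meta in mbeans.items():
            for attr in meta.get("attr", {}):
                if any(s in attr.lower() for s in SENSITIVE):
                    hits.append(("%s:%s" % (domain, props), attr))
    return hits


def build_read_request(mbean, attribute):
    """Jolokia POST body for a single-attribute read (json.dumps escapes the quoted username)."""
    return {"type": "read", "mbean": mbean, "attribute": attribute}


def parse_jolokia_response(raw):
    """Unwrap a Jolokia response; a non-200 status carries 'error' text instead of 'value'."""
    doc = json.loads(raw)
    if doc.get("status") != 200:
        raise RuntimeError("jolokia %s: %s" % (doc.get("status"), doc.get("error")))
    return doc["value"]
```

Running `find_sensitive_attributes` against your own instance's `/jolokia/list` output is a quick way to spot an MBean like the one above before an attacker does.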