Sunday, 17 February 2019

Sleepy - CTF

I woke up again at 3 AM, so it was... a good time to finish one of the CTFs I started a few weeks ago - this one is called Sleepy ;). You can find the machine online thanks to the VulnHub team. Below are a few details from the journey...
When the machine is ready, we should be somewhere here:


When I saw JDWP enabled, I decided to switch to Metasploit and use one of the exploits available there:

That was interesting. :)

I decided to read a few more pages about JDWP [1, 2, 3, 4]. Now it was time to verify the hints I had found. :)

Checking prdelka's paper:


So far so good. More docs to read:


...and more...

Ok, we will get back to that later...

Let's try to check the next open port that was found - 8009/tcp. Some hints you will find on Wikipedia:


Ok, let's prepare our mod_jk (based on this article [5] - thanks!):

Our configs:


Restarting apache2 and checking our 'settings':


Looks like now we can access /manager/.

After a while you'll see that bruteforcing the manager's password is pointless. So I was wondering if there is any other way to grab Tomcat's password list... Let's get back to our JDWP port.

According to the links mentioned before ([1, 2, 3, 4, 5]), we'll get the list of available threads:


Let's interrupt:


Now (after I had looked up the location of the tomcat-users.xml file) I modified the payload available here
to read the content of the file:


...and again... ;]


I was wondering if I needed to copy the user file via FTP? Checking:

Maybe, but I wasn't even able to list the directory content when I was connected via FTP ;S

So no luck, I needed to try something else...

Maybe some grep? ;)


"Great, password!" - but can you see this nice string at the beginning? ("<-- " ;))

So, yeah...

At this stage I was stuck for a while. But then I decided to read the file backwards (line by line):


Good, so now we have the 'tomcat' password and we can access Tomcat's /manager/... ;)
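The grep pitfall above (the first "password" hit sat inside an XML comment, hence the "<--" in front of it) is a good reason to audit tomcat-users.xml with a real XML parser rather than grep. The following is an added example, not part of the original post: it parses a constructed sample file, drops commented-out entries automatically, and lists which live accounts actually hold Manager/Host-Manager roles, which is what an administrator reviewing such a file wants to know.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the pitfall in the walkthrough: the first
# "password=" line that grep returns is a commented-out <user> entry.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <!--
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  -->
  <user username="tomcat" password="realpassword" roles="manager-gui,admin-gui"/>
  <user username="guest" password="guest" roles="tomcat"/>
</tomcat-users>
"""

# Roles that grant access to the Manager / Host Manager web applications.
SENSITIVE_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                   "manager-status", "admin-gui", "admin-script"}


def grep_password_lines(text):
    """Naive line grep, as in the walkthrough: commented-out entries match too."""
    return [line.strip() for line in text.splitlines() if "password=" in line]


def parse_tomcat_users(text):
    """Map username -> set of roles for live <user> elements only.

    ElementTree discards XML comments while parsing, so the commented-out
    entry never shows up here. Tags are namespaced, hence the split on '}'.
    """
    root = ET.fromstring(text)
    users = {}
    for el in root.iter():
        if el.tag.split("}")[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        users[el.get("username")] = roles
    return users


def privileged_users(text):
    """Usernames whose live entry grants any Manager/Host-Manager role."""
    users = parse_tomcat_users(text)
    return sorted(u for u, roles in users.items() if roles & SENSITIVE_ROLES)


if __name__ == "__main__":
    print("grep hits:", grep_password_lines(SAMPLE_TOMCAT_USERS))
    print("live users:", parse_tomcat_users(SAMPLE_TOMCAT_USERS))
    print("privileged:", privileged_users(SAMPLE_TOMCAT_USERS))
```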

My next step was to generate a WAR shell using venome.sh and deploy it to the "remote" host (on our 127.0.0.1):

Checking access:


Preparing WAR webshell:

Uploading:


And after visiting the 'new link' we should see our reverse shell in meterpreter's window:


Cool. Let's find some SUID files:


As you can see, there is a nightmare binary:


Checking with strings:


Great. Checking:


Ok, again. I prepared a new session/warfile:


Next step: exporting a function in bash:


Unfortunately I wasn't able to grab a root shell...

...until kill with the proper signal was used (in the 2nd (session) console):


Great, root shell :)


It was a great CTF. Big thanks go to the author!
Also big thanks go to VulnHub for sharing all of those games.

Cheers