As usual, we can start with an nmap scan :
Going to tcp:8080 we see a tomcat server in which we are able to log in using the default credentials “tomcat:s3cret”. We can easily find default/common credentials on the internet. This time, in particular, I got them from here
As we now have full control over the server we can generate a .war payload using msfvenom, deploy that and get a session:
Once the payload is deployed we have to start a multi/handler listener on our machine to catch the session, then go to 10.10.10.95:8080/deploy and get our meterpreter session running as SYSTEM!
And that’s it! We got root!