First, use nmap to scan the port, and see that only port 8080 is opened. It
is the default interface
dirmap given by Tomcat to scan the directory.
Go to the manager management page to see, he needs authentication,
he prompts the password to be s3cret, I tried this, it saves trouble, I don't need to blast it myself. It's easy to
get into the background of tomcat. There are many getshell methods, and it 's written here . There are many, here I choose to use msf directly, which is more convenient
use exploit/multi/http/tomcat_mgr_upload
Get through directly
to find the flag on Administrator's desktop
cd C:\Users\Administrator\Desktop\flags
type "2 for the price of 1.txt"
win