Reconnaissance
Port scanning using Nmap
└──╼ [★]$ nmap -sCV -p- -T4 10.129.16.168
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-02 13:44 CDT
Nmap scan report for 10.129.16.168
Host is up (0.0022s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
|   256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_  256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Mega Hosting
|_http-server-header: Apache/2.4.41 (Ubuntu)
8080/tcp open  http    Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

It seems 3 ports are open: 22, 80, and 8080. I tried opening Tomcat on port 8080 first.

The News menu displays information about a data breach.

LFI in news.php within file statement

The Tomcat config is located at /usr/share/tomcat9/etc/tomcat-users.xml.
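From the defender's side, requests that abuse a file parameter like the one in news.php can be flagged in the Apache access log. The following is an added example, not part of the original writeup: the log lines are constructed, the combined log format is assumed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format log lines (not captured from the target).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2026:13:50:01 -0500] "GET /news.php?file=statement HTTP/1.1" 200 1574 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [02/Apr/2026:13:51:12 -0500] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 2325 "-" "curl/7.88"',
    '10.0.0.9 - - [02/Apr/2026:13:51:40 -0500] "GET /news.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0 "-" "curl/7.88"',
    '10.0.0.7 - - [02/Apr/2026:13:52:03 -0500] "GET /index.php HTTP/1.1" 200 14175 "-" "Mozilla/5.0"',
]

# client IP, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value is absolute, climbs with '..', or holds a NUL."""
    v = fully_decode(value).replace("\\", "/")
    return v.startswith("/") or ".." in v.split("/") or "\x00" in v

def find_lfi_attempts(lines, script="/news.php", param="file"):
    """Return (client_ip, status, value) for suspicious requests to `script`."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path != script:
            continue
        # parse_qs already decodes once; is_traversal decodes the rest.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if is_traversal(value):
                hits.append((ip, int(status), value))
    return hits

if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned status 200 with a non-empty body deserves priority, since the file may have been served.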