Black Box Pentest 1

Do we have to become root using an exploit in Tomcat?

I have the same question…

I don’t think so, because they have mentioned in the goals to only have the flags. Where we get it, there we should stop and then move on to the next machine.

I’ve never done the black boxes, but from my experience I could suggest trying to gain root in (almost) every compromised host.

Thanks for the awesome information.

I’m finding them extremely difficult (even though I document my entire journey through PTS). Do you think it’s a sign I won’t pass the exam?
I tried solving a few TryHackMe labs; they are extremely easy, but black box 1 and 2 are extremely difficult. I just would never guess to look for dir x/y/z to find a flag, or maybe the DB creds are leaked through some headers, etc.

That’s perfectly natural. I’ve done all black boxes 4 times prior to attempting my exam, and I had to look up hints and/or full solutions for each attempt.
[EDIT] Also, it’s always a good practice to inspect headers on web apps, as well as checking the source code.
If I could change one thing about this approach, in hindsight, I’d probably spend more time researching on my own before resorting to looking up the answers right away.

Good luck!