Thompson TryHackMe (THM)
Hello guys, back again with another write-up. This time we are gonna do Thompson from TryHackMe, a good box for beginners. Essentially you exploit a Tomcat server that is using default credentials, upload a malicious WAR file and get a reverse shell. Then for privilege escalation there's a file owned by root but writable by the user tomcat (me). I'll show two ways of exploiting it to get a root shell.
Before I did any enumeration of the box I saw the logo, which was a great hint on how to exploit the box since it is the Tomcat logo. Let's jump right in.
I started with a port scan using nmap and three ports were open: SSH, Apache JServ and Apache Tomcat.
I decided to enumerate the Tomcat web server first. Opening the web server in a browser we get the default Tomcat webpage.
Clicked on Manager App and it required credentials.
Tried to log in with the default admin:admin but got an authentication failure. I pressed the cancel button and we get another page that exposes the credentials for the server.
username="tomcat" password="s3cret"
Using those credentials I was able to log into the server.
Things seemed pretty straightforward from here: we have to upload a malicious WAR file. I generated the WAR file using msfvenom (the Metasploit payload generator).
Set up a listener using netcat (you can use Metasploit), uploaded the WAR file to the server, deployed it and got a shell on our box.
We have a shell!!!!!! Sweet. Now I upgraded my shell to a fully interactive shell.
Now we can get the user flag submit it and increase our rank
Of course I can't show you the flag. Now it's time for privilege escalation. I'm sure by now you know the drill: uploading a script that checks for privilege escalation vectors and running it. The script that I normally use is linpeas. Really awesome script that outputs the results in colour.
In home there's a file called id.sh. It is not owned by us but we can write to it. Looking at the contents of the bash script:
It's a simple bash script that executes the id command and saves the output in a text file called test. Let's take a look at the text file and see the output.
Looking at the result it looks like it's executing the command as root. Time for privilege escalation.
1st Method (Getting root flag using cat command)
I edited id.sh and replaced with the following command
echo "cat /root/root.txt > test.txt" > id.sh
What it essentially does is cat the root flag and store the output in a file called test.txt.
After some time I cat the contents of test.txt and boom, we have the root flag.
2nd method (Getting root flag by adding a bash reverse shell command)
Editing the bash script to add a bash reverse shell command that connects back to our machine as root.
Set up a listener on my local box using netcat and in about 30 seconds got a callback to my machine as root!!!!!!!! Boom, we are root. Now we get the root flag.
It's safe to assume that the system runs a cron job that executes id.sh as root.
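From the defender's side, the misconfiguration that made id.sh exploitable is a root cron job pointing at a script a non-root user can modify. The audit below is an added example, not part of the original write-up: it parses an /etc/crontab-style file (five-field schedule, user, command) and flags such scripts. The crontab text and the two scripts are constructed in a temporary directory, and the current user stands in for root when ownership is checked.

```python
"""Audit /etc/crontab-style entries for root jobs whose script a non-root user could rewrite."""
import os
import stat
import tempfile


def parse_crontab(text):
    """Yield (user, command) for each job line of a system crontab (five-field schedules only)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or variable assignment such as SHELL=/bin/sh
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        yield fields[5], fields[6]


def writable_by_non_root(path, root_uid=0):
    """True if the script is not owned by root, or is group- or world-writable."""
    st = os.stat(path)
    if st.st_uid != root_uid:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(crontab_text, root_uid=0):
    """Return script paths that cron runs as root although a non-root user could modify them."""
    findings = []
    for user, command in parse_crontab(crontab_text):
        if user != "root":
            continue  # a job running as another user does not hand out root
        path = command.split()[0]
        if os.path.isabs(path) and os.path.exists(path) and writable_by_non_root(path, root_uid):
            findings.append(path)
    return findings


def build_demo():
    """Constructed sample: a world-writable id.sh (as on the box) and a safe script."""
    d = tempfile.mkdtemp()
    vuln, safe = os.path.join(d, "id.sh"), os.path.join(d, "safe.sh")
    for p in (vuln, safe):
        with open(p, "w") as f:
            f.write("#!/bin/bash\nid > test.txt\n")
    os.chmod(vuln, 0o666)  # anyone can rewrite the script cron runs as root
    os.chmod(safe, 0o755)  # owner-only write
    crontab = f"*/2 * * * * root {vuln}\n0 3 * * * root {safe}\n*/5 * * * * jack {vuln}\n"
    return crontab, d


def demo():
    """Run the audit on the constructed sample; current user stands in for root."""
    crontab, _ = build_demo()
    return [os.path.basename(p) for p in audit(crontab, root_uid=os.getuid())]


if __name__ == "__main__":
    for name in demo():
        print("WARNING: root cron job runs a script a non-root user can modify:", name)
```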
That's it for now guys, till next time. Take care, and as we are facing this COVID-19 pandemic, stay safe and follow the rules given by the W.H.O., because every life matters. Peace guys.