VulnNet: dotjar TryHackMe Walkthrough

Musyoka Ian
7 min read · Apr 25, 2021

Hello guys, back again with another walkthrough. This time we’ll be tackling VulnNet: dotjar from TryHackMe, yet another amazing box from TheCyb3rW0lf. I really loved this box. It starts off with us finding a Tomcat web application that is vulnerable to the Ghostcat vulnerability, a vulnerability we’ve exploited before in a room called tomghost, which is also on TryHackMe. We use the vulnerability to leak some credentials, which we then use to upload a malicious WAR file that gives us remote code execution on the box. Next we find that the shadow backup file is world-readable and contains a valid hash for the jdk-admin user. We crack the hash using John the Ripper and get a password that lets us log into the box as jdk-admin, then find out that we can run any jar file as the root user. We write a Java program that lets us read files and execute commands on the system, and also create a new user with root privileges on the box. It was a really fun box, so without much more to say, let’s jump in.

As always, we’ll start off by running an nmap scan on the box to find the ports that are open.

Looking at the result of the nmap scan, we find that two ports are open on the box: 8080 and 8009. Looking up the Tomcat version online, we find that it’s vulnerable to the Ghostcat vulnerability, but we’ll come back to that later.

Opening the webpage in Mozilla, we get the default Apache Tomcat page.

Clicking on the Manager App link brings us to a login page.

I tried the default credentials for Tomcat, but they all failed; I always got an access denied error message.

But remember that the nmap scan earlier leaked the Tomcat version. Searching online for an exploit came back with some results.

Reading through the proof-of-concept articles, this vulnerability allows an attacker to read arbitrary files present on the Tomcat server. I also found POC exploit code on GitHub and downloaded it to my box.

Next I executed the exploit using the command below:

python3 ajpShooter.py http://10.10.228.133:8080/ 8009 /WEB-INF/web.xml read

Looking at the output below, we were able to read the web.xml file from the server.

Looking through the XML file, we get some credentials.

Sweet. Next I went back to the Tomcat server and tried logging into the web application using those credentials, but as the screenshot below shows, I still got an access denied error message.

But reading through the web.xml config file a second time, I saw that the user did not have graphical user interface (GUI) access to the web application, meaning the user didn’t have the manager-gui role. We still had command line interface access to the web application though, so I decided to create a malicious WAR file using msfvenom which I could later upload to the web application.
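The two Tomcat weaknesses this box chains, an AJP connector reachable from the network (the port 8009 finding from the nmap scan) and a manager account with deployment rights, can both be caught in the server’s own configuration files. The audit below is an added example written for this walkthrough, not the author’s code or the box’s real configuration; the server.xml and tomcat-users.xml excerpts are constructed samples, and the plaintext-password check is a heuristic.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not the box's real files) for the two checks below.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""
USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/><role rolename="manager-script"/>
  <user username="deployer" password="s3cret" roles="manager-script"/>
  <user username="webadmin" password="a1b2c3$10000$deadbeef" roles="manager-gui"/>
</tomcat-users>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Each of these roles reaches an interface that can deploy a WAR (HTML form, text API, JMX proxy).
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx"}


def _local(tag: str) -> str:
    return tag.split("}")[-1]  # strip the xmlns that tomcat-users.xml carries


def audit_ajp(server_xml: str) -> list[str]:
    """Flag AJP connectors that listen on non-loopback addresses or require no shared
    secret; a reachable, unauthenticated AJP port is what made the Ghostcat file read possible."""
    findings = []
    for conn in ET.fromstring(server_xml).iter():
        if _local(conn.tag) != "Connector" or not conn.get("protocol", "").startswith("AJP"):
            continue
        port = conn.get("port", "?")
        if conn.get("address") not in LOOPBACK:
            findings.append(f"AJP connector {port}: not bound to loopback")
        if conn.get("secretRequired", "true").lower() == "false" or not conn.get("secret"):
            findings.append(f"AJP connector {port}: no shared secret configured")
    return findings


def audit_users(users_xml: str) -> list[str]:
    """Flag accounts that can deploy applications (code execution by design) and accounts
    whose password is not in Tomcat's digested salt$iterations$hash form (heuristic)."""
    findings = []
    for user in ET.fromstring(users_xml).iter():
        if _local(user.tag) != "user":
            continue
        name = user.get("username") or user.get("name", "?")
        deploy = {r.strip() for r in user.get("roles", "").split(",")} & DEPLOY_ROLES
        if deploy:
            findings.append(f"user {name}: can deploy WARs via {','.join(sorted(deploy))}")
        if user.get("password") and "$" not in user.get("password"):
            findings.append(f"user {name}: plaintext password")
    return findings
```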

Now that we have the reverse shell WAR payload ready, let’s upload it to the web application using curl.

Looking at the screenshot above, we see that the WAR file was uploaded successfully. Next I started a netcat listener on my box.

Then I triggered the payload using Mozilla.

Going back to my listener, I had a shell on the box.

Just as a fun exercise, I created a Python script that does the same job as the curl command and gives you a semi-interactive shell (meaning it’s not persistent).

The link to the source is below:

GitHub

Next I upgraded my shell to a fully interactive TTY shell.

Next I ran linpeas, which checks for misconfigurations that would allow an attacker to perform privilege escalation on a system, and found an interesting backup file that I had read access to.

I had read access to the shadow backup.

Next I copied the shadow backup to /dev/shm and extracted its contents.

Looking at the screenshots, we have the hashes for every user that has login access on the system. I was interested in the jdk-admin user’s hash, since that was the next logical step to escalate our privileges on the box.
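The finding here is a copy of /etc/shadow that any local user can read, possibly sitting inside an archive. The check below is an added example written for this walkthrough, not the author’s script; the directory it scans is a constructed sample with a placeholder hash, and the tar handling is included because the author had to extract the backup before reading it.

```python
import os, re, tarfile, tempfile
from pathlib import Path

# One shadow(5) entry: user, a crypt hash ($id$salt$digest), then 7 more colon fields.
SHADOW_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:]+(?::[^:]*){7}$", re.M)


def looks_like_shadow(data: bytes) -> bool:
    """True if the bytes carry at least one shadow entry with a real hash (not * or !)."""
    try:
        return SHADOW_LINE.search(data.decode("utf-8")) is not None
    except UnicodeDecodeError:
        return False


def contents_of(path: Path):
    """Yield (label, bytes) for the file itself, or for each member if it is a tar archive."""
    if tarfile.is_tarfile(path):
        with tarfile.open(path) as tar:
            for member in tar.getmembers():
                if member.isfile():
                    yield f"{path}:{member.name}", tar.extractfile(member).read()
    else:
        yield str(path), path.read_bytes()


def find_exposed_shadow_copies(root: str) -> list[str]:
    """Report regular files under root that are readable by 'others' (mode o+r) and
    contain password hashes: the world-readable shadow backup that linpeas surfaced."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            if not path.is_file() or not path.stat().st_mode & 0o004:
                continue
            hits.extend(label for label, data in contents_of(path) if looks_like_shadow(data))
    return hits


def build_sample_tree() -> str:
    """Constructed sample directory (not the box's files) exercising the checks above."""
    root = tempfile.mkdtemp()
    hashline = "jdk-admin:$6$CONSTRUCTED$notarealhash:18500:0:99999:7:::\n"  # placeholder hash
    Path(root, "shadow.bak").write_text("root:!:18500:0:99999:7:::\n" + hashline)
    Path(root, "shadow.priv").write_text(hashline)
    Path(root, "passwd").write_text("jdk-admin:x:1000:1000::/home/jdk-admin:/bin/bash\n")
    with tarfile.open(Path(root, "backup.tar"), "w") as tar:
        tar.add(Path(root, "shadow.priv"), arcname="etc/shadow")
    for name, mode in [("shadow.bak", 0o644), ("shadow.priv", 0o600), ("passwd", 0o644), ("backup.tar", 0o644)]:
        os.chmod(Path(root, name), mode)  # only shadow.bak and the archived copy should be reported
    return root
```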

I copied the hash to my box and tried cracking it with John the Ripper.

Looking at the screenshot below, after a few minutes we get the password for the user jdk-admin.

Sweet!! I tried accessing the account using those credentials and it worked!! I was able to escalate my privileges to the jdk-admin user.

Running sudo -l, we see that the user jdk-admin can run any jar file as the root user.
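A sudo rule that lets a user run a runtime such as java on any jar is effectively a grant of root, because the code that runs is whatever the user supplies. The sudoers audit below is an added example written for this walkthrough, not the author’s code; the sudoers excerpt is constructed (the box’s real rule is not quoted here), and the check generalises from java to other interpreters.

```python
import re

# Constructed /etc/sudoers excerpt (not the box's real file); the jdk-admin line mirrors the jar case.
SUDOERS = """
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
jdk-admin   ALL=(root) NOPASSWD: /usr/bin/java -jar *.jar
backup      ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/
deploy      ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart tomcat9
"""

# Binaries whose arguments are code: allowing them under sudo equals allowing anything.
RUNTIMES = {"java", "python", "python3", "perl", "ruby", "node", "sh", "bash"}
ALIASES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def audit_sudoers(text: str) -> list[dict]:
    """Report user-spec rules that hand the runas user arbitrary code execution: ALL,
    an interpreter/runtime binary (whatever its arguments), or a wildcard in the
    arguments. root's own rule, comments and alias/Defaults lines are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = RULE.match(line) if line and not line.startswith(ALIASES) else None
        if not match or match["user"] == "root":
            continue
        runas = (match["runas"] or "root").split(":")[0]  # "(user:group)" -> user
        for cmd in match["cmds"].split(","):
            words = cmd.split()
            tags = []
            while words and words[0].endswith(":") and words[0][:-1].isupper():
                tags.append(words.pop(0)[:-1])  # leading NOPASSWD:, NOEXEC:, ... tags
            if not words:
                continue
            binary = words[0].rsplit("/", 1)[-1]
            reason = None
            if words[0] == "ALL":
                reason = "ALL commands"
            elif binary in RUNTIMES:
                reason = f"runtime {binary} runs whatever code the caller supplies"
            elif any("*" in arg for arg in words[1:]):
                reason = "wildcard in arguments"
            if reason:
                findings.append({"user": match["user"], "runas": runas, "nopasswd": "NOPASSWD" in tags,
                                 "cmd": " ".join(words), "reason": reason})
    return findings
```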

I decided to create a jar file that performed multiple functions:

  1. reading the root flag from the system
  2. creating a user called musyoka with the password musyoka that had root access on the system
  3. creating an interactive root shell on the system

First I had to create an MD5 hash which I could add to the passwd file.

Then I created my Java exploit using IntelliJ.

Then I compiled the code on my box, uploaded it to the target and tried executing it, but got an error message.

I came to realize that I had compiled my Java code with version 11, but the system was running Java 8 as the default version. So I compiled my code using an online Java 8 compiler.

Looking at the screenshot below, we see that the code compiled successfully.

I downloaded the compiled version using the download zip option from the server.

I copied the zip to my current working directory and unzipped it.

Then I copied the Main.jar file to the target.

I tried executing it again, and as the screenshot below shows, it works perfectly.

We were able to extract the root flag from the box, as the screenshot above shows, and the screenshot below shows we can also execute system commands as the root user.

We also created a user called musyoka on the box. Let’s see if it worked by trying to log in as the musyoka user.

Looking at the screenshot above, it worked: we are root on the box again!!!

And the box is done!!!! I hope you enjoyed the walkthrough; if so, clap for me down below and make sure to follow me so that you don’t miss any upcoming walkthroughs. As always, I recommend learning how to code in multiple languages, because it always comes in handy soon enough.

The Java exploit is available on my GitHub page.
