Thompson
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).
Detailed Nmap scan:
Command Breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying ports 22,8009,8080
(-oN nmap): Saving the output into a file called nmap
Enumeration
Let's visit the site on port 8080.
It's an Apache Tomcat page. There is a Manager App tab; let's click it and see what it says.
We need a username and a password, and we do not have one, so let's click cancel. Once we do, we get this page.
The error page gives us a username and a password, so let's use these credentials to log in.
We are logged in. Looking through the application manager, we see something interesting:
we can upload WAR files. A WAR file with a reverse-shell payload will give us a shell on the machine.
Exploitation
Let's first make the payload; make sure to replace my IP with yours.
Let's upload the file: click on browse and select the file.
Then hit deploy, and you should see the file listed.
Now let's start a netcat listener.
Click on the deployed file and you should get a reverse shell.
Let's stabilize the shell with these commands.
We can read the user.txt file.
We have two other files in the directory; let's look at what they contain.
It looks like the id.sh file is running the id command and sending the output to the file called test.txt. Let's check the cron jobs running on this machine.
It looks like a cron job is reading the files in /home/jack, so let's transfer the root flag to this directory by adding the command to the id.sh file and then read it.
We can edit the file using nano, or we can use this command.
Once we do this, we should see the root.txt file in our directory and we can read it.
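A defensive check for the weakness used above, added here as an example and not part of the original writeup: it parses /etc/crontab-style entries and flags root jobs whose scripts live under /home, belong to a non-root user, or are group/world-writable. The sample crontab and file snapshot are constructed, and the `command_paths` and `audit_crontab` names are my own.

```python
import posixpath
import re
import stat

# /etc/crontab and /etc/cron.d lines: 5 time fields, a user, then the command.
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def command_paths(cmd: str) -> list:
    """Absolute paths a command touches, resolving `cd DIR && script.sh` too."""
    paths, cwd = [], None
    for seg in re.split(r"&&|\|\||;", cmd):
        toks = seg.split()
        if toks and toks[0] == "cd":
            cwd = toks[1] if len(toks) > 1 else None
            continue
        for tok in toks:
            if tok.startswith("/"):
                paths.append(tok)
            elif cwd and tok.endswith(".sh"):  # heuristic: relative script after cd
                paths.append(posixpath.join(cwd, tok))
    return paths

def audit_crontab(crontab_text: str, file_info: dict) -> list:
    """One finding per risky path run by root; file_info maps path -> (owner, mode)."""
    findings = []
    for line in crontab_text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#") or "=" in toks[0]:
            continue  # blank line, comment, or VAR=value assignment
        m = CRON_RE.match(line)
        if not m or m.group("user") != "root":
            continue  # only jobs that run as root matter for escalation
        for path in command_paths(m.group("cmd")):
            owner, mode = file_info.get(path, ("?", 0))  # unknown path -> no owner/mode
            reasons = []
            if path.startswith("/home/"):
                reasons.append("under /home")
            if owner not in ("root", "?"):
                reasons.append("owned by " + owner)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group/world-writable")
            if reasons:
                findings.append(path + ": " + ", ".join(reasons))
    return findings

# Constructed sample shaped like the writeup's finding, not the box's real data.
SAMPLE_CRONTAB = ("SHELL=/bin/sh\n"
                  "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
                  "*  * * * * root cd /home/jack && bash id.sh\n")
SAMPLE_FILES = {"/etc/cron.hourly": ("root", 0o755), "/home/jack/id.sh": ("jack", 0o777)}
```

Running `audit_crontab(SAMPLE_CRONTAB, SAMPLE_FILES)` reports the id.sh job and stays silent for the hourly run-parts entry; on a live host, build `file_info` from `os.stat` of each path the function returns.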