Thompson Walkthrough - TryHackMe
Enumeration
NMAP:
We can see that port 8080 is running Apache Tomcat, with the Tomcat Manager application.
It's the default Apache Tomcat page. I checked the page source, but there is nothing valuable in it.
Let's use DirBuster to find directories on that port.
There was a directory named manager. Browsing to it prompted for a username and password; after I clicked cancel, I got a banner with some information.
In that banner I noticed the username and password admin:s3cret.
So I used it to log in, and it was successful.
In Tomcat Manager we can upload Java WAR files, which are deployed and stored on the server.
So I thought of packaging a reverse shell as a .war file and uploading it to the server.
Then I used Metasploit to exploit the server with that username and password.
Using the authenticated upload, I exploited it and got the reverse connection.
Privilege Escalation
There is a script called "id.sh". What it does is write the output of the id command to test.txt. Read the content of test.txt.
Now I know there is a cron job, and that this cron job runs id.sh as root. So let's check whether I can modify the content of this script.
I was able to modify the script, and added a bash reverse shell payload to it.
Then I started the reverse listener.
Got the reverse connection!
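The root cause of the privilege escalation above is a root cron job whose script is writable by an unprivileged user. The following audit script is an added example, not part of the original walkthrough: it reads a system crontab and reports every job whose target script is group- or world-writable (or missing). It assumes the /etc/crontab column layout (min hour dom mon dow user command) and a POSIX find(1).

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: audit a system crontab
# for jobs whose script could be edited by a non-owner, which is the weakness
# the root-run id.sh job above exposed. Assumes the /etc/crontab column layout
# (min hour dom mon dow user command) and a POSIX find(1).

# audit_crontab FILE: prints one line per risky entry, nothing for clean ones.
audit_crontab() {
    crontab_file=$1
    # Drop comments, blank lines and VARIABLE=value lines before parsing.
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$crontab_file" |
    while read -r min hour dom mon dow user cmd; do
        if [ "${min#@}" != "$min" ]; then
            # @reboot/@daily form: the fields are <when> <user> <command>.
            user=$hour
            script=$dom
        else
            # The script is the first word of the command field.
            script=${cmd%% *}
        fi
        # cron runs with a minimal PATH, so only absolute paths are checked.
        case "$script" in /*) ;; *) continue ;; esac
        if [ ! -e "$script" ]; then
            # A missing target is still worth reporting: whoever can create
            # the file later controls what the job runs.
            echo "MISSING $script (run as $user)"
            continue
        fi
        # find prints the path only when the group- or other-write bit is set.
        if [ -n "$(find "$script" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $script (run as $user)"
        fi
    done
}

# Usage on a live host: audit_crontab /etc/crontab; repeat for /etc/cron.d/*.
```

Any WRITABLE line whose user is root is exactly the situation exploited above; the fix is `chmod 755` and `chown root:root` on the script (and its directory).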