Thompson is another beginner-friendly room on TryHackMe.com based on the exploitation of AJP (Apache JServ Protocol). If done right completing this room won’t take more than 15 to 20 minutes as it is pretty easy.

Initial Enumeration

The first that we must do is run an nmap scan against the machine’s IP address in order to determine the various ports open on the machine.

We can see that on port 8080 Apache Tomcat is running which suggests we can try to access it via a web browser at <ip_address>:8080.

And there we land on the Apache Tomcat default page. We can try to access the Manager App as from there we can access Tomcat’s dashboard. But when we click on that link, it asks us for a username and password which we don’t know.

We can try some default credentials like admin:admin or any other but they don't work. But when we click on the cancel button it leads us to an unauthorized access error page.

And on the same page, we can find the username and password which we can use to access the application manager.

Now, we have access to the application manager. One thing to note is that in the application manager we have an option to upload a WAR file. So, we can create a custom payload using msfvenom, upload it on the server and gain a reverse shell to the machine.

We can search on the internet beforehand to be sure that this method works. One such article can be found here. So, now we can move ahead and create a payload using msfvenom.

This command basically creates a reverse shell payload with the local host IP address and local port on which it should connect, and stores it in a war file.

Switches used:

-p: Determine the payload that is to be used

-f: Determine the output file type

LHOST: IP where the victim machine should connect (Attacker’s IP address)

LPORT: Port on which the victim machine should connect (Where attacker would be listening)

Now, we can upload this war file through the application manager.

Once uploaded, we can access this file at <ip_address>:8080/shell. Note that before accessing the file, start a listener on the attacker machine using the command nc -nvlp 4444. And as soon as the file has been accessed we get a reverse shell on our attacker machine:

Now, we can move around and look for the user flag in the /home directory.

And there we get the user flag.

Privilege Escalation

The next task is to obtain the root flag. Also, in user jack’s directory, we can see an executable file id.sh. We can try to check what is its function as it appears to be a bit suspicious.

It appears that it read the id and writes it down to a file named test.txt. This text file is also present in jack's directory, so we can read it and get to know what user privilege this shell script is being executed.

The content of text.txt makes it clear that this script is being executed with root privileges. So, all we need to do is modify the content of id.sh to read the root flag and write it down to test.txt. This can be done using a simple echo command:

Now, as this is being run by a cronjob we must wait for some time and read the test.txt file to get out root flag.

Reference Links

  1. TryHackMe-Thompson: https://tryhackme.com/room/bsidesgtthompson
  2. Exploiting Tomcat Manager: https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/

Do check out my other work and write-ups at https://github.com/0xNirvana

Just another CyberSec Guy