Step 1: Connect to TryHackMe and start the target machine.
1. Download the OpenVPN configuration file from the TryHackMe platform.
2. Connect to TryHackMe by running this command in a Kali terminal:
sudo openvpn /pathtoOVPNfile.ovpn
3. Start the machine in the ‘thompson’ room; the target IP address will be displayed in a minute.
Step 2: Information gathering using Nmap
1. Start an nmap scan of the target IP:
nmap -A -O <target ip>
Step 3: Detailed Findings
Open Ports:
22: ssh
8009: ajp13
8080: http Apache Tomcat 8.5.5
1. Access port 8080.
2. While exploring at random, I clicked on the ‘Host Manager’ link; the initial login credentials are displayed.
3. Click on the ‘Manager App’ button and enter the credentials found above.
4. Upload the PHP reverse shell, with the Kali IP updated in the file and the extension changed to .war, under the ‘WAR file to deploy’ section.
5. Click on the uploaded ‘test.war’ file, start a netcat listener on Kali and get the shell:
nc -nlvp 1234
6. Found user.txt. Checking the crontab shows that ‘bash id.sh’ is set to run every minute, so changes made to this file will be reflected on the next run:
cat /etc/crontab
7. Make changes to id.sh and wait for some time for the changes to take effect:
echo "cp /root/root.txt /home/jack/root.txt" > id.sh
cat /root/root.txt > test.txt
Found the root flag.
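From the defender's side, steps 6 and 7 work because a scheduled job runs a script that a lower-privileged user can modify. The audit below is an added example, not part of the original walkthrough: it assumes the job runs as root and is listed in /etc/crontab, and the function names are hypothetical.

```python
import os
import shlex
import stat

def cron_entries(text):
    """Yield (user, command) pairs from /etc/crontab-format text."""
    for line in text.splitlines():
        fields = line.strip().split(None, 6)
        # Need: min hour dom mon dow user command. Skips blanks, comments, VAR=value.
        if len(fields) == 7 and not fields[0].startswith("#"):
            yield fields[5], fields[6]

def referenced_files(command):
    """Yield existing files named in the command, following a `cd DIR` prefix."""
    cwd = "/"
    tokens = shlex.split(command.replace("&&", " && ").replace(";", " ; "))
    for prev, tok in zip([""] + tokens, tokens):
        if prev == "cd":
            cwd = os.path.join(cwd, tok)
        path = os.path.normpath(os.path.join(cwd, tok))
        if os.path.isfile(path):
            yield path

def weak_reasons(path, trusted_uids=(0,)):
    """List why someone outside trusted_uids could change what `path` runs."""
    reasons = []
    for target in (path, os.path.dirname(path)):
        st = os.stat(target)
        # A sticky directory (such as /tmp) stops others replacing files in it.
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if st.st_uid not in trusted_uids:
            reasons.append(f"{target} owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
            reasons.append(f"{target} group/world-writable")
    return reasons

def audit(crontab_text, trusted_uids=(0,)):
    """Return (script, reason) for every weak file a root cron job runs."""
    findings = []
    for user, command in cron_entries(crontab_text):
        if user == "root":
            for path in referenced_files(command):
                findings += [(path, r) for r in weak_reasons(path, trusted_uids)]
    return findings

if __name__ == "__main__":
    with open("/etc/crontab") as fh:  # the file read in step 6
        for script, reason in audit(fh.read()):
            print(f"{script}: {reason}")
```

Any finding means the script, or the directory holding it, should be owned by root and not writable by other users, or the job should be moved to a root-owned location.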
With these steps, I was able to find both the user.txt and root.txt flags required to complete the Thompson room on TryHackMe.
Thank you for reading this blog.