Thompson[THM]: Writeup

A write up covering steps taken to solve Beginner level CTF : Thompson room in TryHackMe platform.

This blog is written as part of task of Masters Certification in Red Team Program from HackerU.

Step 1 : Connect to TryHackMe and start target machine.

  1. Download OpenVPN configuration setting from TryHackMe platform
  2. Connect to TryHackMe by running the command in kali terminal:

sudo openvpn /pathtoOVPNfile.ovpn

3. Start machine in ‘thompson’ room — target ip address will be displayed in a minute.

https://tryhackme.com/room/bsidesgtthompson

Step 2 : Information gathering using Nmap

  1. Start nmap scan of the target ip:

nmap -A -O <target ip>

Step 3: Detailed Findings

Open Ports:

22 : ssh

8009: ajp13

8080: http Apache Tomcat 8.5.5

  1. Accessing port 8080
port 8080

2. With random exploration, Clicked on ‘Host Manager’ link, initial login credentials are displayed

3. Click on ‘Manager App’ button and enter above found credentials.

4. Upload php reverse shell under ‘WAR file is deploy’ sectionwith extension .war updated with kali ip in the file.

test.war uploaded

5. Click on uploaded ‘test.war’ file, Start netcat listener on kali and get the shell

nc -nlvp 1234

6. Found user.txt, checking for crontab permission > bash id.sh has permission for running every minute, changes made in this file will be reflected

user.txt

cat /etc/crontab

7. Make changes to id.sh and wait for sometime for changes to reflect

echo “cp /root/root/txt /home/jack/root.txt”> id.sh

cat /root/root.txt > test.txt

found root flag

root flag!

With these steps, I was able to find both user.txt and root.txt flags required to complete Thompson room on TryHackMe.

Thank you for reading this blog..

Software Tester