Introduction
boot2root machine for FIT and bsides guatemala CTF
This is Thompson from THM. It’s the last one of the BSides Guatemala boxes. This one took me 13 minutes. I’m on a roll.
Ports
SSH and an HTTP proxy on port 8080. We’ve got a picture of Tomcat, so it’s probably that, yes?
8080
So, let’s try some default credentials for the manager app:
tomcat:tomcat - no
tomcat:s3cret - yes
That was easy. Okay, so now we need a WAR file:
We are on.
Privesc
Let’s look around:
Okay, so we have one user with a shell script that we can’t run but which appears to have been run by root. Hmmm. Let’s check the crontab:
So there it is; a cron job running as root and executing our shell script. We’ll append some code for a reverse shell and start a new listener:
Great, let’s check our listener:
And another one done.
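
From the defender's side, the privesc above comes down to a root cron job executing a file that a non-root account can modify, and that can be audited for directly. The script below is an added example, not part of the original write-up; the function names, the `job.sh`/`ok.sh` files and the sample crontab are constructed, and it assumes the system crontab layout (with a user column).

```shell
#!/bin/sh
# Added example (not from the original write-up): flag root cron entries that
# run files a non-root account could modify.
# Usage: audit_root_cron CRONTAB_FILE [TRUSTED_OWNER]  (name or uid, default root)
# Expects the system crontab layout: min hour dom mon dow user command...

# True when the path is group/world-writable or not owned by the trusted account.
is_tamperable() {
    [ -n "$(find -L "$1" -prune \( -perm -020 -o -perm -002 -o ! -user "$2" \) -print 2>/dev/null)" ]
}

audit_root_cron() {
    owner=${2:-root}
    # Keep schedule lines run as root; emit each word of the command.
    awk 'NF >= 7 && $1 !~ /^#/ && $6 == "root" { for (i = 7; i <= NF; i++) print $i }' "$1" |
    while read -r word; do
        case $word in /*) ;; *) continue ;; esac   # absolute paths only
        [ -e "$word" ] || continue
        if is_tamperable "$word" "$owner"; then
            echo "RISKY $word"
        elif is_tamperable "$(dirname "$word")" "$owner"; then
            echo "RISKY $word (parent directory modifiable)"
        fi
    done
}

# Constructed sample: one world-writable script and one locked-down script,
# both scheduled as root. The current uid stands in for root so this runs unprivileged.
run_constructed_sample() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nid\n' > "$d/job.sh";  chmod 777 "$d/job.sh"
    printf '#!/bin/sh\ntrue\n' > "$d/ok.sh"; chmod 755 "$d/ok.sh"
    printf '%s\n' '# constructed crontab' 'SHELL=/bin/sh' \
        "* * * * * root $d/job.sh" "17 * * * * root $d/ok.sh" > "$d/crontab"
    audit_root_cron "$d/crontab" "$(id -u)" | sed "s|$d/||"
    rm -rf "$d"
}
```

On a real host, run `audit_root_cron /etc/crontab` as root; commands that use relative paths after a `cd` are only caught through the directory they change into.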