Introduction
TryHackMe: Thompson was first released for the FIT and bsides Guatemala CTF. To get right into it, Thompson’s server is running a default installation of Tomcat, with default administrator credentials. We gain initial access to the web server by uploading a malicious war file. Then misuse file permissions to read protected files.
Information Gathering
In a CTF-like fashion, there is no prior information about this engagement. The goal of this room is to find, get access, and read the user.txt and root.txt flags.
The Nmap scan indicates that there are three ports open. The services running are SSH, Apache Jserver, and Apache Tomcat.
By opening the browser, we navigate the website hosting Tomcat on port 8080. This is a default installation of Apache Tomcat version 8.5.5. Tomcat is an open-source Java web application server.
Have a look around on the Apache Tomcat dashboard. The Server Status displays general server information, system resources, and service status. Manager App provides basic functionality to deploy web apps. The Host Manager’s purpose is to deploy, configure, and manage virtual hosts. You can access these services by using Tomcat’s default credentials, tomcat:s3cret.
Exploitation
Welcome to the Tomcat Web Application Manager for all your web app needs.
The file type we use to deploy a web app is a war file. War stands for Web Application Resource and it is used to package web applications that we can deploy on any Servlet/JSP container.
Using the payload above, we can craft a malicious war file named shell3.war. This is a reverse TCP shell, meaning we can upload the file and have it connect back to our attacking machine. msfvenom is a repository of payloads that can be crafted into many extensible files.
Run Metasploit’s multi-handler module and launch the malicious payload by opening it on your web browser. The shell will connect to our machine, and we now have access to the victim server.
Post Exploitation
Let’s get our bearing now that we are on the machine. We can see that we are the tomcat user of the system and in the root directory. The user.txt file lives in Jack’s home directory, and we have permission to read the file.
Looking at the rest of the contents in Jack’s home directory, we see a file named id.sh. The purpose of this file is to execute the id command and output it into the test.txt file.
Let’s take a look closer at the highlight portion above. We can see that the file’s permissions allow anyone to read, write, and execute this file. Meaning that we can potentially change the contents of the file.
With the following bash command, we can change the contents of the id.sh file without changing any of the permissions or ownership of the file.
echo "cat /root/root.txt > test.txt" > id.sh
Finally, we can cat out the test.txt file and find the root.txt file contents inside of it!
Conclusion
To conclude, TryHackMe: Thompson presented a nice challenge for FIT and bsides Guatemala CTFs. In my experience, gaining initial access to Tomcat’s system was trivial but I enjoyed misusing file permissions to read protected files. Running web applications like Tomcat with default credentials is asking for your system to get owned!
