Through The Looking Glass
Author
Shirish Ranjan
A padawan in the ways of red teaming and blogging with the goal of mastering techniques in hacking into anything this world has to offer
Thompson

We are going to solve the room named Thompson on the TryHackMe website.

Getting into the Machine

After deploying the target machine in the TryHackMe room, the first step is to perform an nmap scan to check which ports are open and which services are running on them. Port 8080 is open, so let's check it out to get more details on the server running there.

The Apache Tomcat 8.5.5 service web page shows up, so the service is running. Let's try to open the Manager App by selecting the option on the right. Directory busting with gobuster just yields the same results as the options present on this page.

The Manager App's credentials are necessary because the exploit we are going to use requires them. It is known as the WAR Backdoor, and its details are present in this link: CVE-2017-12617.

The Manager App asks for the proper credentials to access that part of the service. Let's see if we can find the credentials using the nikto scanner. We can also enter random credentials; after we do that and close the manager login tab, we are redirected to a page which contains those credentials.

Now that we have found the default credentials to the Manager App, let's try logging in. Once we log in, we are directed to the Tomcat Web Application Manager page. This is where we will perform the exploit by uploading the WAR file.

Before uploading, we need to generate the file. Using msfvenom, we will generate a reverse shell; you just need to assign your IP address to LHOST. Once the file is generated, start a listener in a separate terminal on your machine using netcat, on the port that you entered when generating the reverse shell.

Now upload the WAR file that was created using msfvenom and deploy it by entering the file's name after the website's URL, which will give us the reverse shell.

Now that we have access to the machine, let's find the user.txt file, which has the user's flag. The only user present in the home directory is Jack. Inside this directory we can find the user.txt file.
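The same sequence seen from the defender's side, as an added example that is not part of the original post: a small Python detector that reads Tomcat access-log lines and flags a WAR deployment through the Manager App, the failed logins that preceded it, and the first request to a context that is not in the baseline. The log lines, addresses, the `admin` user and the `/reports` context are constructed, and the format is assumed to be Tomcat's common access-log pattern.

```python
import re
from collections import defaultdict

# Constructed sample in Tomcat's common access-log pattern: %h %l %u %t "%r" %s %b
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 11215
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - admin [01/Jan/2024:10:00:31 +0000] "GET /manager/html HTTP/1.1" 200 17654
10.0.0.5 - admin [01/Jan/2024:10:02:10 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 19870
10.0.0.5 - - [01/Jan/2024:10:02:20 +0000] "GET /reports/ HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2024:10:03:00 +0000] "GET /docs/ HTTP/1.1" 200 1500
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Manager endpoints that accept a WAR: HTML form upload and the text interface.
DEPLOY = re.compile(r'^/manager/(html/upload|text/deploy)\b')
# Baseline: the web applications a stock Tomcat install ships with.
BASELINE = {'/', '/docs', '/examples', '/manager', '/host-manager'}

def context_of(path):
    """Return the first path segment, which Tomcat maps to an application context."""
    return '/' + path.split('?', 1)[0].strip('/').split('/', 1)[0]

def find_alerts(log_text, baseline=BASELINE):
    alerts, known, failed = [], set(baseline), defaultdict(int)
    deploy_seen = False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, user, method, path, status = m.group('ip', 'user', 'method', 'path', 'status')
        ctx = context_of(path)
        if ctx == '/manager' and status == '401':
            failed[ip] += 1  # rejected Manager login, counted per source
        elif DEPLOY.match(path) and method in ('POST', 'PUT') and status == '200':
            deploy_seen = True
            alerts.append(('war_deploy', ip, user, failed[ip]))
        elif deploy_seen and status == '200' and ctx not in known:
            alerts.append(('new_context_after_deploy', ip, ctx))
        known.add(ctx)
    return alerts

if __name__ == '__main__':
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

On a real server, replace `BASELINE` with the contexts you actually deploy, so that only unexpected applications raise the second alert.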