Thompson – Try Hack Me

This is considered an easy room. Anyone getting into pentesting will learn how to create a shell with msfvenom and how to leverage a file with wrong permissions to read the root flag.

Let’s start with an Nmap scan:

We notice that Apache Tomcat is running on port 8080. Let’s access it.

The first thing I checked was whether default credentials work. So I clicked Manager App and used the user tomcat with the password s3cret, and to my surprise, I managed to log in.
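As an added example that is not part of this write-up: a small Python audit that flags Tomcat Manager accounts in tomcat-users.xml that still carry a well-known default password (such as the tomcat / s3cret pair used above) or a very short one. The file layout follows Tomcat's tomcat-users.xml; the sample file embedded below is constructed for the demonstration.

```python
# Added example: audit a Tomcat tomcat-users.xml for Manager App accounts
# that still use well-known default or weak credentials.
import xml.etree.ElementTree as ET

# Well-known default credential pairs; "tomcat"/"s3cret" is the pair from the write-up.
WEAK_CREDENTIALS = {
    ("tomcat", "s3cret"),
    ("tomcat", "tomcat"),
    ("admin", "admin"),
    ("admin", ""),
}

# Tomcat roles that grant access to the Manager/Host Manager interfaces (WAR deployment).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status", "admin-gui"}

# Constructed sample tomcat-users.xml (the default namespace matches Tomcat 8+ files).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Lq8!vR2#pXz9wTm4" roles="manager-script"/>
  <user username="viewer" password="x" roles="manager-status"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text: str, min_length: int = 12) -> list[dict]:
    """Return one finding per user that has a manager role and a weak password."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # Strip any namespace prefix so both namespaced and plain files are handled.
        if elem.tag.split("}")[-1] != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""  # "name" is the legacy attribute
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        granted = sorted(roles & MANAGER_ROLES)
        if not granted:
            continue  # no Manager access, so not in scope for this check
        if (name, password) in WEAK_CREDENTIALS:
            findings.append({"user": name, "roles": granted, "reason": "well-known default credentials"})
        elif len(password) < min_length:
            findings.append({"user": name, "roles": granted, "reason": "short password"})
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{finding['user']}: {finding['reason']} (roles: {', '.join(finding['roles'])})")
```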

Since we are logged in, we can create a .WAR payload with msfvenom and get a reverse connection.

Before uploading the shell, let’s set up a Metasploit listener.

Now it’s time to upload the shell and get the reverse connection. Access the web manager, upload the .WAR shell, and click on it.

And boom, here is the reverse connection. Interact with the Metasploit session and access the home directory of the user jack. There’s the user flag.

I noticed that there is a bash script owned by the user jack. Reading it, I saw that it writes the output of the id command to test.txt. We can leverage that to read the root flag.

How to do that? Well… we’ll echo a command to read the root flag into the script.

Before executing the bash script, spawn a TTY shell. I used Python for that.

This is it, there’s the root flag. As I said, it is an easy vulnerable machine. Hope you learned something.