tomghost
Type: #TryHackMe
Links: https://tryhackme.com/room/tomghost
This room will allow me to start completing the ‘Starter Series’ on TryHackMe, a series of beginner CTFs to assist with developing my penetration testing skills.
Starting the machine within TryHackMe, I opted to use the -sV flag with my nmap scan to enumerate the versions of the services running on the target machine. The scan enumerated port 22 (SSH, version 7.2p2), port 53, port 8009 (Apache JServ, AJP v1.3) and port 8080 (Apache Tomcat 9.0.30).
As good practice, I viewed the page source first; this did not present any findings. The site looks like it has been set up but not configured. I ran a gobuster scan in the background and, as the software versions were already enumerated, checked https://www.exploit-db.com for usable exploits.
Apache Tomcat - AJP ‘Ghostcat’ File Read/Inclusion (Metasploit) was found and can be used, as it matches the Tomcat version found on the misconfigured website.
I set RHOSTS to 10.10.116.211; the other options could be left at their defaults, as JServ was running on port 8009 and Tomcat was running on port 8080.
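The condition Ghostcat relies on is the one the nmap scan above revealed: an AJP/1.3 connector on 8009 reachable from the network and trusting every client, which is how Tomcat 9.0.30 shipped by default. The following is an added example (my own, not code from the writeup, TryHackMe or the Tomcat project) that audits a Tomcat server.xml for exactly that exposure. The two server.xml fragments are constructed samples; the `address`, `secretRequired` and `secret` connector attributes are real Tomcat settings, and the secret value is a placeholder.

```python
"""Check a Tomcat server.xml for the AJP connector exposure that Ghostcat
(CVE-2020-1938) abuses: an AJP connector listening beyond loopback and
not requiring a shared secret. Added example, not the writeup's own code."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: the AJP connector as Tomcat 9.0.30 shipped it (enabled,
# bound to every interface, no secret).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: the same connector bound to loopback and requiring a
# shared secret (the secret value is a placeholder, not a real value).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-LONG-RANDOM-SECRET" redirectPort="8443" />
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector that is network-reachable or unauthenticated."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1").lower()
        if "ajp" not in protocol:  # matches "AJP/1.3" and the Ajp*Protocol class names
            continue
        # No 'address' (or a non-loopback one) means the port is reachable from the network.
        exposed = conn.get("address") not in LOOPBACK
        # With secretRequired="false", or no secret at all, every client is trusted.
        unauthenticated = (conn.get("secretRequired", "true").lower() == "false"
                           or not conn.get("secret"))
        issues = []
        if exposed:
            issues.append("listens beyond loopback: no loopback 'address' attribute")
        if unauthenticated:
            issues.append("no shared secret enforced: AJP requests are not authenticated")
        if issues:
            findings.append({"port": conn.get("port", "?"), "exposed": exposed,
                             "unauthenticated": unauthenticated, "issues": issues})
    return findings


def is_ghostcat_exposed(server_xml):
    """True when some AJP connector is both reachable beyond loopback and unauthenticated."""
    return any(f["exposed"] and f["unauthenticated"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, is_ghostcat_exposed(xml), audit_ajp_connectors(xml))
```

The weak fragment is flagged on both counts; the hardened one is clean. Binding AJP to loopback and requiring a secret is the mitigation for a server that genuinely fronts Tomcat with an AJP reverse proxy; where nothing uses AJP, the better fix is to remove the connector entirely and upgrade past 9.0.30, which is the release that exposed this by default.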
These credentials can then be used to log in via SSH on port 22.
The first flag was found in the user merlin’s home directory. After this, I tried the privilege escalation attempts that had worked on previous machines.
Within the user’s directory were credential.pgp and tryhackme.asc; PGP is an encryption system and .asc is an ASCII-armored file format used by Pretty Good Privacy (PGP).
I transferred this file back to my host and used gpg2john to create a hash.
This hash can then be cracked using john and the rockyou.txt wordlist.
gpg --import tryhackme.asc can be used with the cracked password.
Afterwards, gpg --decrypt can be used to get merlin’s password.
Logging in as merlin, using sudo -l I can see that /usr/bin/zip can be run without a password.
Looking at zip on GTFOBins, root can be gained by making a temp folder, zipping it and then removing it from the file system.
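The sudo -l result above is the pattern a defender wants to catch before a box like this is built: a NOPASSWD rule on a binary whose GTFOBins entry shows it can spawn a shell. The following is an added example (my own, not code from the writeup or TryHackMe) that parses a sudoers file and flags such rules. The sudoers text is a constructed sample mirroring the writeup's merlin rule, the parser deliberately simplifies the sudoers grammar (aliases are not expanded, and tags before the first command apply to the whole rule), and the shell-capable binary list is a starter list to extend from GTFOBins.

```python
"""Flag sudo rules that hand a user a root shell via a shell-capable binary.
Added example, not the writeup's own code; sudoers grammar is simplified."""
import os
import re
import shlex

# Starter list of binaries whose GTFOBins 'sudo' entry breaks out to a shell.
# zip is the one from the writeup; extend from https://gtfobins.github.io/.
SHELL_CAPABLE = {"zip", "vim", "vi", "find", "less", "more", "awk", "python3", "perl"}

# user  host=(runas_user[:runas_group]) [TAG:...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")

# Constructed sample, mirroring the sudo -l result in the writeup.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
backup  ALL=(root) /usr/bin/vim /etc/backup.conf
"""

# Constructed sample with the two shell-capable grants removed.
HARDENED_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
"""


def parse_sudoers(text):
    """Return one dict per (user, command) pair in a sudoers file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        spec = m.group("spec")
        tags = set()
        while (t := TAG_RE.match(spec)):  # NOPASSWD:, SETENV:, ...
            tags.add(t.group(1))
            spec = spec[t.end():]
        runas = (m.group("runas") or "root").split(":")[0].strip()
        for cmd in (c.strip() for c in spec.split(",") if c.strip()):
            rules.append({"user": m.group("user"), "runas": runas,
                          "nopasswd": "NOPASSWD" in tags, "command": cmd})
    return rules


def risky_rules(text):
    """Rules that let a user reach root through ALL (without a password) or a
    shell-capable binary; severity is high when no password is needed."""
    findings = []
    for r in parse_sudoers(text):
        if r["runas"] not in ("ALL", "root"):
            continue
        cmd = r["command"]
        binary = "ALL" if cmd == "ALL" else os.path.basename(shlex.split(cmd)[0])
        if binary == "ALL":
            if not r["nopasswd"]:
                continue  # a normal admin grant; only passwordless ALL is flagged
            issue = "unrestricted root without a password"
        elif binary in SHELL_CAPABLE:
            issue = f"{binary} can spawn a shell as root (see its GTFOBins sudo entry)"
        else:
            continue
        findings.append({"user": r["user"], "command": cmd, "issue": issue,
                         "severity": "high" if r["nopasswd"] else "medium"})
    return findings


if __name__ == "__main__":
    for f in risky_rules(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['user']}: {f['command']} -> {f['issue']}")
```

Against the sample, merlin's zip rule is reported as high and the password-protected vim rule as medium, since a fixed argument does not stop vim from opening a shell; the hardened sample produces no findings. The fix on the real box is not to tighten the zip arguments but to drop the grant: sudo rights belong on purpose-built, non-interactive commands such as the systemctl example, not on general-purpose tools.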
The last flag is found within the /root directory.
This CTF was initially easy to exploit using CVE-2020-1938. I found gpg harder to use initially, as I had never used it before, but privilege escalation using merlin’s account was easier as I am learning more about SUIDs and basic privilege escalation from previous boxes.