Tomghost
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).
Detailed Nmap Scan:
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 22,53,8009,8080
(-oN nmap): Saving the output in "normal" format to a file called nmap
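The -oN file written above is plain text, so it is easy to post-process. As an added example (not part of the original writeup), here is a small Python parser for nmap's normal output that lists the open ports and flags services which should never be reachable from the network, such as ajp13. The scan text is constructed to resemble the scan described here; the host address, version strings and timings are illustrative, not the real scan results.

```python
import re

# Constructed sample of nmap "normal" (-oN) output, modelled on the scan
# in the writeup. Address, versions and timings are illustrative only.
SAMPLE_NMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -sC -Pn -p 22,53,8009,8080 -oN nmap 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
8080/tcp open  http    Apache Tomcat 9.0.30
| http-title: Apache Tomcat/9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

# One port line looks like: "8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)"
# The version column is optional (e.g. "53/tcp   open  tcpwrapped").
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap_normal(text):
    """Return one dict per port line found in nmap -oN output."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # headers, script output and comments are skipped
        port, proto, state, service, version = m.groups()
        results.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": version.strip(),
        })
    return results

# Services a defender would not expect to see open on an external interface.
# AJP is the back-channel between a front web server and Tomcat; it belongs
# on loopback or a private management network, not on the scanned interface.
INTERNAL_ONLY = {"ajp13"}

def exposed_internal_services(entries):
    """Filter parsed entries down to open ports running internal-only services."""
    return [e for e in entries
            if e["state"] == "open" and e["service"] in INTERNAL_ONLY]

if __name__ == "__main__":
    entries = parse_nmap_normal(SAMPLE_NMAP)
    for e in entries:
        print(f"{e['port']}/{e['proto']:<4} {e['service']:<12} {e['version']}")
    for e in exposed_internal_services(entries):
        print(f"WARNING: {e['service']} exposed on port {e['port']}")
```

Running the script on a real -oN file (read it and pass the text to parse_nmap_normal) gives the same table as the scan itself, plus a warning for every internal-only service that is reachable from the scanning host.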
Enumeration
Let's visit the web server on port 8080.
It's the Apache Tomcat/9.0.30 default service page; we can't find anything interesting on it.
Let's look at the service running on port 8009, which is ajp13, a binary protocol that allows reverse proxying of requests from a web server to an application server. Let's look for exploits on this service.
The second exploit in this list is just what we are looking for, so let's read the exploit and see how to use it. To do this we need to copy the exploit to our directory.
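The reason port 8009 is interesting is a configuration issue: an AJP connector that listens on every interface with no shared secret trusts whatever connects to it. As an added example (not part of the original writeup), the Python audit below parses a Tomcat server.xml and reports AJP connectors that are not bound to loopback or have no secret configured. The two server.xml fragments are constructed: the first resembles the pre-9.0.31 default, the second the hardened form. The attributes address, secret and secretRequired are real Tomcat AJP connector attributes; the secret value shown is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment resembling the pre-9.0.31 Tomcat default:
# the AJP connector is enabled, bound to all interfaces and has no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed hardened fragment: loopback only, shared secret required.
# The secret value is a placeholder, not a real credential.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET"
               redirectPort="8443"/>
  </Service>
</Server>"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}

def audit_ajp_connectors(server_xml):
    """Return a list of {"port", "issues"} dicts, one per AJP connector with findings."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # only AJP connectors are in scope
        issues = []
        # Without an explicit loopback address the connector accepts
        # connections from any interface the host has.
        if conn.get("address") not in LOOPBACK_ADDRESSES:
            issues.append("AJP connector not bound to a loopback address")
        # A missing secret means any client that can reach the port is trusted.
        if not conn.get("secret"):
            issues.append("no AJP shared secret configured")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired explicitly disabled")
        if issues:
            findings.append({"port": conn.get("port", "?"), "issues": issues})
    return findings

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        result = audit_ajp_connectors(xml)
        print(f"{label}: {result if result else 'no findings'}")
```

To audit a live instance, read $CATALINA_HOME/conf/server.xml and pass its contents to audit_ajp_connectors; an empty list means every AJP connector is loopback-bound and secret-protected, which is the same posture Tomcat 9.0.31 and later adopt by default.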
Exploitation
Looking at the exploit, it looks like we just need to run it against the IP of the target machine.
And we found credentials; we can use these to log in over SSH.
We can read the user file, which can be found with this command.
Privilege Escalation
Looking in the current directory, there are two files.
One is credential.pgp, which is an encrypted PGP (Pretty Good Privacy) file. The other is tryhackme.asc, which is an ASCII-armoured key file.
First we need to import the .asc file and then decrypt the credential.pgp file.
It looks like we need a password, so let's first copy this file to our machine and then crack the password using John the Ripper.
Next we need to extract the hash using gpg2john and then crack it using john.
After cracking it you get the password alexandru
Now you can decrypt the pgp file.
We found credentials for another user, so let's switch users to merlin.
Let's run sudo -l to see what we can run as root.
Looks like we can run /usr/bin/zip, so let's go to GTFOBins and look for the commands to escalate privileges to root.
Once we run these commands we get root.
We are now root, so we can read root.txt and answer the last question of this room.