Tomghost - TryHackMe Writeup
The link for this lab is located here: https://tryhackme.com/room/tomghost
Admin's Note: This room contains inappropriate content in the form of a username that contains a swear word and should be noted for an educational setting. - Dark
Full Walkthrough
The first thing we can do is run an Nmap scan to identify any open ports with the following parameters:
-p- for all ports
10.10.79.168 for the target IP
-oN allports.scan to output in Nmap format
This reveals 4 ports being open - SSH, DNS, ajp13 and http-proxy. To gather more information, we can run a more detailed scan on the open ports that were found.
This reveals that Apache JServ (AJP) is running on port 8009 and Apache Tomcat 9.0.30 is running on port 8080, which indicates a web page.
With this information, we can first try navigating to port 8080 and see what’s on the webpage.
It just seems to be the default Apache Tomcat web page. From here, we can check whether we have access to things like the Manager App or Host Manager, because if we do, this becomes trivial.
Unfortunately, we get a 403 Access Denied when we try to click on either of them.
The next thing we can do is try and find any exploit for the Tomcat version currently being run - Apache Tomcat 9.0.30.
This returns a couple of results pertaining to something titled “Ghostcat” - keep this in our back pocket.
Additionally, Apache JServ was also running on port 8009 - we can try googling for any exploit relating to that service as well to make sure.
Again, we get results relating to Ghostcat - this seems like the way in. Clicking on some of these articles (e.g. the Qualys.com result), we can see that this vulnerability affects various Tomcat versions including 9.0.30 - our version!
Additionally, we find several Exploit-DB links relating to Ghostcat, including a file read/inclusion exploit available both as a Metasploit module and as a standalone script.
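The root cause Ghostcat relies on is an AJP connector that is reachable from outside the host and accepts requests without any shared secret. The following server.xml fragment is an added example from the editor, not part of the original writeup or the lab, showing the weak connector beside a hardened one; the secret value is a placeholder you must replace.

```xml
<!-- Weak: the AJP connector listens on every interface and requires no
     shared secret, which is how Tomcat 9.0.30 shipped by default. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: bind AJP to loopback so only a reverse proxy on the same host
     can reach it, and require a secret that the proxy must present.
     secretRequired defaults to true from Tomcat 9.0.31 onwards; the secret
     below is a placeholder, not a real value. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE_WITH_A_LONG_RANDOM_SECRET" />
```

If no reverse proxy actually speaks AJP to this Tomcat instance, the simplest fix is to comment the connector out entirely so that port 8009 is not listening at all; a quick `ss -lntp` on the host afterwards confirms that only 8080 (or whatever the HTTP connector uses) remains open.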
With this information, we can try it without using Metasploit. First, we download the Python script locally and rename it “ghostcat.py”
Once downloaded, we can try running it through Python 2 and list out the parameters needed to run it via the "--help" option.
Here, we can see that we have to provide the IP, the port and the file with the example being WEB-INF/web.xml - this is also present in the source code if you read it.
After running it, we can see that it works and we are able to read that file. However, more interestingly, that file contains what appears to be credentials for someone called skyfuck.
Remembering back to the Nmap scan, we can try to SSH in using these found credentials.
It works! Once we are in, we can try getting some easy wins. An important thing to check is the BASH history.
Here, we can see that this user was downloading an ASC and PGP file. Next, we can check the sudo permissions - we don’t have any.
From here, we can list the contents of the current directory and see those 2 files that were downloaded - ASC and PGP files.
Seeing these files, we can copy them to our local attacker machine using SCP.
Then, we can perform research on what these files are.
The ASC file appears to be a PGP key used for encrypting email or other data.
Doing some more research, it seems that we can decrypt files using GPG, and we find many articles and videos relating to cracking ASC files.
The following image is a forum post that explains how we can crack these files using John the Ripper.
Knowing this, we can try and crack this file. First, we use gpg2john to output it into a file called crackme.gpg. Then, we can cat out the contents of that file.
Then, we can use John the Ripper with rockyou.txt to attempt to crack the password.
It works and we get the password revealed as "alexandru". With this cracked password, we can then import the ASC file into GPG and decrypt the credential.pgp file using the password we just found.
This reveals credentials for a user called merlin and his password. With these credentials, we can try to SSH in using merlin’s account.
Once again, we get a successful SSH shell as merlin. From here, we try and find easy wins.
Bingo! We find that merlin has sudo permissions to run /usr/bin/zip without a password.
Time to call on our best friend - GTFOBins.
GTFOBins tells us that zip does not drop the elevated privileges and can be used to escalate privileges.
We can try running the recommended commands.
Once run, we get a root shell! With this new privilege, we can cat out the contents of root.txt and finish this room.
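The final escalation worked only because a NOPASSWD sudo rule pointed at a binary that GTFOBins lists as able to spawn a shell. The script below is an added example from the editor, not from the original writeup or the lab, showing how an administrator can audit a sudoers file for such rules; the sudoers content and the list of shell-escape binaries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sudoers text for NOPASSWD rules that grant a binary
# known to offer a shell escape. The sample below is constructed, not the
# lab machine's real sudoers file.
SAMPLE_SUDOERS='# constructed sample for illustration
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart tomcat9
backup  ALL=(root) /usr/bin/rsync'

# Constructed subset of binaries GTFOBins documents as sudo shell escapes.
ESCAPE_BINS='zip vim less find awk python perl tar'

# Print every non-comment line that grants passwordless sudo.
find_nopasswd_rules() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep 'NOPASSWD:'
}

# Count the NOPASSWD rules in the given sudoers text.
count_nopasswd_rules() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -c 'NOPASSWD:'
}

# Count how many NOPASSWD rules hand out a binary from ESCAPE_BINS.
# The path may be absolute (/usr/bin/zip) or bare (zip), so match the
# basename preceded by a slash or whitespace and followed by whitespace or EOL.
count_risky_rules() {
    rules=$(find_nopasswd_rules "$1")
    n=0
    for bin in $ESCAPE_BINS; do
        if printf '%s\n' "$rules" | grep -Eq "NOPASSWD:.*(/|[[:space:]])$bin([[:space:]]|$)"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Stand-alone run: report the findings for the constructed sample.
if [ "${AUDIT_DEMO:-1}" = "1" ]; then
    echo "NOPASSWD rules found: $(count_nopasswd_rules "$SAMPLE_SUDOERS")"
    echo "Rules granting a shell-escape binary: $(count_risky_rules "$SAMPLE_SUDOERS")"
    find_nopasswd_rules "$SAMPLE_SUDOERS"
fi
```

On a real host you would feed it the output of `visudo -c -f /etc/sudoers` or the files under /etc/sudoers.d instead of the constructed string. The remediation is the same in every case: drop the NOPASSWD rule or replace the raw binary with a wrapper script that performs only the specific task the user needs.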