TomGhost CTF (THM)
Scanning And Enumeration
—————————————————————————————————————————————
NMAP SCAN
—————————————————————————————————————————————
Using Nmap I found that there is no web server on the usual port 80, but there is one on port 8080, which is the Tomcat server.
It also has Apache JServ Protocol (AJP) running on port 8009.
A TCP service on port 53.
An SSH service on port 22.
—————————————————————————————————————————————
FINDING EXPLOIT
—————————————————————————————————————————————
I searched for Tomcat exploits and ran into many errors. Going through one of the write-ups, I found that there is a program called ajpShooter on GitHub.
I downloaded the program and ran it following the instructions in its GitHub repository.
—————————————————————————————————————————————
Using ajpShooter.py I found a username and password, probably for SSH.
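The AJP step above works because the connector on port 8009 is reachable from the network and accepts connections without a shared secret. As an added example (not part of the original writeup), this Python script parses a Tomcat server.xml and flags AJP connectors that are not bound to loopback or have no secret configured; the two server.xml snippets are constructed samples and the secret value is a placeholder.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: the classic AJP connector with no address binding and no
# shared secret, which any host that can reach port 8009 may talk to.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: same connector bound to loopback and protected by a
# shared secret (placeholder value; use a long random secret in practice).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/>
  </Service>
</Server>"""

def audit_ajp_connectors(server_xml):
    """Return [(port, [findings])] for every AJP connector in a server.xml string."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue  # plain HTTP connectors are not the concern here
        findings = []
        address = conn.get("address")  # None means no explicit binding
        if address not in LOOPBACK:
            findings.append("bound to %s rather than loopback"
                            % (address or "all interfaces (no address attribute)"))
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append('secretRequired="false" disables the AJP shared secret')
        elif not conn.get("secret"):
            findings.append("no AJP shared secret configured")
        results.append((conn.get("port", "?"), findings))
    return results

def is_ajp_hardened(server_xml):
    """True when every AJP connector is loopback-only and secret-protected."""
    return all(not findings for _, findings in audit_ajp_connectors(server_xml))

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for port, findings in audit_ajp_connectors(xml):
            print(label, "AJP port", port, "->", findings or ["OK"])
```

If the AJP connector is not needed at all (no reverse proxy in front of Tomcat), removing it from server.xml is simpler than hardening it.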
—————————————————————————————————————————————
Logging into SSH
—————————————————————————————————————————————
After logging in I found the two files shown below and downloaded them to my local machine.
—————————————————————————————————————————————
One of the files, 'credential.pgp', is encrypted, and the other file, 'tryhackme.asc', contains the PGP key for it.
Using 'gpg2john' I got the password hash for the key.
Using 'John' I cracked the hash.
—————————————————————————————————————————————
Then I imported the key with the 'gpg' command and decrypted the file.
—————————————————————————————————————————————
Finally I got the username and password for 'merlin'.
—————————————————————————————————————————————
Logging in with username Merlin
—————————————————————————————————————————————
After logging in over SSH I ran 'sudo -l' to look for an easy privesc.
—————————————————————————————————————————————
PRIVESC
—————————————————————————————————————————————
I found that the user 'merlin' can run the zip command as a superuser.
—————————————————————————————————————————————
Using GTFOBins I found the command to escalate privileges and finally got a root shell.
—————————————————————————————————————————————