TomGhost CTF (THM)

Scanning And Enumeration

—————————————————————————————————————————————

NMAP SCAN

—————————————————————————————————————————————

Using Nmap I found that there is no web server on the usual port 80, but there is one on port 8080, which is the Tomcat server.

Apache JServ (AJP) is running on port 8009.

A TCP service is listening on port 53.

An SSH service is listening on port 22.

—————————————————————————————————————————————

FINDING EXPLOIT

—————————————————————————————————————————————

I searched for Tomcat exploits and ran into many errors. Going through one of the write-ups I found a program called ajpShooter on GitHub.

I downloaded the program and ran it following the instructions in the GitHub repository.

—————————————————————————————————————————————

Using ajpShooter.py I found a username and password, probably for SSH.
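The AJP connector on port 8009 is what ajpShooter talked to in order to read a file out of the web application and recover those credentials. The fragment below is an added defensive example, not taken from this write-up or from the Tomcat project: a Tomcat server.xml connector definition that leaves AJP reachable from the network, beside a hardened version of the same connector. The attribute names (`address`, `secretRequired`, `secret`) are the real Tomcat AJP connector attributes; the secret value is a placeholder to be replaced.

```xml
<!-- Weak: AJP listens on every interface, any host on the network can open a
     connection, and no shared secret is required from the client. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: bind to loopback only and require the shared secret that the
     front-end reverse proxy (Apache httpd / mod_jk) is configured to send.
     REPLACE-WITH-LONG-RANDOM-SECRET is a placeholder. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-LONG-RANDOM-SECRET" />

<!-- Best: if nothing in front of Tomcat speaks AJP, remove the connector
     entirely (or leave it commented out, as recent Tomcat releases ship it). -->
```

Two checks follow from this box. First, from the network side, an Nmap hit on 8009 outside the proxy host is itself the finding; a host firewall rule that drops inbound 8009 from anything but the proxy catches a server.xml that was edited back to the weak form. Second, a file read through AJP exposes whatever sits under the web application directory, so credentials belong in a secrets store or environment, not in files the application serves from.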

—————————————————————————————————————————————

Logging in to SSH

—————————————————————————————————————————————

After logging in I found the two files shown below and downloaded them to my local machine.

—————————————————————————————————————————————

One of the files, 'credential.pgp', is encrypted, and the other, 'tryhackme.asc', contains the key used for the encryption.

Using 'gpg2john' I extracted the password hash for the key.

Using 'John' I cracked the hash.

—————————————————————————————————————————————

Then I imported the key with the 'gpg' command and decrypted the file.

—————————————————————————————————————————————

Finally I got the username and password for 'merlin'.

—————————————————————————————————————————————

Logging in with username 'merlin'

—————————————————————————————————————————————

After logging in over SSH I ran 'sudo -l' to look for an easy privesc.

—————————————————————————————————————————————

PRIVESC

—————————————————————————————————————————————

I found that the user 'merlin' can run the zip command as a superuser.

—————————————————————————————————————————————

Using GTFOBins I found the command to escalate privileges and finally got a root shell.
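The root shell here comes from one sudoers line: a non-root user allowed to run zip as root. The script below is an added example written for this write-up (not part of the original post, not a TryHackMe or GTFOBins tool) that audits sudo policy for exactly that pattern. It parses both /etc/sudoers-style rules and the entry lines of `sudo -l` output into one record per (user, run-as, command), then flags any command whose binary is in a small set of shell-escape-capable programs run as root. The sudoers text and `sudo -l` output are constructed samples; the binary set contains zip from this box plus a few well-known entries and is meant to be extended from GTFOBins' sudo category.

```python
import os
import re
from typing import Dict, List, Tuple

# Binaries that hand a root shell or a root-owned file write to anyone allowed to
# sudo them. 'zip' is the one from this box; the rest are a constructed starting
# set, to be extended from the GTFOBins "sudo" category.
SHELL_ESCAPE_BINARIES = {"zip", "vim", "find", "less"}

# Constructed /etc/sudoers sample (not taken from the target machine).
SAMPLE_SUDOERS = """\
Defaults        env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
deploy  ALL=(root) /usr/bin/systemctl restart tomcat9
backup  ALL=(root) NOPASSWD: /usr/bin/find, /usr/bin/du
"""

# Constructed `sudo -l` output in the shape the write-up inspected.
SAMPLE_SUDO_L = """\
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
"""

Rule = Dict[str, object]

# sudoers rule:  who  host=(runas[:group]) [NOPASSWD:] cmd[, cmd...]
SUDOERS_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# sudo -l entry line:  (runas[ : group]) [NOPASSWD:] cmd[, cmd...]
SUDO_L_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")


def _split_commands(cmds: str) -> Tuple[bool, List[str]]:
    """Separate the NOPASSWD tag from the comma-separated command list."""
    cmds = cmds.strip()
    nopasswd = cmds.startswith("NOPASSWD:")
    if nopasswd:
        cmds = cmds[len("NOPASSWD:"):]
    return nopasswd, [c.strip() for c in cmds.split(",") if c.strip()]


def _records(who: str, runas: str, cmds: str) -> List[Rule]:
    """Expand one rule into one record per command; run-as defaults to root."""
    nopasswd, commands = _split_commands(cmds)
    runas = (runas or "root").split(":")[0].strip()  # keep the user part only
    return [{"who": who, "runas": runas, "nopasswd": nopasswd, "command": c}
            for c in commands]


def parse_sudoers(text: str) -> List[Rule]:
    """Records from /etc/sudoers-style text; comments and Defaults are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if m:
            rules.extend(_records(m.group("who"), m.group("runas"), m.group("cmds")))
    return rules


def parse_sudo_l(user: str, text: str) -> List[Rule]:
    """The same records from the entry lines of `sudo -l` run by `user`."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        m = SUDO_L_RE.match(raw.strip())
        if m:
            rules.extend(_records(user, m.group("runas"), m.group("cmds")))
    return rules


def runs_as_root(runas: str) -> bool:
    """True when the target-user list includes root or ALL."""
    return any(u.strip() in ("root", "ALL") for u in runas.split(","))


def audit(rules: List[Rule]) -> List[Rule]:
    """Flag rules letting a non-root principal run a shell-escape binary as root."""
    findings: List[Rule] = []
    for r in rules:
        cmd = str(r["command"])
        # Unrestricted 'ALL' grants are a policy review item, not a hidden escape.
        if r["who"] == "root" or cmd == "ALL" or not runs_as_root(str(r["runas"])):
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append({**r, "reason": f"{binary} can spawn a shell or write files as root"})
    return findings


def audit_sudoers(text: str) -> List[Rule]:
    return audit(parse_sudoers(text))


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS) + audit(parse_sudo_l("merlin", SAMPLE_SUDO_L)):
        tag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"[{tag}] {f['who']} -> {f['command']}: {f['reason']}")
```

Run against the samples it reports merlin's zip rule and backup's find rule, both NOPASSWD, and stays quiet about the systemctl rule, because a fixed argument list to a non-escaping binary is the shape a sudo grant should have. The fix for the flagged lines is the same in every case: grant a wrapper script with fixed arguments, or a narrower tool, rather than the general-purpose binary.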

—————————————————————————————————————————————