TomGhost CTF (THM)
Scanning And Enumeration
NMAP SCAN
Using Nmap I found that there is no web server on the usual port 80, but there is one on port 8080, which is the Tomcat server.
Apache JServ Protocol (AJP) is running on port 8009.
A TCP service is listening on port 53.
An SSH service is running on port 22.
FINDING EXPLOIT
I searched for Tomcat exploits and ran into many errors. Going through one of the write-ups I found that there is a program called ajpShooter on GitHub.
I downloaded the program and ran it following the instructions in the GitHub repository.
Using ajpShooter.py I found a username and password, probably for SSH.
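The finding above comes down to an AJP connector on port 8009 that is reachable from outside the host. The following is an added, defender-side example written for this write-up; it is not part of the original page and not related to ajpShooter. It audits a Tomcat server.xml for AJP connectors that are not restricted to loopback and have no shared secret configured, and prints a hardened replacement. The sample server.xml is constructed, and the secret value in the replacement is a placeholder.

```python
"""Audit a Tomcat server.xml for an AJP connector that is reachable from the
network. Added defender-side example for this write-up (not the page's code).
The sample server.xml below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample resembling a default Tomcat configuration with the AJP
# connector uncommented and neither an address restriction nor a secret.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str):
    """Return one finding per AJP connector: a dict with the connector port and
    a list of problems. An empty list means no AJP connector is defined, which
    is the safest state when AJP is not used at all."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        problems = []
        # Without an address attribute Tomcat binds the connector to all
        # interfaces, so any host that can reach port 8009 can speak AJP.
        address = conn.get("address")
        if address is None or address.strip() not in LOOPBACK:
            problems.append("AJP connector not restricted to loopback (address=%r)" % address)
        # Tomcat supports a shared secret for AJP (secretRequired/secret).
        # Older releases default secretRequired to false, so treat anything
        # not explicitly enabled in the file as a finding.
        if conn.get("secretRequired", "false").lower() != "true" or not conn.get("secret"):
            problems.append("no AJP shared secret configured (secretRequired/secret)")
        findings.append({"port": conn.get("port"), "problems": problems})
    return findings


def hardened_connector(port="8009", secret="CHANGE-ME-PLACEHOLDER"):
    """Return the connector element a defender would use instead: bound to
    loopback and requiring a shared secret. The secret is a placeholder."""
    return ('<Connector port="%s" protocol="AJP/1.3" address="127.0.0.1" '
            'secretRequired="true" secret="%s" redirectPort="8443" />' % (port, secret))


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print("AJP connector on port", f["port"])
        for p in f["problems"]:
            print("  -", p)
    print("suggested replacement:", hardened_connector())
```

If AJP is not fronted by a local reverse proxy, the simplest fix is to leave the connector commented out entirely; the audit then returns no findings.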
Logging into SSH
After logging in I found two files and downloaded them to my local machine.
One of the files, "credential.pgp", is encrypted, and the other, "tryhackme.asc", contains the key needed to decrypt it.
Using "gpg2john" I extracted the password hash protecting the key.
Using "John" I cracked the hash.
Then I imported the key with the "gpg" command and decrypted the file.
Finally I got the username and password for "merlin".
Logging in with username merlin
After logging in over SSH I ran "sudo -l" to look for an easy privesc.
PRIVESC
I found that the user "merlin" can run the zip command as a superuser.
Using GTFOBins I found the command to escalate privileges and finally got a root shell.
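The root cause of the privilege escalation is a sudoers rule that lets a user run, as root, a program with a known shell escape. The following is an added example written for this write-up, not part of the original page: a small auditor that parses sudoers-style rules and flags exactly that kind of entry, so an administrator can catch a rule like merlin's before a pentester does. The sudoers lines are constructed; the set of flagged binaries holds only zip (the program from this box) and is meant to be extended from GTFOBins.

```python
"""Audit sudoers-style rules for entries that let a user run, as root, a
program with a known shell escape. Added example for this write-up, not the
page's code; the rule lines are constructed."""
import re

# zip is the binary from this box; a defender would extend this set from
# GTFOBins and keep it under review.
SHELL_ESCAPE_BINARIES = {"zip"}

# Constructed sample sudoers lines, including the shape of the rule found on
# the box (merlin may run zip as root without a password).
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
merlin  ALL=(root:root) NOPASSWD: /usr/bin/zip
alice   ALL=(ALL) /usr/bin/systemctl restart nginx
%admin  ALL=(ALL) ALL
"""

# who host=(runas_user[:runas_group]) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_rules(text):
    """Parse user specification lines; comments, blanks and Defaults are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip() or "root"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"who": m.group("who"), "runas": runas_user,
                      "tags": tags, "cmds": cmds})
    return rules


def audit(rules):
    """Return findings for rules that grant root execution of a flagged binary.
    A bare ALL is a deliberate policy choice and is not reported here."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        for cmd in r["cmds"]:
            if cmd == "ALL":
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({
                    "who": r["who"],
                    "cmd": cmd,
                    "nopasswd": "NOPASSWD" in r["tags"],
                    "note": "%s is a shell-escape binary; remove the rule or "
                            "replace it with a wrapper that fixes the arguments" % binary,
                })
    return findings


if __name__ == "__main__":
    for f in audit(parse_rules(SAMPLE_SUDOERS)):
        flag = " (NOPASSWD)" if f["nopasswd"] else ""
        print("%s -> %s%s: %s" % (f["who"], f["cmd"], flag, f["note"]))
```

In practice the rules are read from the output of "sudo -l -U <user>" or from /etc/sudoers and /etc/sudoers.d on the host; the parser here handles the common single-line form and ignores aliases and line continuations.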