Tomghost
https://tryhackme.com/room/tomghost
Nmap
Port 8080 is running Tomcat as shown below:
Port 8009 is running ajp13. Researching this service shows this is a port that runs alongside Apache Tomcat. A brief description of this service is shown below:
Ajp13 protocol is packet-oriented TCP protocol, by default this service runs on port 8009. AJP13 protocol is a binary format, which is intended for better performance over the HTTP protocol running over TCP port 8080.
Researching exploits for this service we can see a vulnerability known as Ghostcat. This exploit (CVE-2020-10487) allows us to read local files in the Tomcat web directory and even configuration files. Below is a PoC for this on Github.
First download the python file and run with the following syntax:
We now have the credentials: skyfuck:8730281lkjlkjdqlksalks Using the gathered cerednetials we are then able to connect by SSH.
The home directory for skyfuck contains a file called tryhackme.asc. The file can be used to decrypt the contents of credential.pgp.
First we need to copy the contents of tryhackme.asc to our attacking machine then use gpg2john to create a hash of the file. After completing this John can be run to crack the passphrase.
Then on the SSH session import the key then attempt to decrypt the credential.pgp file with gpg -d.
Which we can then SSH in as the user 'merlin'.
Running sudo -l on the user shows we can run the zip binary as root without supplying a password. Refering to GTFOBins at https://gtfobins.github.io/gtfobins/zip/. Shows for the zip binary we can gain a root shell running:
Last updated
