Hello guys 👋 I’m back with another walkthrough, this time tackling the Tomghost lab from TryHackMe.
Let’s identify recent vulnerabilities to exploit the system or read files that you should not have access to.
So, let’s start solving this lab 🤝.
As always, we start by enumerating the box, so the first step is an nmap scan.
After running the scan, we can see the open ports and the services running on them. Three ports are open: SSH, AJP13 and HTTP.
Let’s look at port 8080 first, where the Tomcat version is visible.
Since there isn’t much other information available, I’ll concentrate on CVE-2020-1938. If the AJP port is exposed, Tomcat may be susceptible to the Ghostcat vulnerability. Further reading shows that an attacker who successfully exploits Ghostcat can read the configuration and source code of every web application deployed on that Tomcat instance.
To exploit the Ghostcat vulnerability, we can get the proof-of-concept from the following GitHub repository:
https://github.com/00theway/Ghostcat-CNVD-2020-10487
Let’s clone the repository and then we can run the POC.
Command: python3 ajpShooter.py http://<IP> 8009 /WEB-INF/web.xml read
When we run the script, it prints the contents of web.xml. Inside this file we find what looks like a user:password pair, most likely SSH credentials.
Let’s try to log in over SSH with the discovered credentials.
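The reason Ghostcat works here is that the AJP connector is reachable from the network and, on Tomcat versions before the fix, requires no shared secret. The following added example (my own code, not part of the lab or of the Ghostcat PoC) shows the defender-side check: it parses a Tomcat server.xml and flags any AJP connector that is bound to a non-loopback address or configured without a secret. The two server.xml samples are constructed for the example; the Connector attributes used (`protocol`, `address`, `secretRequired`, `secret`) are the real attribute names introduced in the patched Tomcat releases.

```python
"""Audit a Tomcat server.xml for an exposed AJP connector (CVE-2020-1938, Ghostcat).

Added example for this write-up; it is not code from the Tomghost lab or from the
Ghostcat PoC repository. Sample server.xml contents below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the pre-fix default shape, AJP listening on all interfaces, no secret.
VULNERABLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: AJP bound to loopback and requiring a shared secret.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET" redirectPort="8443"/>
  </Service>
</Server>"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding string per AJP connector that looks exposed.

    A connector is flagged when it speaks AJP and either listens on a
    non-loopback address or has no shared secret. An empty list means
    nothing to report. Commented-out connectors are ignored by the XML parser,
    which matches Tomcat's behaviour.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        # When 'address' is absent Tomcat binds to every interface.
        address = conn.get("address", "0.0.0.0")
        secret = conn.get("secret", "")
        secret_required = conn.get("secretRequired", "true").lower() == "true"

        problems = []
        if address not in LOOPBACK:
            problems.append(f"bound to {address} (not loopback)")
        if not secret or not secret_required:
            problems.append("no AJP secret configured")
        if problems:
            findings.append(f"AJP connector on port {port}: " + "; ".join(problems))
    return findings


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or "OK")
```

On a real host you would read `$CATALINA_BASE/conf/server.xml` and pass its contents to `audit_ajp_connectors`. The simplest fix for a box like this one is to comment the AJP connector out entirely if nothing (such as a front-end httpd with mod_jk) actually needs it; only if it is needed should it stay enabled, bound to loopback and protected with a secret.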
Command: ssh skyfuck@<IP>
So, we are able to log in successfully, and here we find our first flag.
In the home directory we can see two files: credentials.pgp and tryhackme.asc. We will download both to our local machine to investigate.
Command: ./gpg2john tryhackme.asc > hash
Now, let’s try to crack it.
Command: john --wordlist=/usr/share/wordlists/rockyou.txt hash
Once John cracks the hash, we have the passphrase needed to decrypt the PGP file.
Commands:
gpg --import tryhackme.asc
gpg --decrypt credentials.pgp
Now it’s time to escalate our privileges and become the user merlin.
We’ve got Merlin’s credentials, and this is what the password looks like:
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
We can switch to Merlin’s account with `su merlin`.
Checking our sudo permissions as merlin, we find that we can run the zip binary as root, so let’s look up zip on GTFOBins for a privilege escalation technique:
Now that we have root, let’s view the file from the /root directory:
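The root cause of this last step is a sudoers rule that lets a low-privilege user run, as root, a binary with a documented shell escape. The following added example (my own code, not part of the lab) is the audit a defender would run: it parses sudoers-style rules and reports any that grant a known shell-escape binary to root. The sudoers content and the list of binaries are constructed for the example; the list is only a small subset of what GTFOBins documents.

```python
"""Flag sudoers rules that let a user run a known shell-escape binary as root.

Added example for this write-up; not code from the Tomghost lab. The sudoers
sample and the binary list below are constructed (the list is a small subset
of the binaries GTFOBins documents as having sudo shell escapes).
"""
import re

# Constructed subset of binaries with documented sudo shell escapes on GTFOBins.
SHELL_ESCAPE_BINARIES = {"zip", "vim", "find", "less", "tar", "awk", "python3"}

# Constructed sample sudoers content, including the kind of rule seen in this lab.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
merlin ALL=(root) NOPASSWD: /usr/bin/zip
backup ALL=(root) NOPASSWD: /usr/bin/rsync
alice ALL=(www-data) /usr/bin/vim
"""

# user  host=(runas[:group])  [NOPASSWD:] cmd[, cmd...]
SUDOERS_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)


def risky_sudo_rules(sudoers_text: str) -> list:
    """Return a finding dict for every rule granting a shell-escape binary as root.

    Rules whose run-as user is neither root nor ALL are skipped: running vim as
    www-data is a different (smaller) problem than running zip as root.
    """
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue  # includes, aliases and other syntax are out of scope here
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("ALL", "root"):
            continue
        cmds = m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        cmds = cmds.replace("NOPASSWD:", "").replace("PASSWD:", "")
        for cmd in cmds.split(","):
            parts = cmd.split()
            if not parts:
                continue
            binary = parts[0].rsplit("/", 1)[-1]  # /usr/bin/zip -> zip
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({
                    "user": m.group("user"),
                    "binary": binary,
                    "nopasswd": nopasswd,
                    "rule": line,
                })
    return findings


if __name__ == "__main__":
    for f in risky_sudo_rules(SAMPLE_SUDOERS):
        print(f"{f['user']} may run {f['binary']} as root"
              f"{' without a password' if f['nopasswd'] else ''}: {f['rule']}")
```

In practice you would feed it the output of `sudo -l` or the files under `/etc/sudoers.d/` for each user. The remediation for a rule like merlin's is not to restrict zip's arguments (which is fragile) but to remove the root grant or replace it with a purpose-built script that does only the archiving job.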
Hurray ✌️, we have successfully solved Tomghost. Thank you for sticking around.