TryHackMe - Tomghost
We have a Tomcat server on the web port. The Server Status, Manager App and Host Manager pages cannot be accessed without credentials (access denied), so the web interface alone gives us nothing.

The AJP connector port (8009 by default) was unexpected. Looking it up online leads to CVE-2020-1938, aka Ghostcat, and with the name of the room this is a big hint that we need to use it. As usual HackTricks has a great resource about Tomcat and the AJP connector. One caveat worth keeping in mind: Ghostcat only lets us read (or include) files inside the web application's root, not arbitrary files on the filesystem, which is why WEB-INF/web.xml is the first target; it is unreachable over HTTP but often holds credentials or reveals other files of interest.

Let's get the exploit mentioned in the article and try it out. It is specified that we need to launch it like this: usage: 48143 [-h] [-p PORT] [-f FILE] target

Let's first try to get WEB-INF/web.xml. It works, and the file contains credentials!

The credentials also work for SSH.

If we do an ls on the home folder, we have 2 directories: merlin and the one of the user we got initially. The user.txt flag is in the merlin directory.

In the home of our initial user there are 2 interesting files that are worth checking: tryhackme.asc (an ASCII-armored GPG private key) and credential.pgp (a message encrypted for that key).

We take them to our Kali box using FTP. On Kali we start a writable FTP server with python3 -m pyftpdlib -p 21 --write, then from the target we connect to our Kali with ftp and put both files.
We can now try to crack the passphrase protecting the private key: gpg2john tryhackme.asc > hash, then run john against it with rockyou.txt as wordlist: john --wordlist=/usr/share/wordlists/rockyou.txt hash. It works, we get a passphrase.

Back on the target we type gpg --decrypt credential.pgp and enter the passphrase when prompted (if gpg reports that it has no secret key for the message, import tryhackme.asc first with gpg --import). It works, we get merlin's credentials and can move laterally to this user using su merlin.

If we run sudo -l with our new user, here is what we get.

Let's check it out. Using the command provided we get root and can get our flag.