# TryHackMe - Tomghost

* [Room](https://tryhackme.com/room/tomghost)

## Nmap

```
┌──(root💀kali)-[~]
└─# nmap -T4 -sC -sV -O -Pn -p- 10.10.80.104
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-03 10:16 EDT
Nmap scan report for 10.10.80.104
Host is up (0.22s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=7/3%OT=22%CT=1%CU=30334%PV=Y%DS=4%DC=I%G=Y%TM=62C1A6D5
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=105%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST11
OS:NW7%O6=M506ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(
OS:R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 548.88 seconds
```

## Port 8080

* We have a Tomcat server\
  ![image](https://user-images.githubusercontent.com/96747355/177050281-8c89a45b-b168-4bbb-8e59-417cf7d0077f.png)
* We cannot access Server Status, Manager App or Host Manager (access denied)

## Port 8009

* This port was unexpected. Looking it up online turns up CVE-2020-1938, aka Ghostcat, and with the name of the room this is a big hint that we need to use it.
* As usual, HackTricks has a great resource about it [here](https://book.hacktricks.xyz/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp)
* Let's get the [exploit](https://www.exploit-db.com/exploits/48143) mentioned in the article and try it out
* Its usage line tells us how to launch it: `usage: 48143 [-h] [-p PORT] [-f FILE] target`
* Let's first try to get `WEB-INF/web.xml`. It works, and we have creds!\
  ![image](https://user-images.githubusercontent.com/96747355/177053568-a50be767-3b09-4b54-b642-6a951c822c4d.png)
* The creds work for SSH\
  ![image](https://user-images.githubusercontent.com/96747355/177053674-b5e9376b-7d5c-4a02-a324-41e97a30375c.png)
* If we do an `ls` on the home folder, we have two directories: `merlin` and the one of the user we got initially. The `user.txt` flag is in the `merlin` directory.\
  ![image](https://user-images.githubusercontent.com/96747355/177053844-db23a335-4dd7-4020-b601-60ba6060ce00.png)
* In the home of our initial user there are two interesting files worth checking: `tryhackme.asc` and `credential.pgp`
* We pull them onto our Kali box over FTP: on Kali we start a server with `python3 -m pyftpdlib -p 21 --write`
* From the target we connect to our Kali with `ftp` and `put` both files
* We can now try to crack the key's passphrase: `gpg2john tryhackme.asc > hash`, then run John against it with rockyou.txt as the wordlist: `john --wordlist=/usr/share/wordlists/rockyou.txt hash`. It works, we get a password\
  ![image](https://user-images.githubusercontent.com/96747355/177224792-dc40752b-144b-42f2-a4e2-7e6a0a32818e.png)

## Lateral movement

* Using the password we just cracked, we can now decrypt the PGP file
* On the target we run `gpg --decrypt credential.pgp`; it works, we get merlin's credentials and can move laterally to this user with `su merlin`\
  ![image](https://user-images.githubusercontent.com/96747355/177224932-e40c5e18-005f-40a8-a354-e06af3098a43.png)

## Privesc

* If we run `sudo -l` as our new user, here is what we get\
  ![image](https://user-images.githubusercontent.com/96747355/177225087-baa37e47-33bb-4359-a197-49b7978226fc.png)
* Let's check out [gtfobins](https://gtfobins.github.io/gtfobins/zip/)
* Using the command provided we get root and can grab our flag\
  ![image](https://user-images.githubusercontent.com/96747355/177225348-3f765593-7812-43a1-b279-3f4d18149d4d.png)
