![THM-Header](https://muirlandoracle.co.uk/wp-content/uploads/2020/01/THM-Header.png)
Tomghost — Write-up
TryHackMe Challenge Link: https://tryhackme.com/room/tomghost
Tomghost is an interesting CTF from Stuxnet; it has a rather unusual section after gaining RCE, which makes for a nice break from standard CTF challenges. In this room we’ll be exploiting a vulnerability in Ghostcat and exploring ASCII-armoured, passphrase-protected PGP keys, followed by a nice easy privilege escalation up to root.
Let’s begin!
Enumeration:
We begin, as always, with enumeration of the machine. Let’s start with an nmap scan:
nmap -sV -p- -vv <machine-ip>
![nmap scan revealing open ports 22, 53, 8009 and 8080](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/1.png)
Great, so, we have a few ports open here. Port 22 is running SSH, as standard. We’ve also got Apache Tomcat on port 8080, with AJP (Apache JServ Protocol) on 8009. AJP is essentially used to proxy web requests from a front-end web server through to the application running in the back-end of the server. Tomcat and AJP are often run together — and luckily for us, there are a few juicy exploits for the combination that might work for us, so let’s start here.
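From the defender’s side, the exposure just described is a configuration problem: an AJP connector that listens on every interface with no shared secret. The following audit script is an added example, not part of this write-up or of Tomcat’s own tooling; it parses a server.xml and flags AJP connectors that are not bound to loopback or have no secret, using the `address`, `secretRequired` and `secret` connector attributes documented for the Tomcat releases that shipped the AJP fix. Both server.xml fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not from the target machine). The first is
# the pre-fix Tomcat default: AJP on 8009, listening on every interface, no
# shared secret. The second is the same connector hardened.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return [(port, [findings])] for each AJP connector in a server.xml."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Tomcat treats a Connector with no protocol attribute as HTTP/1.1.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        findings = []
        # Older Tomcat binds to all interfaces when address is absent, so treat
        # a missing or non-loopback address as reachable from the network.
        if conn.get("address") not in LOOPBACK:
            findings.append("ajp_exposed_on_non_loopback")
        # Pre-fix Tomcat had no secret at all; in fixed releases secretRequired
        # defaults to true and a connector without a secret refuses to start.
        if conn.get("secretRequired", "true").lower() != "true":
            findings.append("secret_not_required")
        elif not conn.get("secret"):
            findings.append("secret_missing")
        results.append((conn.get("port"), findings))
    return results


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp_connectors(xml))
```

Point it at a real `conf/server.xml` and anything in the findings list for port 8009 is exactly the condition that made this box’s foothold possible.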
Ghostcat Exploitation:
Searching exploit-db, we can see that there are two exploits for AJP:
AjPortal2Php doesn’t really fit here, but… the new Ghostcat vulnerability looks like it fits the bill!
Let’s take a look:
![The help menu for the exploit-db ghostcat exploit](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/3.png)
All we need is a target — let’s plug our machine IP in and see what happens!
![Got a username and password from the ghostcat vulnerability](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/4.png)
Could those possibly be creds?
Well, that was easy!
Throw ’em into SSH and we can move on.
![Used the found credentials to SSH into the machine](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/5.png)
Lateral Privilege Escalation:
Looking in our current directory, it appears that we have an encrypted PGP (Pretty Good Privacy) file (credential.pgp), along with some ASCII armour (tryhackme.asc).
Well, first things first, let’s try importing the ASCII armour as a key:
![Using the gpg program to import the ASCII armour as a secret key](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/6.png)
Great — we should now be able to decrypt the credentials!
![Turns out that a password is required in order to use the key we imported](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/7.png)
Damn. No such luck. Looks like we’re going to be bruteforcing this key then. Download the .asc file to your own Kali machine, then we’ll convert it with a tool called gpg2john:
![Downloading the armour from the server and converting it into a hash with gpg2john](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/8-1024x87.png)
(Use locate gpg2john to see if the program is located elsewhere on your machine.)
Perfect — we’re now free to throw this into John the Ripper with the rockyou wordlist and see what comes up!
john --format=gpg --wordlist=/usr/share/wordlists/rockyou.txt <hash-location>
![Cracking the gpg hash with JTR](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/9-1024x142.png)
Success! We have a password. Let’s switch back into the target machine and try this again:
![Successfully decrypted the key using the password obtained with JTR](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/10.png)
Huh, looks like creds to another account. Let’s switch over and see if we can’t finally grab the user flag!
![Output of the switch user and catting the flag](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/11.png)
Root Privilege Escalation:
Now that we have the user flag, let’s aim for root!
The first thing to check is: do we have any sudo privileges? Use sudo -l to check:
Why on Earth anyone would need sudo permissions to run zip is beyond me, but hey, since there’s a GTFOBins entry for it, we might as well make use of it!
![GTFobins entry for local privilege escalation using sudo and zip](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/13.png)
Well, we have our exploit — let’s use it!
![Using the exploit to upgrade our privileges to root](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/14.png)
Just for the hell of it I’m going to upgrade this shell, then let’s go for that root flag.
![Upgrading our shell, and grabbing the root flag](https://muirlandoracle.co.uk/wp-content/uploads/2020/04/15.png)
And there we have it — the root flag for Tomghost.