TryHackMe - Ghost

Summary

TomGhost is an easy Linux machine featuring a vulnerable Apache JServ Protocol 1.3 (AJP) instance that can be used to read files from the web application, including its source code and configuration. Once inside the machine, a zip binary that can be run through sudo is used to spawn a root shell.

Link: https://tryhackme.com/room/tomghost

Reconnaissance

[Screenshot: Nmap result]

There are four open ports on the target machine:

  • 22 - SSH
  • 53 - DNS
  • 8009 - Apache JServ Protocol (AJP)
  • 8080 - Apache Tomcat

I searched for exploits related to AJP and found two interesting exploits. The second one was the exploit I used, because I noticed that the exploit's name is Ghostcat and the machine's name is TomGhost.

[Screenshot: Searchsploit result]
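The root cause on this box is an AJP connector that is reachable from the network and accepts requests without a shared secret. As an added defensive example (not code from the original writeup), the following Python script parses a Tomcat server.xml and flags every AJP connector that is not bound to loopback or that has no secret configured. Both server.xml fragments are constructed samples: one with the historical default connector and one after hardening. The connector attributes address, secretRequired and secret are real Tomcat AJP connector attributes; the secret value itself is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a Tomcat server.xml fragment with the historical default AJP connector
# (listens on every interface, no shared secret). This is the shape of config that lets
# Ghostcat read files such as WEB-INF/web.xml over port 8009.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: the same file after hardening. The connector only listens on
# loopback and refuses requests that do not carry the shared secret.
# (Placeholder secret; generate a long random value for a real deployment.)
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"
               redirectPort="8443" />
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per enabled AJP connector that is still exposed.

    A connector is flagged when it is not explicitly bound to a loopback address
    or when it can be reached without a shared secret. A missing ``address``
    attribute is treated as "all interfaces", the conservative reading for
    older Tomcat releases; a missing ``secret`` is treated as "no secret".
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "")
        if not protocol.upper().startswith("AJP"):
            continue  # HTTP connectors are out of scope here

        problems = []

        address = connector.get("address")
        if address is None or address.strip() not in LOOPBACK_ADDRESSES:
            problems.append("bound to %s, not loopback" % (address or "all interfaces"))

        secret_required = connector.get("secretRequired", "true").lower() == "true"
        if not secret_required or not connector.get("secret"):
            problems.append("no shared secret required for AJP requests")

        if problems:
            findings.append({"port": connector.get("port", "?"), "problems": problems})
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print("%s config: %s" % (label, audit_ajp_connectors(xml_text) or "no exposed AJP connectors"))
```

Run it against a live server.xml (for example /opt/tomcat/conf/server.xml, path assumed) after reading the file into a string. If the AJP connector is not used by a front-end proxy at all, removing or commenting it out is the simplest fix; where it is needed, bind it to loopback or the proxy's address and set a secret that the proxy is configured to send.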

Running the exploit reveals a credential for the user skyfuck.

[Screenshot: Content of WEB-INF/web.xml]

Use the credential to gain access to the machine.

[Screenshot: Authenticated on the machine]

You can grab the content of user.txt in merlin's home directory.

Getting Merlin's Creds

[Screenshot: Files and directories inside skyfuck's home]

Listing the files inside skyfuck's home directory reveals a .pgp file and an .asc file. Convert the .asc file to a hash using gpg2john and crack it: gpg2john tryhackme.asc > hash

[Screenshot: Passphrase cracked]

Import the asc file and decrypt the credential.pgp using the cracked passphrase.

[Screenshot: Merlin's creds found]

Privilege Escalation

Executing sudo -l reveals that we can run the zip binary through sudo, which can be used to gain a root shell.

Go to https://gtfobins.github.io/gtfobins/zip/ and follow the commands.
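The privilege escalation works because a sudo rule grants a user a binary that can execute an arbitrary command as root. As an added defensive example (not code from the original writeup), the following Python script parses sudoers-style rules such as the ones printed by sudo -l and reports rules granted to non-root users that point at such a binary, allow ALL commands, or skip the password prompt. The sample rules are constructed and are not the lab machine's actual sudoers; zip is the binary from this writeup, and the list is meant to be extended from a baseline such as GTFOBins.

```python
import re

# Constructed sample rules in /etc/sudoers syntax (not the lab machine's real file).
SAMPLE_SUDOERS = """
# Constructed sample rules
root    ALL=(ALL:ALL) ALL
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
backup  ALL=(root) /usr/bin/rsync
alice   ALL=(ALL) ALL
"""

# user  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Binaries that can run a caller-supplied command when executed with sudo.
# Only zip (the binary on this page) is listed; extend this set from GTFOBins
# to build a fuller baseline for your own audits.
SHELL_CAPABLE_BINARIES = {"/usr/bin/zip"}


def audit_sudo_rules(sudoers_text: str) -> list:
    """Return findings for sudo rules that let a non-root user reach root.

    Each finding records the user, the run-as spec, the command, a severity
    ("high" for a shell-capable binary, "info" for an unrestricted ALL rule)
    and the reasons it was flagged, including whether NOPASSWD applies.
    """
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines
        match = RULE_RE.match(line)
        if not match or match.group("user") == "root":
            continue  # unparsable lines and root's own rule are not findings

        nopasswd = "NOPASSWD" in match.group("tags")
        for command in (c.strip() for c in match.group("cmds").split(",")):
            binary = command.split()[0]
            reasons = []
            severity = None
            if binary in SHELL_CAPABLE_BINARIES:
                severity = "high"
                reasons.append("binary can execute an arbitrary command as the run-as user")
            elif command == "ALL":
                severity = "info"
                reasons.append("unrestricted command set; confirm this user is an administrator")
            if severity is None:
                continue
            if nopasswd:
                reasons.append("NOPASSWD: no password prompt before escalation")
            findings.append({
                "user": match.group("user"),
                "runas": match.group("runas"),
                "command": command,
                "severity": severity,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDOERS):
        print("[%s] %s may run %s as (%s): %s" % (
            finding["severity"], finding["user"], finding["command"],
            finding["runas"], "; ".join(finding["reasons"])))
```

The fix for a rule like merlin's is to remove it, or to replace the general-purpose binary with a purpose-built wrapper script that takes no caller-controlled options and is only writable by root. Re-run the audit after every change to /etc/sudoers or /etc/sudoers.d.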

Takeaways

  • Always update the software you are using and keep up with security advisories for it.
  • Review the permissions of all files, binaries, sudo rules, etc. on the system.

Resources