TryHackMe - Ghost

Summary
TomGhost is an easy Linux machine featuring a vulnerable Apache JServ Protocol 1.3 instance that can be used to read files, including source code. Inside the machine, a privileged zip binary can be used to spawn a root shell.
Link: https://tryhackme.com/room/tomghost
Reconnaissance

There are 4 open ports on the target machine:
- 22 - SSH
- 53 - DNS
- 8009 - Apache JServ Protocol (AJP)
- 8080 - Apache Tomcat
I searched for exploits related to AJP and found two (2) interesting exploits. I used the second one because I noticed the exploit's name is Ghostcat and the machine's name is TomGhost.
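Ghostcat works because the AJP connector is reachable from outside the host, so the defensive fix is to bind it to loopback (or remove it) and require a shared secret. The following audit script is an added example, not part of the original writeup or of Tomcat itself: it parses a server.xml and reports AJP connectors that listen on a non-loopback address, that explicitly disable secretRequired, or that configure no secret. The two server.xml documents inside it are constructed samples, and the secret value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Loopback addresses: an AJP connector bound to one of these is reachable only
# by a reverse proxy on the same host, which is the normal deployment model.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}

# Constructed sample shaped like a stock Tomcat server.xml: the AJP connector
# has no address attribute (listens on every interface) and no shared secret.
EXPOSED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample of the same file after hardening: loopback-only binding and
# a mandatory shared secret (the secret shown is a placeholder, not a real value).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-RANDOM-SECRET" redirectPort="8443"/>
  </Service>
</Server>
"""


def is_ajp_connector(connector):
    """True for Connector elements whose protocol attribute names AJP.
    Tomcat treats a missing protocol attribute as HTTP/1.1."""
    protocol = connector.get("protocol", "HTTP/1.1")
    return "ajp" in protocol.lower()


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector: port, bind address and a list of
    hardening problems. An empty issues list means the connector looks hardened."""
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        if not is_ajp_connector(connector):
            continue
        address = connector.get("address")  # absent means "all interfaces"
        secret_required = connector.get("secretRequired", "true").lower()
        # Newer Tomcat releases call the attribute "secret"; older ones used
        # "requiredSecret", so accept either when checking for a configured value.
        secret = connector.get("secret") or connector.get("requiredSecret")
        issues = []
        if address is None or address not in LOOPBACK_ADDRESSES:
            issues.append("AJP listens on a non-loopback address")
        if secret_required == "false":
            issues.append("secretRequired is explicitly disabled")
        if not secret:
            issues.append("no AJP shared secret is configured")
        findings.append({
            "port": connector.get("port"),
            "address": address or "0.0.0.0 (all interfaces)",
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for label, xml_text in (("exposed", EXPOSED_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml_text):
            status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
            print(f"[{label}] AJP port {finding['port']} on {finding['address']}: {status}")
```

Run it against a real server.xml by reading the file into audit_ajp_connectors(); the cleanest fix is usually to delete the AJP connector entirely if nothing fronts Tomcat with AJP, since an unused listener on 8009 is exactly what the scan in this room found.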

Running the exploit reveals a credential for the user skyfuck.

Use the credential to gain access to the machine.

You can grab the content of user.txt in merlin's directory.
Getting Merlin's Creds

Listing the files inside skyfuck's directory shows a pgp file and an asc file. Convert the asc file to a hash using gpg2john and crack it:
gpg2john tryhackme.asc > hash

Import the asc file and decrypt credential.pgp using the cracked passphrase.

Privilege Escalation
Executing sudo -l reveals that we can run the zip binary through sudo, which can be used to gain a root shell.
Go to https://gtfobins.github.io/gtfobins/zip/ and follow the commands.
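The takeaway for a defender is that a sudo rule for a binary with a known shell escape is equivalent to granting root. The script below is an added example, not part of the original writeup or of sudo: it parses sudoers-style rules (including the NOPASSWD tag) and flags entries that give unrestricted password-less sudo or that allow a binary on a shell-escape watchlist. The sudoers content is a constructed sample modelled on what sudo -l showed on this machine, and the watchlist deliberately contains only zip, the binary from this room; extend it from GTFOBins for real audits.

```python
import os
import re

# Binaries documented on GTFOBins as able to spawn a shell when run through sudo.
# Only zip, the binary from this room, is listed; extend from GTFOBins as needed.
SHELL_ESCAPE_BINARIES = {"zip"}

# Tags that sudoers allows in front of a command spec (NOPASSWD: and friends).
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)
# user  host=(runas) cmd1, cmd2 ...  (aliases and line continuations are not handled)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Constructed sample sudoers content, not copied from any real host.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
merlin  ALL=(root:root) NOPASSWD: /usr/bin/zip
alice   ALL=(root) /usr/bin/systemctl restart nginx
"""


def parse_sudoers(text):
    """Yield (user, runas, nopasswd, command) for every command spec in the text.
    A NOPASSWD tag stays in effect for the rest of the comma-separated list,
    which matches how sudoers applies tags."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        user = match.group("user")
        runas = match.group("runas") or "root"  # sudo defaults to root when no runas is given
        nopasswd = False
        for spec in match.group("cmds").split(","):
            spec = spec.strip()
            while True:  # strip any number of leading tags
                tag = TAG_RE.match(spec)
                if not tag:
                    break
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                spec = spec[tag.end():]
            yield user, runas, nopasswd, spec


def audit_sudoers(text):
    """Return findings for rules that hand out root without a meaningful limit."""
    findings = []
    for user, runas, nopasswd, command in parse_sudoers(text):
        binary = "ALL" if command == "ALL" else os.path.basename(command.split()[0])
        reason = None
        if command == "ALL" and nopasswd:
            reason = "unrestricted sudo without a password"
        elif binary in SHELL_ESCAPE_BINARIES:
            reason = f"{binary} can spawn a shell under sudo (see GTFOBins)"
        if reason:
            findings.append({"user": user, "runas": runas, "nopasswd": nopasswd,
                             "command": command, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{f['user']} -> ({f['runas']}) {tag}{f['command']}: {f['reason']}")
```

Feed it the output of visudo -c -f or the contents of /etc/sudoers and /etc/sudoers.d/* on a host you administer; a flagged rule should be replaced with a wrapper script that performs only the intended task, or removed.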

Takeaways
- Always update the software you are using and keep yourself updated on newly disclosed vulnerabilities.
- Review the permissions of all files, binaries, sudo rules, etc. on the system.
Resources
- https://www.exploit-db.com/ (Database for searchsploit)
- https://gtfobins.github.io/gtfobins/zip/ (zip privilege escalation)
- https://www.openwall.com/john/ (john for passphrase cracking)