TryHackMe "Tomghost" Walkthrough - No Metasploit
Tomghost is a new room at TryHackMe that requires exploitation of the "Ghostcat" vulnerability (CVE-2020-1938) in Apache Tomcat (go figure). Tomcat ships with an AJP connector listening on port 8009, and that connector treats the request attributes it receives as trusted, as if they always came from a front-end proxy. An attacker who can reach the port directly can set those attributes so that Tomcat returns any file from inside a deployed web application (WEB-INF/web.xml and the like), and if the application also accepts file uploads, that read can be turned into code execution (https://www.synopsys.com/blogs/software-security/ghostcat-vulnerability-cve-2020-1938/). Let's get started on defeating this machine.
Scanning
As usual we kick things off with a basic Nmap scan followed by the -A scan.
nmap 10.10.182.121
nmap -A 10.10.182.121
As you can see we have SSH running on port 22, Tomcat's HTTP connector on 8080, and the AJP connector on 8009. I naturally went to port 8080 first to see if I could pick up an easy win with some default Tomcat credentials, but was unable to.
Enumeration
Apache Tomcat page and access denied
Since we know we can't log in to the manager, that kills any immediate win by deploying a WAR file. But we do have port 8009 running the Apache JServ Protocol (AJP), which Nmap reports as ajp13 (AJP version 1.3). A quick search shows that Searchsploit has results for ajp.
searchsploit ajp
Exploitation
So we have a possible exploit in the results that we can check out. The exploit (48143.py, the Ghostcat file-read proof of concept) is pretty straightforward: it only needs to be run with python and the target IP address. It speaks AJP to port 8009 and asks Tomcat to hand back a file from the web application, by default WEB-INF/web.xml, which is where we discover some poorly placed user credentials.
After copying the exploit to the working directory:
python 48143.py 10.10.182.121
We've found some user credentials (and a very inappropriate user name), and we know SSH is running from our previous Nmap scan, so let's see if we are able to log in using those.
ssh skyfuck@10.10.182.121
We can successfully log in with the credentials and see that we are a low-privilege user. If we change to the /home directory we will see a second user named merlin. Switching to that directory will find the user.txt flag.
User.txt flag in Merlin directory
Changing back to skyfuck's own home directory, we find two files, credential.pgp and tryhackme.asc: a PGP-encrypted message and an ASCII-armored PGP private key.
PGP keychain files
The easiest way to work with these is going to require moving them to our Kali machine. We can do that with scp (secure copy). In this case I copied them to my working directory.
scp skyfuck@10.10.182.121:/home/skyfuck/* .
John the Ripper ships with gpg2john, which extracts the hash of the passphrase protecting the private key in tryhackme.asc. We can run it, output the result to a file, and have John crack the passphrase.
gpg2john tryhackme.asc > tocrack
john tocrack --format=gpg --wordlist=/root/Desktop/passes/rockyou.txt
In a matter of a few seconds we were successfully able to crack the hash and grab a passphrase. The next part hung me up for a while as I have little experience with PGP keyrings. We need to import the tryhackme.asc private key into gpg; since both files were copied over, this works just as well on the Kali machine as it does back on the target. We do that like this:
gpg --import tryhackme.asc
Now that the private key is in the keyring, we can decrypt credential.pgp; gpg will prompt for the passphrase we just cracked:
gpg --decrypt credential.pgp
If everything was done correctly to this point you should see a very long password revealed for the merlin user. Let's switch to that user with su and then check what sudo privileges merlin has. Run the two commands separately; chained with a semicolon, sudo -l would only run after the su shell exits:
su merlin
sudo -l
Merlin has a single sudo permission, /usr/bin/zip. The GTFOBins entry for sudo zip shows how to turn that into a root shell: zip's -T option tests the archive after creating it, and -TT lets you name the command that performs that test, so whatever command you supply runs with the root privileges sudo grants.
GTFObins results for Zip
All we need to do now is copy and paste the GTFOBins command into the terminal and we should get a new shell as root.
Elevated privileges to root user
And finally we simply change directory to the /root folder, cat the root.txt flag, and grab our prize.
Final Thoughts
This was a neat exploit to get my hands on and test out, and there are multiple ways to do it, including an exploit available on Github. I was pulling my hair out for a while trying to sort out how to get GPG to work, and after some research discovered that I needed to import the .asc file in order to unlock the key. All in all, this was a neat box. I do hope that TryHackMe tries to filter their machines a bit better for user names like the one unnecessarily utilized in this challenge, but all in all it was a good experience. I hope this guide has helped you learn something new today, and I'll see you again soon!