Sws101_tomghost

Topic : - TryHackMe Walkthrough

Introduction:

As this journal I will be recording the tasks that I undertook and my encounters during the completion of TomGhost Room CTF on TryHackMe. The purpose of this room is to discover new found loophole and not just try to penetrate the system, read document that should only be accessed by a certain authority.

Tools Used:

• Nmap
• AjpShooter
• John the Ripper

Walkthrough:

• Reconnaissance:

I first started anytime by performing an Nmap scan on the target system. Several services were discovered such as Tomcat service that was running on TCP port number 8080. After this, I managed to login the Tomcat web interface and, upon doing so, I noticed that the /manager path was locked down and could only be accessed locally.

This was followed by other researched that indicated a possible weakness on the Tomcat 9. 0. 3, identified as CVE-2020-1938. I discovered one tool referred to as ajpShooter which is an exploitation script. pplicants or malware py that could potentially exploit this vulnerability.

• Exploitation:

I downloaded the ajpShooter. and edited the corresponding py script and ran it against the real system. The script successfully retrieved a username and password combination: Picture on Stars : 8730281lkjlkjdqlksalks With these credentials, I tried to login through the administrator console and this allowed me to login through ssh as the user ‘skyfuck’.

While traversing through the user directory I came across an encrypted file and the matching PGP key. I first tried to enter the password I know and opened the anonymous file to decode but it did not work. I then used John the Ripper to fully crack the password of the PGP key which was successfully guessed to be ‘alexandru’. With the decrypted file, I obtained another set of credentials: merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kjdkj123j.I also came across the first flag in the home directory as follows: username@ip_address:~/merlin $ cat user. txt

• Privilege Escalation:

When reconnecting to the server and entering the shell session with the account “merlin”, it was found that this account had sudo access and allowed executing the “zip” command as root. In light of the information gleaned from GTFOBins, I managed to devise a privilege escalation exploit specifically using the ‘zip’ command. I was finally able to get a root shell of the system through the execution of the exploit. Last but not the least, having searched for the root flag, eventually, I got the root flag located in root folder named as root. txt.

Conclusion:

The TomGhost Room CTF maintained a very high quality and allowed participants to gain tangible knowledge and skills in the identification of vulnerabilities, their exploitation, as well as techniques of escalation of privileges. In order to make an analysis of some of the attacks, it is possible to use openly available tools and exploits like ajpShooter. Due to these findings, I got the usernames and password of parties of interest such as Miles py and John the Ripper to be able to access the system and gain super user access with the goal of retrieving secretive details.

It reminded me; the need for continuing to update the system with security patches and the implication of getting the default configuration and unpatched vulnerability.

All in all, I was able to put my gained knowledge into practice while participating in the TomGhost Room CTF and the final task This further expanded the knowledge of the hacking methodology. This highlights the ever-present threat and the fact that individuals and organizations must be wary and apply preventive strategies to such undertakings.