cybersec-k

View on GitHub

tomghost

Identify recent vulnerabilities to try exploit the system or read files that you should not have access to.

Scan the machine.

If you are unsure how to tackle this, I recommend checking out the Nmap Tutorials by Hack Hunt.

nmap -sV -Pn <IP>

Nmap Scan

Looks like we have four ports open: 22, 53, 8009, 8080

Let’s check port 8080 in browser. Nothing much there.

Port 8009 seems interesting. Let’s check for vulnerabilities to exploit via ajp13. Via simple Google Search, I came across GitHub Repo -> Ghostcat-CNVD-2020-10487.

Clone the Repo and run the program on the given IP python3 ajpShooter.py http://<IP>:<PORT> <AJP_PORT> /WEB-INF/web.xml read.

Run Script

BOOM! Got username:password. Let’s connect via SSH.

SSH Connect

We got two file -> credential.pgp and tryhackme.asc. A simple Google Search What can I do with .asc and .pgp file says asc file is used to decrypt pgp. Let’s get this file on our system using scp.

Get Files

So when I tried to import the .asc file. It requires a passpharse. No Worries, JohnTheRipper to RESCUE.

Bruteforce

We convert .asc to Hash format suitable for JohnTheRipper -> gpg2john tryhackme.asc > hash. Then Bruteforce using John and wordlist rockyou.txt

Now try to import the file again with this passpharse.

PGP IMPORT

BAAM!! Merlin’s password. Let’s SSH via merlin.

MERLIN SSH

We have user.txt flag.

HEADSUP! You could have get the user flag via skyfuck’s SSH (at least this is the way I got it).

USER Flag

Check what privileges’ merlin have using sudo -l cmd.

ENUMERATION

Looks like we have access to run zip command. Google Search -> Privilege Escalation via ZIP. GTFObins looks promising. Run those commands.

TF = $(mktemp -u)
sudo zip $TF /etc/host -T -TT 'sh #'

Zip Exploit

We got the ROOT access.

Root Flag