Tomghost Walkthrough — TryHackMe — Most Descriptive

Leafy-Pro
8 min read · Aug 9, 2021

This is my first writeup on Medium, and on any machine. Apologies in advance for any mistakes…

As you can see from the title, I will try to explain every step so that no beginner gets stuck on this machine and demotivated.

One more thing before we start the machine: there is no shame in solving a machine with a walkthrough. I do it too. In fact, I recommend reading/watching a walkthrough even if you solved the machine without one, because you will learn new things :)

I will link some of the definitions to pastes on pastebin because I want to focus here on the walkthrough, but I also want you to understand what we are doing. LETS HACK!!!!

Before starting, connect yourself to the THM network with the OpenVPN package they provided you.

sudo openvpn <your pack name>

When it displays `Initialization Sequence Completed`, you are connected. Now don’t do anything with this terminal; open another terminal, or a tab if you are using terminator or tmux (they let you open multiple tabs or windows in a single screen). Then start the machine and wait until THM shows you its IP. Now let’s begin the main part.

NOTE1: Your machine is given 1 hour. Keep adding time to it or it will be terminated automatically.

NOTE2: Don’t copy the IP address from the screenshots. It changes every time you deploy the machine.

The Nmap scan I run every time I start on a new target:

sudo nmap -sS -sV -Pn <IP>
  • -sS → SYN scan | Details here | Stealthier and faster (needs root, hence the sudo)
  • -sV → Version detection | Important | Helps in finding exploits
  • -Pn → Skip host discovery (no ping) | Some targets block ping and would otherwise be reported as down, so don’t ever forget to specify this

I may show you some filtered ports, but you have to focus on the open ones. Filtered means nmap couldn’t determine whether the port is open or closed, because it got no response to the probes it sent. Most probably, a firewall is dropping our packets.

Every time I see port 80 (HTTP) or the Tomcat port (8080) open, I visit it in a browser. Let’s see… (Type the URL in the format http://<ip>:8080/ rather than <ip>:8080; the short form sometimes gives me problems.)

NOTE: Every time I write only <ip> here, I mean the target IP.

Just a normal Apache Tomcat default page, as you can see. There is nothing to do on the page itself, so instead we will look for an exploit for this version of Apache Tomcat.

Just google the product name with the version and you will find something useful. You can also search for exploits on exploit-db, but I prefer Google because its ranking usually gives better results. After going through 3–4 websites and the pages linked from them, I found this: https://www.exploit-db.com/exploits/48143

You won’t find this link by searching the exploit-db website for the Apache Tomcat version alone.

Now, you can either download the exploit and use it, or search for it by its EDB-ID with searchsploit in the terminal.

After that you can use locate <path shown in the searchsploit result> to get the full path of the exploit.

So we only need to specify our target, as the port set by default is correct (remember, 8009 was open for AJP, the connector protocol Tomcat uses). Let’s exploit.

You will get credentials in the format <username>:<password>.

This is the Ghostcat vulnerability in Tomcat: the AJP connector on port 8009 lets an unauthenticated client read files inside the deployed web application, which is where those credentials came from. THM gave you a hint at the start of the room too…

I can’t show the credentials here as THM doesn’t allow it. Besides, you should explore it yourself :)
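Since the whole foothold here rests on the AJP connector being reachable from the network, this added example (not from the original writeup) shows the defender’s side: a small check over a Tomcat server.xml that flags an AJP connector not bound to loopback or not requiring a shared secret. The two server.xml fragments are constructed samples, and the check assumes each <Connector/> element sits on one line, as in the stock file.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit a Tomcat server.xml for
# the exposure Ghostcat relies on, an AJP connector (port 8009 here) that is
# reachable from the network and usable without a shared secret.
# Assumes each <Connector .../> is on a single line, as in the stock server.xml.

# Constructed sample: the stock, weak configuration (AJP on every interface,
# no secret).
WEAK_XML='<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service>'

# Constructed sample: the hardened form (loopback only, secret required).
# The secret value is a placeholder to replace with a long random one.
SAFE_XML='<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET" redirectPort="8443" />
</Service>'

# ajp_exposed: read server.xml on stdin, print one line per finding and exit 0
# if the AJP connector is exposed, 1 if it is absent, commented out or hardened.
ajp_exposed() {
  # Ignore commented-out connectors (<!-- ... --> on one line), keep AJP ones.
  line=$(grep -v '<!--' | grep 'protocol="AJP/1.3"' | head -n 1)
  [ -n "$line" ] || return 1
  bad=1
  case "$line" in
    *'address="127.0.0.1"'*|*'address="::1"'*|*'address="localhost"'*) ;;
    *) echo "AJP connector listens on all interfaces"; bad=0 ;;
  esac
  case "$line" in
    *'secretRequired="true"'*) ;;
    *) echo "AJP connector does not require a secret"; bad=0 ;;
  esac
  return $bad
}

printf '%s\n' "$WEAK_XML" | ajp_exposed && echo "weak config: exposed"
printf '%s\n' "$SAFE_XML" | ajp_exposed || echo "hardened config: ok"
```

Commenting the AJP connector out entirely is the simplest fix when nothing (such as a fronting Apache httpd) actually needs it.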

Now that we have some credentials, let’s try to SSH into the target.

Let’s try a few commands now to see who we are and what we can do:

So we found two things: credential.pgp and tryhackme.asc. You can read what pgp and asc files are here.

We will work with these files and get a password out of credential.pgp, which will let us log in as another user. Wait, but why log in as another user if we are already on the machine? Because, as you saw, we can’t run sudo commands. The other user may be allowed to run some commands with sudo. Let’s get further.

To work with them, we want them on our own machine, because the tools we need will normally not be present on the target, and as we can’t run sudo, we can’t install them either. To download files from a machine, run the following command on your host (not the target):

scp <username>@<ip>:<full path of file> <path where you want to store file on your computer>
Now we have both files in the Tomghost directory on our host computer.

I created Tomghost directory manually (mkdir Tomghost).

We know (or you will know after this :P) that to decrypt the pgp file we need the passphrase protecting the private key in the asc file, which we will get by cracking the asc.

We will use the gpg2john script, which is part of the John the Ripper suite, to turn it into a crackable hash. It should already be in your PATH if you are on Kali, and you can use it by just typing gpg2john and giving options. If it is not, but you do have John the Ripper installed, do the following:

Then use the path you found instead of just gpg2john. I have it in my PATH (just check by typing gpg2john, no need to go into details: if it is in your PATH it will print its usage, otherwise it will throw an error, in which case give the full path), so I will use it directly.

All the *2john scripts convert their input into a hash in John’s own format so that John can crack it later. Let’s crack it!

John the Ripper does no magic. It hashes each word from the wordlist with the same algorithm, compares the result with the hash we have to crack, and reports the word back if they match.

I had already cracked the hash, so it is showing me this:

So I had to run it with sudo.

I only ran it with sudo to show you how it looks. It is not the only way to see your previously cracked hashes. As you can see in the second-to-last line, we can use the --show option to display cracked passwords. Use it as follows:

john --show <hash file you created>

Here the hash file we created is hashtocrack.hash.

Now we have the passphrase, which unlocks the private key so we can decrypt the pgp file.

Run these two commands (explained in the picture):

gpg --import tryhackme.asc
gpg --decrypt credential.pgp

And BOOM! We got a username and password! Let’s SSH again…

ssh <username>@<ip>

Enter the password you got and you are in.

Let’s see what else we can do…

So, we found that we can run /usr/bin/zip with sudo! Now let me tell you about an amazing website: https://gtfobins.github.io/

You can see what it does in the picture. Basically, it lists commands you can run in the shell to get root privileges from a given binary. As usual, use Ctrl+F to find anything on the webpage. In this case, we can run zip with sudo, so let’s search for it…

Found what I needed. Let’s click on it.

It will give you three commands. Execute them one by one and you will be root! (Why it works: -T tests the archive and -TT sets the command used for that test, so zip, running as root, runs sh; the trailing # turns the archive name zip appends into a comment.)

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF

Not only in this case: whenever you have permission to run some binary with sudo, search for it on this website. You may find something useful…

One more thing you can do is run bash to get a shell as comfortable as before :)

Or, in the second command, use 'bash #' instead of 'sh #'.
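The flip side of the GTFOBins advice above is the administrator’s: any sudo rule that grants a shell-capable binary such as zip is effectively a root rule. This added example (not from the original writeup) is a small audit over sudoers-style lines; the rules are constructed samples, the user names are placeholders, and the watch list is a deliberately short starting point you would extend from GTFOBins for your own environment.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit sudoers-style rules for
# commands that GTFOBins lists as able to spawn a shell (zip in this room),
# and for rules that need no password. Assumes the usual
# "user HOST=(runas) [NOPASSWD:] /path/to/cmd[, ...]" rule layout.

# Binaries to flag; extend from GTFOBins for your environment.
SHELL_CAPABLE="zip"

# Constructed sample sudoers lines (placeholder user names), including the
# kind of rule found on this box.
SAMPLE_SUDOERS='
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
lowprivuser ALL=(root) NOPASSWD: /usr/bin/zip
backupuser  ALL=(root) /usr/bin/rsync
'

# audit_sudoers: read rules on stdin, print one finding per risky rule,
# exit 0 if anything was flagged and 1 if the rules look clean.
audit_sudoers() {
  hits=0
  while IFS= read -r rule; do
    case "$rule" in ''|'#'*|Defaults*) continue ;; esac
    cmds=${rule##*\)}     # everything after the last ')' is the command list
    cmds=${cmds#*:}       # drop a NOPASSWD:/PASSWD: tag, if present
    for cmd in $(printf '%s' "$cmds" | tr ',' ' '); do
      base=${cmd##*/}
      for risky in $SHELL_CAPABLE; do
        if [ "$base" = "$risky" ]; then
          echo "shell-capable command via sudo: $rule"
          hits=$((hits + 1))
        fi
      done
    done
    case "$rule" in
      *NOPASSWD*) echo "no password required: $rule"; hits=$((hits + 1)) ;;
    esac
  done
  [ "$hits" -gt 0 ]
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers && echo "review the rules above"
```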

As you are the root user now, you can go into the /root/ directory and get the root.txt flag.

One more tip: to find anything, you can use locate.

But it may not always work, since locate relies on an index that may not be up to date. So the best option is find (which searches recursively).

find / -type f -name root.txt 2>/dev/null

This searches for the file starting from the / directory. The file type is f (regular file) and the name of the file is root.txt.

Specifying 2>/dev/null discards the errors so that they are not printed to your console. In more detail: 2 is the file descriptor for standard error, which is where errors are written; by default they go to the console. > redirects that output to the specified place, in this case /dev/null.

/dev/null — In some operating systems, the null device is a device file that discards all data written to it but reports that the write operation succeeded.

You can read the manual of find by running man find to see all the options available.

One more machine in the pwned list! Happy Hacking!

You can always contact me at @CuriousMe1 on Telegram :)

I use Kali :)
