TryHackMe tomghost CTF WriteUp

Adnan Kutay Yüksel
6 min read · Jan 20, 2025


📌 Hello Cybersecurity Enthusiasts

I am continuing with TryHackMe WriteUps. These write-ups are not just solution shares but also a source of encouragement for those at the beginning of their cybersecurity journey. Every step is a milestone in the endless journey of knowledge.

• 🗂️ Room Name: tomghost (CTF)

• 📜 Description: Identify recent vulnerabilities to try to exploit the system or read files that you should not have access to.

• 🔗 Room URL: https://tryhackme.com/r/room/tomghost

• ⚡ Difficulty Level: Easy

• 🏹 Included in Paths: -

• 🔍 Tools Specifically Mentioned in Room: -

• 🛠️ Types of Tools Used in Room: Network Scanning Tools, Penetration Testing Tools, Password Cracking Tools, Encoding/Decoding and Hashing Tools, Privilege Escalation Techniques and Tools

• 🛠️ Tools Used in Room: nmap, searchsploit, Metasploit, john, gpg, GTFOBins

• 🎯 Target System: Linux, Web

• 🏳️ Relevant Team: 🔴 Red

Task 1

1.1 Compromise this machine and obtain user.txt?

We have no information about the target system. Therefore, let’s perform a port scan using nmap and start exploring the target system:

nmap -sV 10.10.80.56

The first thing that stands out in the scan results is “tcpwrapped.” In nmap’s output, tcpwrapped means that the TCP handshake with the target port completed, but the connection was closed immediately without any data being exchanged. This typically indicates a TCP wrapper, firewall, IPS/IDS, or some other access-control layer in front of the service, so we need to keep it in mind for our next actions. Now, let’s repeat the scan as a SYN (“stealth”) scan to be less noisy. Just a reminder: this scan type requires root privileges.

sudo nmap -sS -sV 10.10.80.56

Based on this, it seems that there is an SSH service, a DNS service, and two Apache services running on the target. Initial observations we can make:

  • Port 22 (SSH): OpenSSH 7.2p2 is running. This is an outdated version that may contain known security vulnerabilities.
  • Port 53: A DNS service appears to be running.
  • Port 8009 (AJP13): The Apache JServ Protocol connector is active. This is particularly noteworthy because critical vulnerabilities such as “Ghostcat” (CVE-2020-1938) are exploitable through the AJP connector of vulnerable Apache Tomcat versions. This connector is normally not exposed to the network, and the fact that it is reachable here is a security risk in itself.
  • Port 8080: Apache Tomcat 9.0.30 web server is running, which is also an older version.
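As an added, defender-side example (not part of the original write-up), here is the AJP connector from Tomcat’s server.xml as it shipped up to 9.0.30, next to the hardened form that 9.0.31 and later apply by default: the connector is bound to loopback and requires a shared secret from the reverse proxy, which is what closes the unauthenticated AJP access path Ghostcat relies on. The secret value is a placeholder.

```xml
<!-- Weak: the pre-9.0.31 default. The AJP connector listens on all
     interfaces and accepts requests from any client that can reach 8009. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: bind to loopback (or only to the reverse proxy's address),
     require the shared secret that the proxy must present on every request,
     and remove the connector entirely if no AJP reverse proxy is in use. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET" />
```

The configuration change limits exposure, but only upgrading to a patched Tomcat removes the underlying bug; after restarting, confirm with ss -ltn that 8009 is bound to 127.0.0.1 only.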

Let’s check for OpenSSH vulnerabilities using Searchsploit:

searchsploit openssh

Here, we found three vulnerabilities for OpenSSH:

  1. One executed when an authorized user logs in.
  2. One involving username enumeration.
  3. One causing a DoS.

However, none of these seem particularly useful for our purposes.

Now, it’s time to roll up our sleeves, enter Metasploit, and investigate ports 8009 and 8080.

msfconsole -q
msf6 > search ghostcat
msf6 > use 0
msf6 > options
msf6 > set rhosts 10.10.80.56
msf6 > exploit

Great! Our exploit has successfully worked. Using the credential skyfuck:8730281lkjlkjdqlksalks highlighted in red, we can establish an SSH connection:

ssh skyfuck@10.10.80.56

Let’s check what’s on the target:

The first file is a credential file encrypted with PGP, and the second is a private key file. We haven’t found a user flag yet, but these are valuable pieces of information, because John the Ripper can likely crack the passphrase protecting the private key, and that key will then decrypt the credential file. Let’s give it a try.

To decrypt the credential.pgp file, we’ll first convert the gpg private key into a format compatible with John, then hand over the prepared hash file to John for cracking.

Let’s download these files from the target system to our local system for easier handling:

scp skyfuck@10.10.80.56:/home/skyfuck/credential.pgp .
scp skyfuck@10.10.80.56:/home/skyfuck/tryhackme.asc .

Now, let’s begin processing the files on our local system:

gpg2john tryhackme.asc > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Great, we’ve got what we need. Now, let’s go back to the target system and proceed with the decryption process:

gpg --import tryhackme.asc
gpg --decrypt credential.pgp

After running the commands above, let’s enter the passphrase we found earlier, alexandru, to proceed with the decryption.

We’ve found another credential here. Let’s use the following command to log in as the user who owns the new credential:

su merlin

Everything seems to be going smoothly. Running the id command shows that we are logged in as a normal user. Since there was no flag in the first normal user’s directory, the user flag must be here. Let’s check the user’s home directory and see what files are present.

Great! We’ve successfully found the user flag.

Answer: THM{GhostCat_1s_so_cr4sy}

Task 2

2.1 Escalate privileges and obtain root.txt?

Now, let’s first check if there are any simple privilege escalation methods we can use. We’ll begin by reviewing the commands that are allowed with sudo privileges:

sudo -l

Awesome! This will be really helpful. It’s my favorite because it’s the simplest and most straightforward privilege escalation method. Let’s head over to the GTFOBins page and check how the binary allowed via sudo can be abused.

Everything went smoothly. This was actually much easier than I expected! Now, let’s find the root flag:

We’ve found the correct answer: THM{Z1P_1S_FAKE}!

One more observation worth making: at the start, we noticed the tcpwrapped label and attributed it to some security measure. Now we’ve discovered that the reason is ufw (Uncomplicated Firewall), as seen in the root directory. That’s a nice catch!

Answer: THM{Z1P_1S_FAKE}

It has to be said: some CTFs are labeled “easy” but end up dragging you all over the place like a matryoshka doll. This one wasn’t like that. It truly provided all the necessary conditions for someone to successfully breach it. We got a firsthand look at what Ghostcat can lead to and how dangerous it can be. It was a good learning experience!

I’ve not only tried to explain what works but also to highlight what doesn’t, providing detailed information to help beginners gain a better perspective. I hope it has been informative enough!

Best regards!

If you enjoyed this article and want to see more content like this, don’t forget to:

• 👏 Clap to show your support,

• 📰 Follow me for upcoming articles on AI security and ethical hacking, and

• 💬 Feel free to share your thoughts or ask about any issues you encountered in the comments — I’d be happy to hear your ideas!

Thank you for being part of this journey, and see you in the next one! 🌟
