✅TryHackMe - tomghost (Easy)
Summary
Using Ghostcat, we get a credential that helps us get a low-level user shell through SSH. In the home directory, we find a PGP-encrypted credential file and a PGP private key. Here we crack the PGP password using John and get a credential that belongs to a user with slightly higher privilege.
In the privilege escalation phase, sudo -l shows that we are able to run /usr/bin/zip as root. We easily get a root shell using a privesc payload from GTFOBins.
IP
RHOST: 10.10.65.87
LHOST: 10.13.12.2
Nmap

Ghostcat
The box name "tomghost" refers to "Ghostcat" discovered by Chaitin:
https://www.chaitin.cn/en/ghostcat
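Ghostcat is a flaw in Tomcat's AJP connector, so the defensive counterpart of the steps in this writeup is to confirm that the AJP connector is either disabled or only reachable on loopback with a shared secret. The script below is an added example for this page, not code from the original writeup and not Tomcat's own tooling. It assumes the connector attributes introduced in Tomcat 8.5.51+/9.0.31+ (address="..." and secret="..."); the three server.xml files it writes are constructed samples, not files from the box.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit a Tomcat server.xml
# for an AJP connector that is live and reachable without the two controls
# Tomcat provides for it, a loopback bind address and a shared secret.
# Assumptions (not from the page): attribute names follow Tomcat 8.5.51+ /
# 9.0.31+ (address="...", secret="..."); the server.xml files are constructed.

# Usage: audit_ajp_connector /path/to/server.xml
# Prints each live AJP/1.3 <Connector> that is not bound to loopback or has no
# secret. Returns 0 when nothing is exposed, 1 otherwise.
audit_ajp_connector() {
    file="$1"
    # Join into one line and strip XML comments, so the connector that ships
    # commented out in the stock server.xml is not reported as live.
    live=$(tr '\n' ' ' < "$file" | sed -E 's/<!--([^-]|-[^-])*-->//g')
    # Keep only live <Connector> elements that speak AJP/1.3, one per line.
    conns=$(printf '%s\n' "$live" | grep -o '<Connector[^>]*>' | grep 'AJP/1\.3' || true)
    [ -z "$conns" ] && return 0          # no live AJP connector at all
    bad=0
    while IFS= read -r c; do
        [ -z "$c" ] && continue
        if printf '%s' "$c" | grep -qE 'address="(127\.0\.0\.1|::1|localhost)"' &&
           printf '%s' "$c" | grep -q 'secret="'; then
            continue                     # loopback-only and secret set: fine
        fi
        echo "EXPOSED: $c"
        bad=$((bad + 1))
    done <<EOF
$conns
EOF
    [ "$bad" -eq 0 ] && return 0
    return 1
}

# Constructed sample configurations for the demo (not real server.xml files).
write_samples() {
    dir="$1"
    # Like the box: AJP listening on every interface, no secret.
    cat > "$dir/exposed.xml" <<'XML'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
XML
    # Hardened: loopback only and a shared secret the reverse proxy must present.
    cat > "$dir/hardened.xml" <<'XML'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secret="REPLACE-WITH-A-LONG-RANDOM-VALUE" redirectPort="8443" />
  </Service>
</Server>
XML
    # Stock layout: the AJP connector is commented out and must not be flagged.
    cat > "$dir/stock.xml" <<'XML'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--
    <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" />
    -->
  </Service>
</Server>
XML
}

# Stand-alone demo: audit the three constructed files and report.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in exposed hardened stock; do
    if audit_ajp_connector "$demo_dir/$f.xml"; then
        echo "$f.xml: ok"
    else
        echo "$f.xml: AJP connector exposed"
    fi
done
rm -rf "$demo_dir"
```

Run it against a real $CATALINA_HOME/conf/server.xml to get the same verdict; the exposed.xml sample reproduces the condition Ghostcat relies on (AJP bound to all interfaces with no secret), while stock.xml shows why comments must be stripped before matching, since the default Tomcat configuration ships the connector commented out.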
User Shell: Ghostcat
Search the keyword "ghostcat" in Metasploit:

Run this exploit module and get a credential:

The credential is skyfuck:8730281lkjlkjdqlksalks. SSH in to get a user shell:

Lateral Movement: GPG Password Cracking
There are two files in the home directory:

Download these files to our attack machine using SCP:
scp skyfuck@tomghost.thm:\{credential.pgp,tryhackme.asc\} .
# password = 8730281lkjlkjdqlksalks
The idea is to import the PGP private key tryhackme.asc and then decrypt the encrypted PGP message credential.pgp. However, if we try importing the PGP private key, it asks for a password:

We want to crack the password using John. Reformat the private key:
gpg2john tryhackme.asc > hash.txt
Crack it:
john hash.txt -w=/usr/share/wordlists/rockyou.txt
The password is alexandru:

Import tryhackme.asc and decrypt credential.pgp:

Here we get a credential merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j. SSH in as merlin:

Privilege Escalation: Sudo zip
Run sudo -l to see which commands merlin can run as root:

Grab a privesc payload from GTFOBins:

Follow the instruction and spawn a root shell:
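The root cause of this step is a sudoers rule that lets a user run, as root, a program GTFOBins documents as capable of breaking out to a shell. The script below is an added example for this page (not code from the writeup or from GTFOBins) that audits a sudoers file for such rules from the defender's side. Its sudoers text is a constructed sample: the merlin line follows the page's description (zip runnable as root) and the NOPASSWD tag is an assumption; the watch list is illustrative, and Cmnd_Alias names and #include directives are not resolved.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a sudoers file for rules
# that let a user run, as root, a program GTFOBins documents as able to break
# out to a shell or write files as root (zip, as on this box, is one of them).
# Assumptions (not from the page): the sudoers text below is constructed and
# the watch list is illustrative, not exhaustive.

# Illustrative watch list; extend it from GTFOBins' "sudo" category.
WATCH_BINS="zip vim vi find awk tar less"

# Usage: audit_sudoers /path/to/sudoers
# Prints one "RISK:" line per rule that matters; returns 0 if none, 1 otherwise.
audit_sudoers() {
    file="$1"
    bad=0
    set -f                                   # no globbing while we split words
    # Strip comments, then skip blank lines, Defaults and alias definitions.
    # Simplification: #include directives and Cmnd_Alias names are not resolved.
    rules=$(sed 's/#.*//' "$file" |
            grep -v -E '^[[:space:]]*($|Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)' || true)
    while IFS= read -r rule; do
        [ -z "$rule" ] && continue
        who=$(printf '%s' "${rule%%=*}" | sed 's/[[:space:]]*$//')   # "user hosts"
        [ "${who%% *}" = "root" ] && continue                          # root's own rule
        rhs=${rule#*=}                                                 # "(runas) TAG: cmd, cmd"
        # Run-as target; an empty spec means root.
        runas=$(printf '%s' "$rhs" | sed -n 's/.*(\([^)]*\)).*/\1/p')
        case "$runas" in
            ""|*root*|*ALL*) ;;                  # can reach root: keep checking
            *) continue ;;                       # runs as an unprivileged user
        esac
        # Drop the run-as spec and tags such as NOPASSWD:, then split on commas.
        cmds=$(printf '%s' "$rhs" | sed -E 's/\([^)]*\)//g; s/[A-Z_]+://g')
        old_ifs=$IFS; IFS=','
        for cmd in $cmds; do
            IFS=$old_ifs
            set -- $cmd                          # $1 is the program path
            [ $# -eq 0 ] && continue
            name=${1##*/}
            if [ "$1" = "ALL" ]; then
                echo "RISK: [$who] may run ALL as root"
                bad=$((bad + 1))
            else
                case " $WATCH_BINS " in
                    *" $name "*)
                        echo "RISK: [$who] may run $1 as root (shell escape documented on GTFOBins)"
                        bad=$((bad + 1)) ;;
                esac
            fi
        done
        IFS=$old_ifs
    done <<EOF
$rules
EOF
    set +f
    [ "$bad" -eq 0 ] && return 0
    return 1
}

# Constructed sample sudoers (not the box's real file). The merlin line follows
# the page's description of sudo -l; NOPASSWD is an assumption.
write_sudoers_sample() {
    cat > "$1" <<'SUDOERS'
# constructed sample
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
backup  ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender /srv/backup/
www-data ALL=(postgres) NOPASSWD: /usr/bin/vacuumdb
SUDOERS
}

# Stand-alone demo: audit the constructed sample and print the verdict.
demo_file=$(mktemp)
write_sudoers_sample "$demo_file"
if audit_sudoers "$demo_file"; then
    echo "no risky sudo rules found"
else
    echo "risky sudo rules found, review them"
fi
rm -f "$demo_file"
```

On the sample, the %sudo and merlin rules are reported and the backup and www-data rules are not: rsync is not on the watch list, and vacuumdb runs as postgres rather than root. The fix for the merlin case is to grant a narrower command (or a wrapper script that takes no user-controlled arguments) instead of zip itself.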
