✅TryHackMe - tomghost (Easy)

Summary

Using Ghostcat, we get a credential that helps us get a low-level user shell through SSH. In the home directory, we find a PGP-encrypted credential file and a PGP private key. Here we crack the PGP password using John and get a credential that belongs to a user with slightly higher privilege.

In the privilege escalation phase, sudo -l shows that we are able to run /usr/bin/zip as root. We easily get a root shell using a privesc payload from GTFOBins.

IP

RHOST: 10.10.65.87
LHOST: 10.13.12.2

Nmap

Ghostcat

The box name "tomghost" refers to "Ghostcat" discovered by Chaitin:

https://www.chaitin.cn/en/ghostcat

User Shell: Ghostcat

Search the keyword "ghostcat" in Metasploit:

Run this exploit module and get a credential:

The credential is skyfuck:8730281lkjlkjdqlksalks. SSH in to get a user shell:

Lateral Movement: GPG Password Cracking

There are two files in the home directory:

Download these files to our attack machine using SCP:

scp skyfuck@tomghost.thm:\{credential.pgp,tryhackme.asc\} .
# password = 8730281lkjlkjdqlksalks

The idea is to import the PGP private key tryhackme.asc and then decrypt the encrypted PGP message credential.pgp. However, if we try importing the PGP private key, it asks for a password:

We want to crack the password using John. Reformat the private key:

gpg2john tryhackme.asc > hash.txt

Crack it:

john hash.txt -w=/usr/share/wordlists/rockyou.txt

The password is alexandru:

Import tryhackme.asc and decrypt credential.pgp:

Here we get a credential merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j. SSH in as Merlin:

Privilege Escalation: Sudo `zip`

sudo -l:

Grab a privesc payload from GTFOBins:

Follow the instruction and spawn a root shell:

PreviousTryHackMe - Anonymous (Medium)NextTryHackMe - ConvertMyVideo (Medium)

Last updated 1 year ago