TryHackMe - tomghost (Easy)

Summary

Using Ghostcat, we get a credential that gives us a low-privileged user shell over SSH. In the home directory we find a PGP-encrypted credential file and a PGP private key. We crack the private key's passphrase with John and obtain a credential for a user with slightly higher privileges.

In the privilege escalation phase, sudo -l shows that we are able to run /usr/bin/zip as root. We easily get a root shell using a privesc payload from GTFOBins.

IP

  • RHOST: 10.10.65.87

  • LHOST: 10.13.12.2

Nmap

[Screenshot: Nmap scan results]

Ghostcat

The box name "tomghost" refers to "Ghostcat" discovered by Chaitin:

https://www.chaitin.cn/en/ghostcat
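Ghostcat (CVE-2020-1938) abuses the Tomcat AJP connector, which in default configurations before Tomcat 7.0.100, 8.5.51 and 9.0.31 listened on all interfaces on port 8009 with no shared secret. The following audit script is an added defensive example and not part of the original writeup or the box: it parses a Tomcat server.xml and flags AJP connectors that are not bound to loopback or that lack a secret (using the post-fix attribute names address, secret and secretRequired). The server.xml fragment is constructed for the example; the secret value is a placeholder.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Addresses that keep the AJP connector reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed server.xml fragment (not the box's config): one AJP connector in
# the pre-fix default shape and one hardened connector for comparison.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER_LONG_RANDOM_SECRET"/>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding dict per AJP connector listing the issues found."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue  # HTTP connectors are not Ghostcat-relevant
        address = conn.get("address")
        secret = conn.get("secret")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        issues = []
        if address is None:
            # No address means "all interfaces" on Tomcat before 7.0.100/8.5.51/9.0.31
            issues.append("no address set: binds all interfaces on pre-fix Tomcat")
        elif address not in LOOPBACK:
            issues.append(f"bound to non-loopback address {address}")
        if not secret:
            issues.append("no AJP secret configured")
        elif not secret_required:
            issues.append("secret set but secretRequired=false")
        findings.append({
            "port": conn.get("port", "8009"),
            "address": address,
            "issues": issues,
        })
    return findings


def exposed_connectors(server_xml: str) -> list[str]:
    """Ports of AJP connectors that have at least one issue."""
    return [f["port"] for f in audit_ajp_connectors(server_xml) if f["issues"]]


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print(f"AJP port {f['port']}: {status}")
```

Run it against a real server.xml by reading the file and passing its contents to audit_ajp_connectors; an AJP connector that is not needed at all (no reverse proxy speaking AJP in front of Tomcat) is best removed or left commented out, which the parser correctly ignores.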

User Shell: Ghostcat

Search the keyword "ghostcat" in Metasploit:

[Screenshot: Metasploit search results for "ghostcat"]

Run this exploit module and get a credential:

[Screenshot: Ghostcat module output]

The credential is skyfuck:8730281lkjlkjdqlksalks. SSH in to get a user shell:

[Screenshot: user shell as skyfuck]

Lateral Movement: GPG Password Cracking

There are two files in the home directory:

[Screenshot: home directory listing]

Download these files to our attack machine using SCP:

scp skyfuck@tomghost.thm:\{credential.pgp,tryhackme.asc\} .
# password = 8730281lkjlkjdqlksalks

The idea is to import the PGP private key tryhackme.asc and then decrypt the encrypted PGP message credential.pgp. However, importing the private key prompts for its passphrase:

[Screenshot: gpg asks for a passphrase on import]

We can crack the passphrase with John. First convert the private key into a John-compatible hash with gpg2john:

gpg2john tryhackme.asc > hash.txt

Crack it:

john hash.txt -w=/usr/share/wordlists/rockyou.txt

The password is alexandru:

[Screenshot: John output showing the password alexandru]

Import tryhackme.asc and decrypt credential.pgp:

Here we get a credential merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j. SSH in as Merlin:

Privilege Escalation: Sudo zip

sudo -l:

[Screenshot: sudo -l output]

Grab a privesc payload from GTFOBins:

Follow the instruction and spawn a root shell:
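A sudo rule that lets a user run a GTFOBins-listed binary as root is the kind of misconfiguration this step exploits. The script below is an added defensive example, not part of the original writeup: it parses the output of sudo -l and flags rules that run a shell-escape-capable binary as root, with extra weight when NOPASSWD is set. The sudo -l sample is constructed to match the shape seen on the box, and the binary list is a small illustrative subset of GTFOBins, not the complete list.

```python
from __future__ import annotations
import os
import re

# Constructed sample of `sudo -l` output (not the real screenshot): one
# NOPASSWD rule for /usr/bin/zip as root and one harmless non-root rule.
SAMPLE_SUDO_L = """Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
    (www-data) /usr/bin/systemctl status apache2
"""

# Binaries whose sudo entries GTFOBins documents as shell-escape capable.
# Illustrative subset only; extend from the GTFOBins "sudo" category.
SHELL_ESCAPE_BINARIES = {
    "zip", "tar", "vim", "vi", "less", "more", "man", "find", "awk",
    "python", "python3", "perl", "env", "bash", "sh", "nmap", "ftp",
}

# Matches a rule line such as "(root : root) NOPASSWD: /usr/bin/zip".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(output: str) -> list[dict]:
    """Turn `sudo -l` output into a list of {runas, tags, command} rules."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # rule lines follow this header
            continue
        if not in_rules:
            continue  # skip the Defaults block
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        tags = {t.strip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas_user, "tags": tags, "command": cmd.strip()})
    return rules


def audit_sudo_rules(rules: list[dict]) -> list[str]:
    """Return one human-readable finding per risky root rule."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue  # only rules that run as root matter here
        if r["command"] == "ALL":
            findings.append("ALL: unrestricted root command access")
            continue
        binary = os.path.basename(r["command"].split()[0])
        if binary in SHELL_ESCAPE_BINARIES:
            note = f"{r['command']}: GTFOBins-class binary runs as root"
            if "NOPASSWD" in r["tags"]:
                note += " without password"
            findings.append(note)
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

The fix on the defending side is to drop the rule or restrict it to a wrapper script with fixed arguments; a general-purpose archiver such as zip cannot be made safe through sudoers argument restrictions alone.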
