TryHackMe - tomghost (Easy)
Using Ghostcat, we get a credential that helps us get a low-level user shell through SSH. In the home directory, we find a PGP-encrypted credential file and a PGP private key. Here we crack the PGP password using John and get a credential that belongs to a user with slightly higher privilege.

In the privilege escalation phase, `sudo -l` shows that we are able to run `/usr/bin/zip` as root. We easily get a root shell using a privesc payload from GTFOBins.

- RHOST: 10.10.65.87
- LHOST: 10.13.12.2

(screenshot: Nmap scan)

The box name "tomghost" refers to "Ghostcat", discovered by Chaitin. Search the keyword "ghostcat" in Metasploit:

(screenshot: Metasploit search results)

Run this exploit module and get a credential:

(screenshot: Ghostcat module output)

The credential is `skyfuck:8730281lkjlkjdqlksalks`. SSH in to get a user shell:
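Ghostcat works because the AJP connector Tomcat opens on port 8009 is reachable from the network and accepts requests without any shared secret. The following audit script is an added example, not part of the writeup or of Tomcat's own tooling: it reads a `server.xml`, finds every AJP `<Connector>`, and reports the two configuration mistakes that make it reachable by the module above. The two `server.xml` documents embedded below are constructed for the example; the checks follow the hardening Apache shipped in Tomcat 9.0.31 (loopback binding and `secretRequired` on by default).

```python
"""Audit a Tomcat server.xml for an exposed AJP connector (the Ghostcat surface).

Added example: constructed server.xml inputs, not the box's real configuration.
Checks mirror the Tomcat 9.0.31 hardening: AJP bound to loopback, secret required.
"""
import xml.etree.ElementTree as ET

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding string per weakness in each AJP <Connector>.

    An empty list means every AJP connector is loopback-bound and has a
    secret, or there is no AJP connector at all (the safest state)."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # HTTP connectors are not in scope; only AJP/1.3 speaks the Ghostcat protocol
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            # Tomcat < 9.0.31 defaulted to all interfaces; be conservative and flag it
            findings.append(f'port {port}: no address attribute; older Tomcat binds AJP '
                            f'to every interface, set address="127.0.0.1"')
        elif address not in LOOPBACK_ADDRESSES:
            findings.append(f"port {port}: AJP bound to {address}; restrict it to loopback "
                            f"or firewall it to the reverse proxy host")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if not secret_required:
            findings.append(f'port {port}: secretRequired="false", any client may speak AJP')
        elif not conn.get("secret"):
            findings.append(f"port {port}: no secret configured; older Tomcat accepts "
                            f"unauthenticated AJP requests on this connector")
    return findings


# Constructed: the stock-style configuration that Ghostcat relies on.
EXPOSED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed: the same service with the AJP connector hardened.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for label, xml_text in (("exposed", EXPOSED_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"[{label}]")
        for finding in audit_ajp_connectors(xml_text) or ["no AJP findings"]:
            print("  -", finding)
```

Run it against the real `/etc/tomcat9/server.xml` (or wherever the install keeps it) and treat any finding as a reason to either remove the connector, when no `mod_jk`/`mod_proxy_ajp` front end uses it, or bind it to loopback and set a secret that the proxy also knows.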
(screenshot: user shell)

There are two files in the home directory:

(screenshot: home directory listing)

Download these files to our attack machine using SCP:

```bash
scp skyfuck@10.10.65.87:\{credential.pgp,tryhackme.asc\} .
# password = 8730281lkjlkjdqlksalks
```
The idea is to import the PGP private key `tryhackme.asc` and then decrypt the encrypted PGP message `credential.pgp`. However, if we try importing the PGP private key, it asks for a password:

(screenshot: password prompt)
We want to crack the password using John. Convert the private key into a hash John can work on:

```bash
gpg2john tryhackme.asc > hash.txt
```

Crack it:

```bash
john hash.txt -w=/usr/share/wordlists/rockyou.txt
```

The password is `alexandru`:

(screenshot: John output showing alexandru)

Import `tryhackme.asc` and decrypt `credential.pgp`:

(screenshot: decrypted credential)
Here we get a credential `merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j`. SSH in as Merlin:

(screenshot: Merlin's shell)

`sudo -l`:

(screenshot: sudo -l output)

Grab a privesc payload from GTFOBins:

(screenshot: GTFOBins entry for zip)

Follow the instruction and spawn a root shell:

(screenshot: root shell)
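The root cause of the last step is a sudoers rule that lets a low-privilege user run `/usr/bin/zip` as root without a password. The following script is an added example, not from the writeup: it parses the command section of `sudo -l` output and flags rules that hand out root through `NOPASSWD`, `ALL`, wildcard arguments, or a binary with a known sudo shell escape. The sample `sudo -l` output is constructed to resemble this box; the `ESCAPE_WATCHLIST` is seeded only with the binary the writeup uses and is meant to be extended from GTFOBins, so every other root-granted command is reported for manual review rather than silently passed.

```python
"""Flag risky rules in `sudo -l` output (defender's review of sudoers grants).

Added example with constructed input; ESCAPE_WATCHLIST holds only this box's
binary and should be extended from the GTFOBins "sudo" category.
"""
import re

# One rule line, e.g. "(root : root) NOPASSWD: /usr/bin/zip" or "(ALL) ALL"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Binaries with a documented sudo shell escape or privileged file write.
ESCAPE_WATCHLIST = {"/usr/bin/zip"}


def parse_sudo_l(output: str) -> list:
    """Return dicts {runas, tags, cmd} for each command in the rule section."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything before this is Defaults noise
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(root : root)" -> root
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas, "tags": tags, "cmd": cmd.strip()})
    return rules


def audit_rules(rules: list) -> list:
    """Return (severity, message) pairs for every rule that grants root-level execution."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        cmd = r["cmd"]
        if cmd == "ALL":
            findings.append(("high", f"{r['runas']}: unrestricted ALL"))
            continue
        binary = cmd.split()[0]
        reasons = []
        if "NOPASSWD" in r["tags"]:
            reasons.append("NOPASSWD removes the password check on the escalation")
        if binary in ESCAPE_WATCHLIST:
            reasons.append("binary has a known sudo shell escape")
        if "*" in cmd:
            reasons.append("wildcard in arguments")
        if reasons:
            findings.append(("high", f"{cmd} as {r['runas']}: " + "; ".join(reasons)))
        else:
            findings.append(("review", f"{cmd} as {r['runas']}: confirm the binary "
                                       f"cannot spawn a shell or write arbitrary files"))
    return findings


# Constructed sample, shaped like the sudo -l output on this box.
SAMPLE_SUDO_L = """\
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
    (root) /usr/bin/apt-get update
"""

if __name__ == "__main__":
    for severity, message in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{severity}] {message}")
```

On a real host, feed it `sudo -l` output collected for each service account; the fix for the flagged rule is to drop the grant or replace it with a purpose-built script that takes no attacker-controlled arguments and runs with a password required.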