TryHackMe - tomghost (Easy)


Using Ghostcat, we get a credential that helps us get a low-level user shell through SSH. In the home directory, we find a PGP-encrypted credential file and a PGP private key. Here we crack the PGP password using John and get a credential that belongs to a user with slightly higher privilege.
In the privilege escalation phase, sudo -l shows that we are able to run /usr/bin/zip as root. We easily get a root shell using a privesc payload from GTFOBins.


  • RHOST:
  • LHOST:




The box name "tomghost" refers to "Ghostcat" discovered by Chaitin:

User Shell: Ghostcat

Search the keyword "ghostcat" in Metasploit:
Run this exploit module and get a credential:
The credential is skyfuck:8730281lkjlkjdqlksalks. SSH in to get a user shell:
User shell

Lateral Movement: GPG Password Cracking

There are two files in the home directory:
Home directory
Download these files to our attack machine using SCP:
scp [email protected]:\{credential.pgp,tryhackme.asc\} .
# password = 8730281lkjlkjdqlksalks
The idea is to import the PGP private key tryhackme.asc and then decrypt the encrypted PGP message credential.pgp. However, if we try importing the PGP private key, it asks for a password:
Password required
We want to crack the password using John. Reformat the private key:
gpg2john tryhackme.asc > hash.txt
Crack it:
john hash.txt -w=/usr/share/wordlists/rockyou.txt
The password is alexandru:
Import tryhackme.asc and decrypt credential.pgp:
Here we get a credential merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j. SSH in as Merlin:

Privilege Escalation: Sudo zip

sudo -l:
sudo -l
Grab a privesc payload from GTFOBins:
Follow the instruction and spawn a root shell:
root shell