TryHackMe - tomghost (Easy)
{"author" : ["ret2basic"]}

Summary

Using Ghostcat, we get a credential that helps us get a low-level user shell through SSH. In the home directory, we find a PGP-encrypted credential file and a PGP private key. Here we crack the PGP password using John and get a credential that belongs to a user with slightly higher privilege.
In the privilege escalation phase, sudo -l shows that we are able to run /usr/bin/zip as root. We easily get a root shell using a privesc payload from GTFOBins.

IP

    RHOST: 10.10.65.87
    LHOST: 10.13.12.2

Nmap

Nmap

Ghostcat

The box name "tomghost" refers to "Ghostcat" discovered by Chaitin:

User Shell: Ghostcat

Search the keyword "ghostcat" in Metasploit:
search
Run this exploit module and get a credential:
Ghostcat
The credential is skyfuck:8730281lkjlkjdqlksalks. SSH in to get a user shell:
User shell

Lateral Movement: GPG Password Cracking

There are two files in the home directory:
Home directory
Download these files to our attack machine using SCP:
1
scp [email protected]:\{credential.pgp,tryhackme.asc\} .
2
# password = 8730281lkjlkjdqlksalks
Copied!
The idea is to import the PGP private key tryhackme.asc and then decrypt the encrypted PGP message credential.pgp. However, if we try importing the PGP private key, it asks for a password:
Password required
We want to crack the password using John. Reformat the private key:
1
gpg2john tryhackme.asc > hash.txt
Copied!
Crack it:
1
john hash.txt -w=/usr/share/wordlists/rockyou.txt
Copied!
The password is alexandru:
alexandru
Import tryhackme.asc and decrypt credential.pgp:
Decrypted
Here we get a credential merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j. SSH in as Merlin:
Merlin

Privilege Escalation: Sudo zip

sudo -l:
sudo -l
Grab a privesc payload from GTFOBins:
GTFOBins
Follow the instruction and spawn a root shell:
root shell
Last modified 2mo ago