Writeups

tomghost CTF - TryHackMe

Challenge Link

• MACHINE_IP 10.10.195.170

• nmap scan here
• Got the 8009 port open as ajp13 and searched in exploit-db for any exploits
• Found one and got the username and password from it as :

  skyfuck:8730281lkjlkjdqlksalks
  

• In the machine from ssh we found tryhackme.asc and credential.pgp.
• Downloaded into the local machine and used john to crack the tryhackme.asc file with rockyou.txt and password found to be tryhackme:alexandru
• Loaded tryhackme.asc in gpg as gpg --import tryhackme.asc and decrypted the credential.pgp by gpg --decrypt credential.pgp.
• Found merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j and tried switching user in the ssh and VOILA.
• Sucessfullt switched the user and found that this user can run /usr/bin/zip as sudoer and got the exploit from the GTFOBins Zip and escalated the privileges to root.
• Found the root.txt in /root/root.txt

~ ROOM COMPLETED ~

- Learned the use of gpg to encrypt and decrypt the files

- Tip: Look at all the ports and search if the are exploitable