Identify recent vulnerabilities to try to exploit the system or read files that you should not have access to.
Looks like we have SSH, a tcpwrapped port, Apache JServ (AJP) version 1.3 and a web server on 8080. We're running Linux version 2.13.
Hitting that web server brings us to the default install page for Apache Tomcat 9.0.30. Running gobuster we only see the usual Tomcat paths, and we're unable to access the /manager folder, as we would need to edit the Host Manager's context.xml file to change that.
Looking into this we see that there's a known vulnerability in AJP, located here. There's also a site (https://book.hacktricks.xyz/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp) that gives us some steps to try too.
The exploit needs a bit of work, as it's an older bug and the script needs some tweaking for Python 3. First, the 'bufsize' argument has been renamed to 'buffering'. Then we also need to fix the join method by adding a 'b' in front of the quotes, since it joins bytes rather than strings. Once we make those changes, the script runs pretty much out of the box.
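A defender's counterpart to the AJP exposure above, as an added example that is not part of the room or this writeup: audit a Tomcat server.xml for AJP connectors that are reachable from every interface or run without a shared secret. The server.xml fragment is constructed; the attribute names (address, secretRequired, secret) are Tomcat's own, and the pre-9.0.31 defaults assumed for them are marked in the comments.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment with an AJP connector left at its old defaults
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Hardened variant of the same connector (constructed): loopback only, shared secret set
HARDENED_AJP = ('<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" '
                'secretRequired="true" secret="CHANGE-ME-PLACEHOLDER"/>')

ALL_INTERFACES = {"0.0.0.0", "::", "::0"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector; an empty 'issues' list means it passes."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue  # plain HTTP connectors are out of scope for this check
        # Assumption: before Tomcat 9.0.31 an AJP connector with no 'address'
        # bound to every interface and 'secretRequired' defaulted to false.
        address = conn.get("address", "0.0.0.0")
        secret_required = conn.get("secretRequired", "false").lower() == "true"
        secret = conn.get("secret", "")
        issues = []
        if address in ALL_INTERFACES:
            issues.append('reachable on all interfaces; set address="127.0.0.1" '
                          'or remove the connector if no reverse proxy uses it')
        if not (secret_required and secret):
            issues.append('no shared secret; set secretRequired="true" plus a secret '
                          '(the default from 9.0.31 on), or upgrade past 9.0.30')
        findings.append({"port": int(conn.get("port", "8009")),
                         "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP/{f['port']} on {f['address']}: {'FAIL' if f['issues'] else 'OK'}")
        for issue in f["issues"]:
            print("  -", issue)
```

Point it at a real $CATALINA_BASE/conf/server.xml by reading the file into a string and passing it to audit_ajp_connectors.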
Looks like a username and a password!
Looks like we have some stuff to elevate but let's not get too far ahead of ourselves. Let's get that user flag.
user.txt is THM{GhostCat_1s_so_cr4sy}
We jump back to skyfuck's profile and import that .asc file. Trying to decrypt the file, we need a passphrase. I had to look at the writeup, which made me sad 'cause I should have known how to do all this.
So we copy this over to my local machine with scp:
scp skyfuck@10.10.144.246:/home/skyfuck/* .
then convert the key into a john-compatible hash using
gpg2john tryhackme.asc > hash.txt
and crack the passphrase with john:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
We can now decrypt the file.
Looks like another hash, but this time for merlin's account. Well, it turns out that's not a hash but an actual password. We were able to su to merlin's account with it. Merlin is able to run zip with sudo, so we check GTFOBins and use that to get root and read the flag.
The root.txt file is THM{Z1P_1S_FAKE}