Reconnaissance
To begin our penetration test, we’ll run an Nmap scan to identify the open ports and the services running on the target machine.
Exploiting Tomcat
After identifying the Tomcat version, let’s see if it’s vulnerable. Looking for known exploits, we stumble upon a CVE (Common Vulnerabilities and Exposures) entry describing a file read/inclusion vulnerability.
Running a script found on GitHub, we find credentials hidden in the WEB-INF/web.xml file.
Trying these credentials over SSH, we get ourselves a shell.
In the files of the home directory, we find an encrypted pgp file and its private key.
Decrypting PGP Files
To recover the passphrase, we’ll use the “gpg2john” tool to turn the PGP private key into a hash that John the Ripper understands.
Then we’ll use John the Ripper to crack the passphrase.
Upon obtaining the passphrase, we successfully decrypted the PGP file, revealing additional credentials.
Using the newly discovered credentials, we’ll establish another SSH connection to the target machine as merlin. Here we find the “user.txt” flag.
Privilege Escalation
To further elevate our privileges, we’ll look for any privileged commands we can run with “sudo -l”. To our delight, we find that the “zip” command can be executed with root privileges.
We can exploit this by leveraging a technique documented on “GTFOBins,” a resource for privilege escalation techniques. Using the code provided by them, we can now run commands as root.
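A defender’s counterpart to this step, added here and not part of the original writeup: a small audit that parses sudoers-style rules (what an admin sees in /etc/sudoers and what “sudo -l” reports) and flags any rule that lets a user run a shell-escape-capable binary such as zip as root. The sample rules, the rule regex and the SHELL_ESCAPE_BINARIES set are constructed assumptions, not taken from the room.

```python
import re
from typing import NamedTuple, List

# Constructed sample of sudoers rules (not from the page). The "merlin" line
# reproduces the misconfiguration the writeup abuses: zip runnable as root.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
backup  ALL=(root) /usr/bin/rsync
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# Binaries documented on GTFOBins as able to spawn commands when run with
# elevated privileges. Only zip comes from the page; extend to your baseline.
SHELL_ESCAPE_BINARIES = {"zip"}

# user host=(runas) [TAG: ...] command[, command]   (runas part is optional)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

class Finding(NamedTuple):
    user: str
    command: str
    nopasswd: bool

def audit_sudoers(text: str) -> List[Finding]:
    """Return one Finding per rule granting a shell-escape-capable binary
    as root (or as ALL); NOPASSWD rules are the worst case."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip()  # sudo default
        if runas not in ("ALL", "root"):
            continue                               # runs as an unprivileged user
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            parts = cmd.split()
            if parts and parts[0].rsplit("/", 1)[-1] in SHELL_ESCAPE_BINARIES:
                findings.append(Finding(m.group("who"), cmd, nopasswd))
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.user}: {f.command} (NOPASSWD={f.nopasswd})")
```

The same parser can be pointed at captured “sudo -l” output or at files under /etc/sudoers.d/ as part of a hardening baseline.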
Traversing to the root directory, we find the “root.txt” flag and complete the TryHackMe room!