[{"data":1,"prerenderedAt":448},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-tomghost-writeup":3,"surround-\u002F2025\u002Ftryhackme-tomghost-writeup":439},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":14,"draft":6,"readingTime":15,"body":20,"_type":432,"_id":433,"_source":434,"_file":435,"_stem":436,"_extension":437,"_original_dir":438},"\u002F2025\u002Ftryhackme-tomghost-writeup","2025",false,"","TryHackMe - Tomghost","A step-by-step walkthrough for the TryHackMe Tomghost room. This write-up covers exploiting the Ghostcat vulnerability (CVE-2020-1938), cracking a PGP private key with John the Ripper, and escalating privileges to root via a sudo misconfiguration with zip.","2025-08-26T07:21:07.000Z","https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002Fthumbnail.jpg",[13],"CTF",true,{"text":16,"minutes":17,"time":18,"words":19},"2 min read",1.545,92700,309,{"type":21,"children":22,"toc":425},"root",[23,29,45,52,56,60,66,125,179,183,188,192,197,201,222,226,247,251,264,268,272,299,303,307,320,324,328,341,345,351,369,373,394,398,416,421],{"type":24,"tag":25,"props":26,"children":28},"element","pic",{"src":27},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F1.jpg",[],{"type":24,"tag":30,"props":31,"children":32},"p",{},[33,36],{"type":34,"value":35},"text","Target IP: 
",{"type":24,"tag":37,"props":38,"children":42},"a",{"href":39,"rel":40},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Ftomghost",[41],"nofollow",[43],{"type":34,"value":44},"10.10.130.231",{"type":24,"tag":46,"props":47,"children":49},"h2",{"id":48},"reconnaissance",[50],{"type":34,"value":51},"Reconnaissance",{"type":24,"tag":25,"props":53,"children":55},{"src":54},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F2.jpg",[],{"type":24,"tag":25,"props":57,"children":59},{"src":58},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F3.jpg",[],{"type":24,"tag":46,"props":61,"children":63},{"id":62},"initial-access",[64],{"type":34,"value":65},"Initial Access",{"type":24,"tag":30,"props":67,"children":68},{},[69,71,81,83,90,92,98,100,107,109,115,117,123],{"type":34,"value":70},"As can be seen, our ",{"type":24,"tag":72,"props":73,"children":78},"code",{"className":74,"id":76,"style":77},[75],"example-info","just-like-this","color: #4DFFBE",[79],{"type":34,"value":80},"Apache Tomcat 9.0.30",{"type":34,"value":82}," service is running. And ",{"type":24,"tag":72,"props":84,"children":87},{"className":85,"id":76,"style":86},[75],"color: #efb11d",[88],{"type":34,"value":89},"Apache Jserv v1.3",{"type":34,"value":91}," is running on port ",{"type":24,"tag":72,"props":93,"children":95},{"className":94},[],[96],{"type":34,"value":97},"8009",{"type":34,"value":99},". When we perform a simple exploit scan via Google, we find the ",{"type":24,"tag":37,"props":101,"children":104},{"href":102,"rel":103},"https:\u002F\u002Fwww.exploit-db.com\u002Fexploits\u002F49039",[41],[105],{"type":34,"value":106},"CVE-2020-1938",{"type":34,"value":108}," exploit for ",{"type":24,"tag":72,"props":110,"children":112},{"className":111},[],[113],{"type":34,"value":114},"Tomcat 9.0.30",{"type":34,"value":116},". We also see that it is available in a Metasploit module. 
Let's enter our framework using ",{"type":24,"tag":72,"props":118,"children":120},{"className":119},[],[121],{"type":34,"value":122},"msfconsole",{"type":34,"value":124}," and search for the vulnerability.",{"type":24,"tag":126,"props":127,"children":129},"alert",{"type":128},"info",[130,139],{"type":24,"tag":131,"props":132,"children":133},"template",{"v-slot:title":7},[134],{"type":24,"tag":30,"props":135,"children":136},{},[137],{"type":34,"value":138},"What was the problem?",{"type":24,"tag":30,"props":140,"children":141},{},[142,144,151,153,160,162,169,170,177],{"type":34,"value":143},"The main issue stems from the Apache JServ Protocol (AJP) connector being enabled by default and typically configured in an insecure manner on port 8009. [",{"type":24,"tag":37,"props":145,"children":148},{"href":146,"rel":147},"https:\u002F\u002Fwww.blackduck.com\u002Fblog\u002Fghostcat-vulnerability-cve-2020-1938.html",[41],[149],{"type":34,"value":150},"1",{"type":34,"value":152},"] [",{"type":24,"tag":37,"props":154,"children":157},{"href":155,"rel":156},"https:\u002F\u002Fmedium.com\u002F@sushantkamble\u002Fapache-ghostcat-cve-2020-1938-explanation-and-walkthrough-23a9a1ae4a23",[41],[158],{"type":34,"value":159},"2",{"type":34,"value":161},"] Since Tomcat trusts AJP connections more than HTTP connections, an unauthenticated attacker could exploit this trust to send unauthorised 
requests.[",{"type":24,"tag":37,"props":163,"children":166},{"href":164,"rel":165},"https:\u002F\u002Fwww.cve.org\u002FCVERecord?id=CVE-2020-1938",[41],[167],{"type":34,"value":168},"3",{"type":34,"value":152},{"type":24,"tag":37,"props":171,"children":174},{"href":172,"rel":173},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002Fcve-2020-1938",[41],[175],{"type":34,"value":176},"4",{"type":34,"value":178},"]",{"type":24,"tag":25,"props":180,"children":182},{"src":181},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F4.jpg",[],{"type":24,"tag":30,"props":184,"children":185},{},[186],{"type":34,"value":187},"Now let's make the necessary configurations.",{"type":24,"tag":25,"props":189,"children":191},{"src":190},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F5.jpg",[],{"type":24,"tag":30,"props":193,"children":194},{},[195],{"type":34,"value":196},"Now let's run the exploit.",{"type":24,"tag":25,"props":198,"children":200},{"src":199},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F6.jpg",[],{"type":24,"tag":30,"props":202,"children":203},{},[204,206,212,214,220],{"type":34,"value":205},"From the response, we obtain the pair ",{"type":24,"tag":72,"props":207,"children":209},{"className":208,"id":76,"style":77},[75],[210],{"type":34,"value":211},"skyfuck:8730281lkjlkjdqlksalks",{"type":34,"value":213},". 
Now let's try to log in using ",{"type":24,"tag":72,"props":215,"children":217},{"className":216},[],[218],{"type":34,"value":219},"ssh",{"type":34,"value":221}," with this information.",{"type":24,"tag":25,"props":223,"children":225},{"src":224},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F7.jpg",[],{"type":24,"tag":30,"props":227,"children":228},{},[229,231,237,239,245],{"type":34,"value":230},"While browsing around, we come across the files ",{"type":24,"tag":72,"props":232,"children":234},{"className":233},[],[235],{"type":34,"value":236},"credential.pgp",{"type":34,"value":238}," and ",{"type":24,"tag":72,"props":240,"children":242},{"className":241},[],[243],{"type":34,"value":244},"tryhackme.asc",{"type":34,"value":246},".",{"type":24,"tag":25,"props":248,"children":250},{"src":249},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F8.jpg",[],{"type":24,"tag":30,"props":252,"children":253},{},[254,256,262],{"type":34,"value":255},"We have one encrypted file and the key to open it. Now let's import the key with ",{"type":24,"tag":72,"props":257,"children":259},{"className":258},[],[260],{"type":34,"value":261},"gpg --import tryhackme.asc",{"type":34,"value":263}," and then open the file.",{"type":24,"tag":25,"props":265,"children":267},{"src":266},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F9.jpg",[],{"type":24,"tag":25,"props":269,"children":271},{"src":270},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F10.jpg",[],{"type":24,"tag":30,"props":273,"children":274},{},[275,277,282,284,290,292,298],{"type":34,"value":276},"As you can see, the key is encrypted. 
We can find the password using brute force.\nFirst, copy the contents of ",{"type":24,"tag":72,"props":278,"children":280},{"className":279},[],[281],{"type":34,"value":244},{"type":34,"value":283}," to your device. Then convert it to a hash format that john can understand using ",{"type":24,"tag":72,"props":285,"children":287},{"className":286},[],[288],{"type":34,"value":289},"gpg2john",{"type":34,"value":291},". Then crack it with ",{"type":24,"tag":72,"props":293,"children":295},{"className":294},[],[296],{"type":34,"value":297},"john",{"type":34,"value":246},{"type":24,"tag":25,"props":300,"children":302},{"src":301},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F11.jpg",[],{"type":24,"tag":25,"props":304,"children":306},{"src":305},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F12.jpg",[],{"type":24,"tag":30,"props":308,"children":309},{},[310,312,318],{"type":34,"value":311},"Now let's open the encrypted file using the ",{"type":24,"tag":72,"props":313,"children":315},{"className":314,"id":76,"style":77},[75],[316],{"type":34,"value":317},"alexandru",{"type":34,"value":319}," password we found.",{"type":24,"tag":25,"props":321,"children":323},{"src":322},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F13.jpg",[],{"type":24,"tag":25,"props":325,"children":327},{"src":326},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F14.jpg",[],{"type":24,"tag":30,"props":329,"children":330},{},[331,333,339],{"type":34,"value":332},"And we got the pair ",{"type":24,"tag":72,"props":334,"children":336},{"className":335,"id":76,"style":77},[75],[337],{"type":34,"value":338},"merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j",{"type":34,"value":340},". 
Now let's connect to ssh as merlin.",{"type":24,"tag":25,"props":342,"children":344},{"src":343},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F15.jpg",[],{"type":24,"tag":46,"props":346,"children":348},{"id":347},"privilege-escalation",[349],{"type":34,"value":350},"Privilege Escalation",{"type":24,"tag":30,"props":352,"children":353},{},[354,356,367],{"type":34,"value":355},"Now, let's run the ",{"type":24,"tag":37,"props":357,"children":360},{"href":358,"rel":359},"https:\u002F\u002Fgithub.com\u002Fpeass-ng\u002FPEASS-ng\u002Ftree\u002Fmaster\u002FlinPEAS",[41],[361],{"type":24,"tag":72,"props":362,"children":364},{"className":363},[],[365],{"type":34,"value":366},"linpeas.sh",{"type":34,"value":368}," script on the target device to look for privilege escalation vectors. (I placed the script on my Apache server and downloaded it to the target device.)",{"type":24,"tag":25,"props":370,"children":372},{"src":371},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F16.jpg",[],{"type":24,"tag":30,"props":374,"children":375},{},[376,378,384,386,392],{"type":34,"value":377},"We observed that the user ",{"type":24,"tag":72,"props":379,"children":381},{"className":380,"id":76,"style":77},[75],[382],{"type":34,"value":383},"merlin",{"type":34,"value":385}," was able to run the ",{"type":24,"tag":72,"props":387,"children":389},{"className":388,"id":76,"style":86},[75],[390],{"type":34,"value":391},"\u002Fusr\u002Fbin\u002Fzip",{"type":34,"value":393}," binary with sudo privileges without entering a password.",{"type":24,"tag":25,"props":395,"children":397},{"src":396},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F17.jpg",[],{"type":24,"tag":30,"props":399,"children":400},{},[401,403,414],{"type":34,"value":402},"So, we can become root by entering a pre-set command. 
You can access these pre-set commands via ",{"type":24,"tag":37,"props":404,"children":407},{"href":405,"rel":406},"https:\u002F\u002Fgtfobins.github.io\u002Fgtfobins\u002Fzip\u002F",[41],[408],{"type":24,"tag":72,"props":409,"children":411},{"className":410},[],[412],{"type":34,"value":413},"GTFOBins",{"type":34,"value":415}," (in our case the sudo entry, since our vulnerability is a sudo misconfiguration). Now let's elevate our privileges.",{"type":24,"tag":417,"props":418,"children":420},"copy",{"code":419},"TF=$(mktemp -u)\nsudo zip $TF \u002Fetc\u002Fhosts -T -TT 'sh #'\nsudo rm $TF",[],{"type":24,"tag":25,"props":422,"children":424},{"src":423},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-tomghost-writeup\u002F18.jpg",[],{"title":7,"searchDepth":426,"depth":426,"links":427},4,[428,430,431],{"id":48,"depth":429,"text":51},2,{"id":62,"depth":429,"text":65},{"id":347,"depth":429,"text":350},"markdown","content:posts:2025:tryhackme-tomghost-writeup.md","content","posts\u002F2025\u002Ftryhackme-tomghost-writeup.md","posts\u002F2025\u002Ftryhackme-tomghost-writeup","md","\u002Fposts",[440,444],{"_path":441,"title":442,"date":443},"\u002F2025\u002Ftryhackme-ignite-writeup","TryHackMe - Ignite","2025-08-25T14:27:41.000Z",{"_path":445,"title":446,"date":447},"\u002F2025\u002Ftryhackme-bruteit-writeup","TryHackMe - Brute It","2025-08-26T13:49:07.000Z",1777022958201]