Ghostcat
>sudo nmap 10.10.139.64 -sT -sC -A -Pn -T4
Ports 22, 8009 and 8080 are open.
The name of the lab tipped off what exploit to look for.
Ghostcat attacks the Apache JServ Protocol (AJP) on port 8009 for versions before 9.0.30.
Firing off the exploit from Metasploit dumped the .xml config file for Apache, which had some SSH creds in it.
Used the creds to SSH in and got a user.txt flag in merlin's directory; however, I was user skyfuck, so I imagine I needed to escalate privs to merlin and then root.
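The root cause is an AJP connector that listens beyond loopback and accepts connections without a shared secret. The following is an added example, not part of the original writeup, that audits a Tomcat server.xml for that weak setting; the sample XML is constructed here to mirror the default Tomcat layout and is not the lab's real config.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not the lab's file): one exposed AJP
# connector as shipped by default, one hardened the way newer Tomcat expects.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-secret"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector that is reachable beyond loopback
    or that does not enforce a shared secret."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        issues = []
        # Older Tomcat releases bound AJP to every interface when no address
        # was given, so treat a missing address as 0.0.0.0 (conservative).
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            issues.append(f"bound to {address}, not loopback")
        # A connector with no secret, or with secretRequired explicitly off,
        # accepts any client that can reach the port.
        if not conn.get("secret") or conn.get("secretRequired", "").lower() == "false":
            issues.append("no shared secret enforced")
        if issues:
            findings.append({"port": conn.get("port"), "issues": issues})
    return findings


def audit_file(path: str) -> list:
    """Convenience wrapper for a real server.xml on disk (path is the caller's)."""
    with open(path, encoding="utf-8") as fh:
        return audit_ajp_connectors(fh.read())


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {finding['port']}: {', '.join(finding['issues'])}")
```

On the sample above only the port 8009 connector is reported, with both issues; the loopback-bound, secret-protected connector on 8010 passes.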
In skyfuck's home directory, there is a credential.gpg and a tryhackme.asc.
I needed to use John the Ripper to try and crack the gpg file, but needed a password hash to attempt to crack. Used gpg2john on tryhackme.asc to get one.
First I moved the files to my machine with scp:
>scp skyfuck@10.10.139.64:/home/skyfuck/tryhackme.asc ./tryhackme.asc
>gpg2john tryhackme.asc > hash
Got a password hash.
>john --wordlist=/rockyou.txt hash
Got the password: alexandru
Now to decrypt the gpg file. First import the key from tryhackme.asc, then decrypt:
>gpg --import tryhackme.asc
>gpg -d credential.gpg
Entered the password alexandru.
Got a user and pass for user merlin.
>su merlin (password: <longasspassword>)
>sudo -l
I have access to /usr/bin/zip as sudo with no password.
GTFOBins shows a priv escalation technique for sudo zip.
Easy root. Nice.