CVE-2020-1938
This room is basic and asks for two flags: user.txt and root.txt.
Enumerating the box
We have ports 22, 53, 8009, and 8080 open.
Port 8080 is showing Apache Tomcat. Let's navigate to the page.
Looks like we are running Apache Tomcat 9.0.30.
From here we launch Metasploit and search for Apache, Tomcat, and Jserv (the service reported on port 8009).
Looks like our Jserv search turns up a useful auxiliary module.
Let's set the options and run.
Our response seems to give us a username and password!
Testing those credentials against SSH, and we are in the user account!
We have two files listed:
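As an added, defensive example that is not part of the original writeup: a small Python check that audits a Tomcat server.xml for AJP connectors configured the way Ghostcat (CVE-2020-1938) needs, reachable beyond loopback and without a shared secret. The sample server.xml is constructed here; the Connector attribute names (address, secret, secretRequired, and the older requiredSecret) are Tomcat's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the room): one AJP connector in the
# pre-9.0.31 default shape, one hardened the way the Tomcat fix recommends.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-RANDOM-SECRET"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector: its port and the hardening it lacks.

    Mitigation guidance for CVE-2020-1938: remove the AJP connector if unused;
    otherwise bind it to loopback and require a shared secret. A connector with
    an empty issues list is considered hardened.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        # Matches both "AJP/1.3" and explicit class names such as AjpNioProtocol.
        if "ajp" not in proto.lower():
            continue
        issues = []
        if conn.get("address") not in LOOPBACK:
            issues.append("reachable beyond loopback (address missing or non-local)")
        # secretRequired defaults to true from 9.0.31 onward; flag an explicit opt-out.
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired explicitly set to false")
        # 'requiredSecret' is the attribute name used before the 9.0.31 rename.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            issues.append("no shared secret configured")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


def exposed_ports(server_xml: str) -> list:
    """Ports of AJP connectors that still have at least one open issue."""
    return [f["port"] for f in audit_ajp_connectors(server_xml) if f["issues"]]


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f["port"], "OK" if not f["issues"] else "; ".join(f["issues"]))
```

Run it against a real /conf/server.xml by reading the file into a string and passing it to audit_ajp_connectors; a non-empty issues list on a port that is not firewalled is the configuration the room abuses.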
- credential.pgp
- tryhackme.asc
The second file appears to be an ssh key
Searching the box, we come across our first key in a different user's profile.
Going back to our two files, we are going to attempt to run John against the .asc file.
Let's pull the file to our local host.
And we have our username and password!
We use alexandru as the passphrase and we have merlin's password.
Running sudo -l, we see that /usr/bin/zip is what we want to attack for privilege escalation.
Navigating to GTFOBins, we come across this: https://gtfobins.github.io/gtfobins/zip/
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
Running these commands gives us root!
Searching the root directory, we find root.txt!