Ghost Tom Box on TryHackMe.com

Cyb0rgBytes
Aug 22, 2023

In every penetration testing engagement we start with reconnaissance, so let's start with our favorite tool, “nmap”.

Scanning with Nmap to Check for Vulnerabilities and Open Ports.

Later, after digging in, I searched for Jserv Ghostcat; after that I managed to find an auxiliary module that reads a file.

Using Metasploit to read the file.

I managed to find the password for a user called sky***. Let's log in over SSH and check if the credentials are valid.

First, we have to convert the GPG to readable text so we can later crack it successfully.

Cracking the GPG Hash.

Second, we import the GPG hash with gpg as the sky*** user.

Decrypting and Acquiring User Merlin’s Password.

Later we manage to log in as the merlin user with the credential found, and next we type sudo -l to see what the user can run on the box.

We can see that /usr/bin/zip can be run with sudo on the merlin box, so let's go to GTFOBins to see the commands needed for root.

Getting root & Wrapping up the Session.
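
A defender's view of the sudo step above, as an added example that is not part of the original write-up: a Python check that parses `sudo -l` output and flags rules granting binaries that can spawn a shell under sudo. The sample output, the host name `box` and the `ESCAPE_CAPABLE` subset are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Assumption: a small hand-picked subset of binaries that GTFOBins lists as
# able to run arbitrary commands when invoked through sudo.
ESCAPE_CAPABLE = {"zip", "tar", "vim", "find", "less", "awk", "nmap", "python3"}

# Constructed sample of `sudo -l` output; the host name "box" is made up.
SAMPLE = """\
Matching Defaults entries for merlin on box:
    env_reset, mail_badpass

User merlin may run the following commands on box:
    (root : root) NOPASSWD: /usr/bin/zip
    (root) /usr/bin/uptime, /usr/bin/less /var/log/syslog
"""

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^(?P<tag>[A-Z_]+):\s*")  # NOPASSWD:, SETENV:, ...


def audit_sudo_listing(text):
    """Return (runas, command, tags, reason) for each risky sudo rule."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # rule lines only follow this header
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        tags = []
        for cmd in (c.strip() for c in m.group("rest").split(",")):
            while (t := TAG.match(cmd)):  # tags may precede any command
                tags.append(t.group("tag"))
                cmd = cmd[t.end():]
            if cmd == "ALL":
                findings.append((m.group("runas"), cmd, list(tags), "unrestricted"))
            elif PurePosixPath(cmd.split()[0]).name in ESCAPE_CAPABLE:
                # Fixed arguments do not help when the tool has its own
                # command-execution feature, so match on the binary name.
                findings.append((m.group("runas"), cmd, list(tags), "escape-capable"))
    return findings


if __name__ == "__main__":
    for runas, cmd, tags, why in audit_sudo_listing(SAMPLE):
        print(f"[{why}] runas=({runas}) tags={tags} cmd={cmd}")
```

Any rule it reports is a candidate for removal or for replacement with a wrapper script that performs only the one task the user needs.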

Bingo, root is achieved. Until the next one!
