TryHackMe-TomGhost Writeup(CVE 2020–1938)

This room covers a latest Tomcat Exploit called Ghostcat (CVE 2020–1938).We decrypt PGP and ASC keys and privilege escalate through ZIP.

ENUMERATION

Port 22,53,8009 and 8080 are open.On port 8080 we find apache Tomcat's default page.Now from here we generally should had tried going to Manager App and Uploading a Malicious WAR file which would lead to Remote Code Execution.Just like we do in Wordpress or Jenkins.However we dont have the permission to do so here.

We can see The version as 9.0.30 also on port 8009 a service called apache jserv protocol v1.3 is running.If we Google, This leads us to a recently found exploit called Ghostcat.

https://www.exploit-db.com/exploits/48143

If the AJP port is exposed, Tomcat might be susceptible to the Ghostcat vulnerability.Ghostcat is a LFI vulnerability, but somewhat restricted: only files from a certain path can be pulled. Still, this can include files like WEB-INF/web.xml which can leak important information like credentials for the Tomcat interface, depending on the server setup.

For More Information Refer

we run the exploit and it gives us an output which looks like a username and password.Since we don’t have a login page, lets SSH into the user and indeed it works.

We run ls command and find two files namely- credentials.pgp and tryhackme.asc .Moreover if you cat the bash_history, we see that the user was trying to download both the files.The PGP file seems encrypted.Lets transfer both in our machine(kali) and try decrypting it.

We use SCP to transfer files to our system.You could alsy try it using SimpleHttpServer of python.

CRACKING PGP & ASC

Now its time to deal with both the files.I was not aware of ASC and PGP either so do google more about it and google how to crack/decrypt PGP file.We come across some youtube videos which shows that it can be done using john and we also come across this blog which shows that it can be done using gpg2john.Basically in order to read a PGP file, we need a password.This password is located in the ASC file.And we can crack the ASC file using gpg2john and on the output we run john normally to crack the password.

As it can be seen above, we save the output in a file called ”output” and then crack the password using rockyou.txt.The password we get is: alexandru

Now we have to import the ASC file using the following command.When it asks for a password, we enter alexandru

Finally we decrypt the GPG file and run the command below.After which it asks for password and we enter alexandru again.

And we get a username: merlin and a long password.Lets SSH again as this new user called merlin

PRIVILEGE ESCALATION

Running sudo -l shows us all commands we can run as root user.We find that we can run zip as root user.Lets go to gtfo bins and search-zip and since we have sudo permissions on zip therefore we go with the sudo option of zip

Running the commands gives us Root ! I hope you learned something from this article and came across a latest CVE called Ghostcat which many pentesters are finding in real world pentests as well.Make sure to follow me here on Medium for more such ctf writeups and articles -ZEUS

Love podcasts or audiobooks? Learn on the go with our new app.