Introduction
Apache Tomcat is an open-source web server that can deploy and run Java-based web applications. In 2020 a vulnerability dubbed GhostCat was discovered, allowing attackers to read or include files from the host system. In this room, TryHackMe tomghost, your goal is to use the GhostCat exploit to read files, gain user access, decrypt PGP files, and escalate to root privileges.
Information Gathering
As always, we use our trusty Nmap tool to scan the ports to see what services are running on this machine.
It looks like port 8080 is running the vulnerable Apache Tomcat version 9.0.30.
Exploitation
Tomcat version 9.0.30 has a vulnerability in its Apache JServ Protocol (AJP) connector. CVE-2020-1938 lets an attacker read and include files on the server because “Tomcat treats AJP connections as having higher trust”.
Somebody already wrote an exploit for this vulnerability. After downloading it, we can run the Python script and point it at the web server.
We can see here that there is something hosted on /asdf. It’s an XML file with metadata included, and something in the description looks like login credentials.
Post Exploitation
Returning to our Nmap scan, we can see that SSH is open on this machine. Let’s see if we can log into the skyfuck account.
Changing to Merlin’s home directory, we can find the user.txt flag.
Returning to our home directory, we can see a couple of files called credential.pgp and tryhackme.asc. Using a tool like gpg2john we can convert tryhackme.asc into a format that John the Ripper can interpret.
With John the Ripper and the rockyou.txt wordlist, we can dictionary brute-force the passphrase protecting the .asc file.
Using gpg, import the tryhackme.asc file and enter the password alexandru. It looks like it is an OpenPGP secret key for [email protected]
We can then decrypt the credential.pgp file and see Merlin’s login information.
After logging into Merlin’s account we still do not have root access. However, running sudo -l shows that Merlin is allowed to run the zip command as root.
Looking up zip on GTFOBins shows how this binary can be used to spawn a shell with superuser privileges.
Finally, we run the command, which gives us a root shell.
We can finally navigate to the root directory and read out the root.txt flag.
Conclusion
In conclusion, these exploits only existed because the software inherently trusted connections arriving over AJP. Software developers must be careful about when to trust any input, as it may be attacker-controlled.