TryHackMe: tomghost

Introduction

Apache Tomcat is an open-source web server that can deploy and run Java-based web applications. In 2020, a vulnerability dubbed GhostCat was discovered that allows attackers to read or include files from the host system. In this room, TryHackMe tomghost, your goal is to use the GhostCat exploit to read files, gain user access, decrypt PGP files, and escalate to root privileges.

Information Gathering

[Screenshot: tomghost tasks]

As always, we use our trusty Nmap tool to scan the ports to see what services are running on this machine.

[Screenshot: Nmap results]

It looks like port 8080 is running the vulnerable Apache Tomcat version 9.0.30.

[Screenshot: Tomcat dashboard]

Exploitation

Tomcat version 9.0.30 has a vulnerability in its handling of the Apache JServ Protocol (AJP). CVE-2020-1938 allows attackers to read and include files on the server because “Tomcat treats AJP connections as having higher trust”.

[Screenshot: Tomcat exploit]

Somebody already wrote an exploit for this vulnerability. After downloading it, we can run the Python script and point it at the web server.

[Screenshot: running the Ghostcat exploit]

We can see here that there is something hosted on /asdf. It’s an XML file with metadata included. There is also something in the description that looks like login credentials.

Post Exploitation

Returning to our Nmap scan, we can see that SSH is open on this machine. Let’s see if we can log into the skyfuck account.

[Screenshot: user.txt]

Changing to Merlin’s home directory, we can find the user.txt flag.

Returning to our home directory, we can see a couple of files called credential.pgp and tryhackme.asc. Using a tool like gpg2john, we can convert tryhackme.asc into a format that can be interpreted by John the Ripper.

[Screenshot: cracked .asc and pgp]

Using John the Ripper in combination with the rockyou.txt dictionary file, we can run a dictionary attack to recover the password for the .asc file.

[Screenshot: decrypting PGP]

Using gpg, import the tryhackme.asc file and enter the password alexandru. It looks like it is an OpenPGP secret key for stuxnet@tryhackme.com.

[Screenshot: PGP contents]

We can then decrypt the credential.pgp file and see Merlin’s login information.

[Screenshot: privilege escalation]

After logging into Merlin’s account, we still do not have root access to the system. However, after running sudo -l, we can see that Merlin can run the zip command with root permissions.

Using GTFOBins, we can see that this binary, when allowed to run as superuser, does not drop its elevated privileges and can be used to gain escalated access to the system.

[Screenshot: GTFOBins results]

Finally, we run the command, which makes us the root user.

[Screenshot: root.txt]

We can finally navigate to the root directory and read out the root.txt flag.

Conclusion

In conclusion, these exploits only existed because the software inherently trusted AJP connections. Software developers need to be cautious about when to trust anything involving inputs, as they may be compromised.
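From the defender's side, the AJP trust issue described above can be checked in Tomcat's server.xml. The following is an added example, not code from this write-up or from the Tomcat project: it flags AJP connectors that run on a 9.0.x build older than 9.0.31, listen beyond loopback, or have no shared secret. The two server.xml samples are constructed, and only the 9.0.x release line is modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an AJP connector enabled with no address or secret set.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: the same connector bound to loopback with a shared secret.
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace(
    'protocol="AJP/1.3"',
    'protocol="AJP/1.3" address="127.0.0.1" secret="CHANGE_ME_PLACEHOLDER"',
)

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
FIXED_IN = (9, 0, 31)  # first 9.0.x release with the Ghostcat fix


def audit_ajp(server_xml, version):
    """Return a list of findings for each AJP connector in server.xml.

    version is a (major, minor, patch) tuple; only the 9.0.x line is modelled.
    """
    patched = version >= FIXED_IN
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # protocol may be "AJP/1.3" or a class name such as ...ajp.AjpNioProtocol
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        port = conn.get("port", "?")
        if not patched:
            findings.append(f"port {port}: upgrade Tomcat, CVE-2020-1938 unfixed")
        # Before 9.0.31 the connector listened on all interfaces by default.
        address = conn.get("address", "127.0.0.1" if patched else "0.0.0.0")
        if address not in LOOPBACK:
            findings.append(f"port {port}: AJP reachable on {address}")
        # "secret" is only understood from 9.0.31; older builds use requiredSecret.
        secret = conn.get("requiredSecret") or (conn.get("secret") if patched else None)
        if not secret:
            findings.append(f"port {port}: no shared secret on AJP connector")
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp(xml, (9, 0, 30)), audit_ajp(xml, (9, 0, 31)))
```

If the AJP connector is not needed at all, removing or commenting out its `<Connector>` element leaves nothing for the audit to flag.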

[Screenshot: task solutions]