Tomghost — TryHackMe Walkthrough

Advait Jadhav
4 min read · Mar 18, 2024


Tomcat

Hello! Today I’ll be solving the ‘Tomghost’ room on TryHackMe. This room is vulnerable to CVE-2020-1938, a file read/inclusion vulnerability in Tomcat’s AJP connector.

Room Link: https://tryhackme.com/room/tomghost

Let’s get started.

First, let’s add the target IP to /etc/hosts (as ghost.thm, which is the name used in the commands below).

/etc/hosts

Step 0: Reconnaissance

Let’s start off by scanning for open ports on the target machine using Nmap (Network Mapper).

sudo nmap -sC -sV -oN logs/initial_nmap ghost.thm
  1. -sC — run the default set of NSE scripts against the target host.
  2. -sV — enable service version detection.
  3. -oN — save the output in normal (human-readable) format.
nmap scan

Brief:

  1. 22/tcp — SSH (Secure Shell) — used for secure remote access to systems; we’ll need a valid SSH username and password to get onto the target machine.
  2. 8009/tcp — Apache JServ Protocol (AJP) — AJP is a binary wire protocol, an optimized version of HTTP that lets a standalone web server such as Apache httpd talk to Tomcat.
  3. 8080/tcp — HTTP — an Apache Tomcat server.

Step 1: Exploring the Web server

Let’s fire up the browser and check the website.

Default Tomcat page

It’s the default Tomcat page, and the version is 9.0.30. Let’s check whether there are any known exploits for this version.

CVE-2020-1938

Found one! It’s CVE-2020-1938.

CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. A remote, unauthenticated attacker who can reach the AJP port could exploit this vulnerability to read web application files from a vulnerable server.

source code of exploit

By default, the exploit reads the WEB-INF/web.xml file. WEB-INF/web.xml can leak important information such as credentials for the Tomcat interface, depending on the server setup.
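As an added, defensive example that is not part of the original walkthrough: a small Python audit of a Tomcat server.xml for the AJP connector settings that CVE-2020-1938 depends on, run over two constructed sample configs (the secret value is a placeholder). It flags a connector that listens on all interfaces or has no shared secret, which is exactly what Tomcat 9.0.31 changed the defaults to prevent.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the Tomghost machine's config): the pre-9.0.31 style
# AJP connector, listening on every interface with no shared secret.
EXPOSED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# The same file after mitigation: loopback only, plus a required shared secret.
# The secret value is a placeholder, not a real one.
HARDENED_SERVER_XML = EXPOSED_SERVER_XML.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>',
    '<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" '
    'secretRequired="true" secret="PLACEHOLDER_CHANGE_ME" redirectPort="8443"/>',
)


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector as {"port", "issues"}; empty issues means OK."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # only the AJP connector is affected by CVE-2020-1938
        issues = []
        address = conn.get("address")
        # Tomcat before 9.0.31 (the 9.0.30 seen in this room included) bound AJP
        # to all interfaces when no address was given; later releases default to loopback.
        if address is None or address in ("0.0.0.0", "::"):
            issues.append('AJP not pinned to loopback; set address="127.0.0.1" or remove the connector')
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append('secretRequired="false" lets any client speak AJP without a shared secret')
        elif not conn.get("secret"):
            issues.append("no secret configured; upgrade to >= 9.0.31 and set a secret")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    for label, xml in (("exposed", EXPOSED_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml):
            print(f"{label}: AJP port {finding['port']}: " + ("; ".join(finding["issues"]) or "OK"))
```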

Let’s execute it.

python2 CVE-2020-1938.py ghost.thm -p 8009

The exploit somehow only worked with Python 2.

Seems like we got some credentials. Clearly a case of broken access control.

Step 2: Compromising the system

Let’s try the credentials found in the web.xml file to log into the SSH server.

SSH

We’re in. Let’s check for some flags.

We got a PGP file along with its private key (tryhackme.asc). Let’s decrypt it.

It requires a passphrase. Let’s transfer the files to our attack machine using scp and crack it there.

scp skyfuck@ghost.thm:/home/skyfuck/* artifacts

We’ll use gpg2john to turn the private key into a crackable hash, crack that to recover the passphrase, and then use the passphrase to decrypt the PGP file.

gpg2john tryhackme.asc > hash

Let’s crack it with John the Ripper, using rockyou.txt as our wordlist.

We have the passphrase for the PGP file.

It contains credentials for merlin. Let’s check whether there is a user named merlin in the home directory.

Let’s switch to the merlin user.

su merlin

Easy catch.

Step 3: Privilege Escalation

Let’s check what commands merlin can execute as root using sudo -l.

The zip command can be executed as root without a password. Let’s abuse this configuration to escalate our privileges.

Using the GTFOBins entry for zip, we can get a root shell.

And with that, Tomghost has been successfully pwned!

Conclusion

Tomghost was a fairly easy box, vulnerable to CVE-2020-1938. Some additional knowledge of GPG encryption/decryption is required to crack this box.
