Tomghost THM
Nmap initial
Nmap Full Scan
Nothing interesting beyond what the initial scan found.
Ports
22: SSH
53: DNS
8009: AJP13 (Apache JServ)
8080: HTTP (Apache Tomcat 9.0.30)
Port 8080 HTTP
When we navigate to port 8080 we are greeted with what looks like the default Apache Tomcat home page.
Since we know the version, let's see if we can hunt down an exploit.
It seems that this Apache Tomcat version is vulnerable to CVE-2020-1938 (Ghostcat).
This is a file read/inclusion vulnerability in the AJP connector (port 8009) of Apache Tomcat. A remote, unauthenticated attacker can exploit it to read the web application's configuration files. Where file upload is allowed, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger the vulnerability to gain remote code execution (RCE).
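Since the writeup only shows the connector being exploited, here is the check a defender would run against Tomcat's server.xml to see whether an AJP connector is exposed the way CVE-2020-1938 needs (listening on every interface with no shared secret). This is an added example, not code from the writeup or from the exploit repo; both server.xml fragments are constructed samples and the secret value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a stock Tomcat 9.0.30 server.xml: the AJP
# connector is enabled, bound to every interface and has no shared secret.
VULNERABLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed hardened version: loopback-only plus a shared secret
# (placeholder value; use a long random string in a real deployment).
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-RANDOM-SECRET" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector: its port and a list of issues."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Connectors without a protocol attribute default to HTTP/1.1.
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        issues = []
        # No address means Tomcat listens on all interfaces, so any host that
        # can reach port 8009 can speak AJP directly to the container.
        if conn.get("address") not in LOOPBACK:
            issues.append("not bound to loopback")
        # Tomcat enforces the shared secret whenever one is set; the attribute
        # was called requiredSecret before 9.0.31 and secret from then on.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            issues.append("no shared secret configured")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings
```

Running `audit_ajp_connectors` on the first sample reports both issues for port 8009; on the hardened sample the connector is still listed but with an empty issue list.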
We can use the following repo to exploit this vulnerability:
Within the repo we have CVE-2020-1938.py; to exploit Apache we run the script against the server.
We can now read the web conf file; looks like we have a username and password.
Let's see if we can SSH in.
It works!
id
Nothing interesting.
sudo privileges
Nothing interesting.
Within skyfuck's home directory, though, we do find some interesting files:
credential.pgp
tryhackme.asc
Let's download the files and enumerate them further.
Download them to the local host.
What we can do is brute force the passphrase of tryhackme.asc; to do this we first need to convert the file to a hash using gpg2john.
Now we can brute force the hash and retrieve the password.
We now have the password:
alexandru
Now back to the remote host.
We need to import the key and then decrypt the PGP file with it.
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
Awesome, we have Merlin's password. Let's switch users to merlin.
Let's check our sudo privileges.
Looks like we can run the zip command with elevated privileges and no password. We can check out GTFOBins for this binary.
We are now root!