tomghost — TryHackMe

Walkthrough

Bat_09
Aug 11, 2022

This machine is built around the Ghostcat vulnerability (CVE-2020-1938) in Apache Tomcat. Let's boot the machine and start with an nmap scan.

sudo nmap -A <IP>

The scan shows four open ports, with HTTP served on 8080. Ghostcat is exploited through Tomcat's AJP connector (port 8009 by default) rather than through the HTTP port, so check that the AJP port is among the open ones before going further. Let's enumerate the web service first.

Port 8080 serves the default Apache Tomcat 9.0.30 landing page, and nothing on it leads to a flag. Looking up that version shows it is vulnerable: Ghostcat affects Tomcat 9.0.0.M1 through 9.0.30 (fixed in 9.0.31) and lets an unauthenticated attacker read any file inside a deployed web application through the AJP connector, including configuration files and source code. A proof of concept is documented here: https://github.com/vulhub/vulhub/blob/master/tomcat/CVE-2020-1938/README.md

Reading the web application's deployment descriptor, WEB-INF/web.xml (the file the linked PoC fetches by default), reveals a set of user credentials stored in cleartext. Let's log in through SSH with them.

That gives us user.txt, which sits in merlin's home directory. Now we need to escalate privileges to get the root flag.

In the other user's home directory there are two files. Let's pull them to our local machine: since we already have SSH credentials, scp works, or start a Python HTTP server in that directory on the target and fetch the files from the attacking machine.

python -m http.server

The .asc file is not a public key but an ASCII-armored PGP private key protected by a passphrase, and credential.pgp is a message encrypted to that key. Extract the passphrase hash with gpg2john, crack it with John the Ripper and a wordlist, then import the key with gpg and decrypt credential.pgp using the recovered passphrase.

The decrypted message contains merlin's password. Switch to that user with su.

To escalate, check what merlin is allowed to run with sudo (sudo -l). zip can be run as root. The matching technique is on GTFOBins: https://gtfobins.github.io/gtfobins/zip/#sudo

-T tells zip to test the integrity of the new archive, and -TT lets us supply the command used for that test in place of unzip. Because sudo runs zip as root, whatever command we pass to -TT runs as root too, which is arbitrary command execution; the GTFOBins one-liner simply passes a shell as that test command.

Run it and we have a root shell and can read root.txt.

Thank You!!

Happy H@cking🦇
