TomGhost [GhostCat Vulnerability] (THM)
Hello guys, back again with another walkthrough. TryHackMe released a new room, TomGhost, rated easy. To get an initial foothold you have to exploit Tomcat's Apache JServ Protocol (AJP) connector. AJP is essentially a binary protocol designed to handle requests sent to a web server that are destined for an application server, in order to improve performance. The vulnerability is also called Ghostcat: it allows an unauthenticated user to read files from the web server and, combined with the ability to upload (potentially malicious) files to the web server, could lead to remote code execution.
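A defender's counterpart to the exploit used in this room: a small Python check, added here and not part of the original walkthrough or the room, that parses a Tomcat server.xml and flags AJP connectors that are reachable from the network or run without a shared secret. The two server.xml snippets are constructed samples and the secret value is a placeholder.

```python
import xml.etree.ElementTree as ET
from typing import List

# Loopback bindings that keep the AJP connector off the network.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> List[str]:
    """Return one finding per risky setting on each AJP connector in server.xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Tomcat names the AJP connector "AJP/1.3" or an org.apache.coyote.ajp.* class.
        if "AJP" not in conn.get("protocol", "").upper():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")  # None means "listen on all interfaces"
        if address not in LOOPBACK:
            findings.append(
                f"AJP {port}: bound to {address or 'all interfaces'}; "
                "bind it to 127.0.0.1 or remove the connector"
            )
        # Patched Tomcat (9.0.31+ / 8.5.51+) rejects AJP clients without the shared
        # secret when secretRequired="true" and a secret is set; older builds never check.
        if conn.get("secretRequired", "").lower() != "true" or not conn.get("secret"):
            findings.append(f"AJP {port}: no shared secret enforced; set secretRequired='true' and a secret")
    return findings


# Constructed sample: the pre-Ghostcat default, AJP on every interface with no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: same connector, loopback-only and secret-protected (placeholder secret).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET" redirectPort="8443"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp_connectors(xml) or ["no AJP findings"])
```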
As always we'll do a port scan using Nmap with the command
nmap -sC -sV -oA nmap/tomghost 10.10.171.273
We see three ports open. The port we are going to exploit is port 8009 (AJP). I did a searchsploit on the vulnerability and found there's an exploit available.
Using that exploit I was able to read the web.xml file, which contained credentials for SSH, using the command
python 48143.py -p 8009 -f WEB-INF/web.xml 10.10.171.237
The credentials are
skyfuck:8730281lkjlkjdqlksalks
Time to log in via SSH.
After logging into the box there are two files, a .pgp file and a .asc file. Both are used for encryption; I copied them to my local box and used a program called gpg to decrypt the .pgp file.
First you have to import the .asc key into gpg using the following command
gpg --import tryhackme.asc
It asks for a passphrase which we don't have, but luckily we can brute-force it with John the Ripper, a free and open-source password cracker. Its primary purpose is to detect weak Unix passwords, and it is one of the most popular password testing and breaking programs.
Using gpg2john, a binary that converts your key file into a hash format that John the Ripper can understand, and then a wordlist (preferably rockyou), you can brute-force the passphrase.
Since we have the hash we can brute-force it using John the Ripper.
Since I had already cracked the hash, it was saved in my potfile, so all I had to do was extract it using the '--show' option. The passphrase was alexandru.
Now I imported the .asc file into gpg using that passphrase.
Now we can decrypt the .pgp file using the command
gpg --decrypt credential.pgp
And voila!!!! we get credentials for merlin
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
Now time to escalate our privileges to become the user merlin.
After more enumeration I found that the user merlin may run zip as root without needing the root user's password.
Now i used GTFOBins to get root
And we are root!!!!!!!
Now it's time to submit the flag.