TryHackMe: Tomghost Walkthrough

Yebberdog
4 min read · Oct 4, 2020


Identify recent vulnerabilities to try to exploit the system or read files that you should not have access to.

Looking at the room, there are a number of tags which give us a few clues about this box. We can guess the box is running Apache Tomcat, which is a Java servlet container; there is a reference to CVE-2020-1938, known as Ghostcat, and there are also references to zip and pgp.

We will start with a scan of the ports using Nmap to see what is open.

So we have SSH running on port 22, the Apache JServ Protocol (AJP) connector on 8009 and Apache Tomcat 9.0.30 running on 8080.

Tomcat Port 8080:

Navigating to the Tomcat server we arrive at the standard default landing page:

There is little I can find to undertake any further enumeration, so I will focus on CVE-2020-1938. Researching this further, we learn that by exploiting the Ghostcat vulnerability an attacker can read the contents of configuration files and source code files of all web applications deployed on Tomcat, because the AJP connector trusts request attributes that let a client name the file to be served.
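The AJP connector is the surface Ghostcat abuses, so the defender's first check is whether server.xml exposes one. The script below is an added example, not part of the original post or the Ghostcat PoC: it parses a constructed server.xml containing both a pre-9.0.31-style connector (port 8009, no address, no secret) and a hardened one bound to loopback with a shared secret (placeholder values), and reports which connectors are reachable without a shared secret. The attribute names (address, secretRequired, secret) are Tomcat's own; the sample document and its values are made up.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed the way Ghostcat
(CVE-2020-1938) needs: enabled, bound beyond loopback, and without a shared
secret.  Added example; not from the walkthrough or from Tomcat itself."""
from __future__ import annotations

import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding dict per AJP connector in server_xml.

    A connector counts as exposed when it binds beyond loopback and has no
    shared secret configured.  Commented-out connectors are dropped by the
    XML parser, so a disabled connector correctly produces no finding.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches both "AJP/1.3" and fully qualified AjpNioProtocol class names.
        if "AJP" not in protocol.upper():
            continue
        # When address is unset Tomcat listens on all interfaces.
        address = conn.get("address", "0.0.0.0")
        # secretRequired defaults to true from 9.0.31, but a secret must also
        # be set for the connector to start; absence of either means no auth.
        has_secret = bool(conn.get("secret"))
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "has_secret": has_secret,
            "exposed": address not in LOOPBACK and not has_secret,
        })
    return findings


# Constructed sample: the shape of the pre-9.0.31 default connector, plus a
# hardened connector of the kind Tomcat ships since 9.0.31.  Port 8010 and
# the secret are placeholders, not values from any real deployment.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="::1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "EXPOSED" if f["exposed"] else "ok"
        print(f"AJP connector on port {f['port']} bound to {f['address']}: {status}")
```

Run against a real CATALINA_BASE/conf/server.xml the same function applies unchanged; the HTTP connector on 8080 is skipped, the bare 8009 connector is reported as exposed, and the loopback-bound connector with a secret is reported as fine.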

To exploit the Ghostcat vulnerability we can download the PoC from the following GitHub repository:

We can clone this into our directory:

sudo git clone https://github.com/00theway/Ghostcat-CNVD-2020-10487.git

Let’s look at the help for ajpShooter, the script in that repository used to exploit this vulnerability:

The object here is to see whether we can read the contents of a configuration file, which will be /WEB-INF/web.xml.

python ajpShooter.py http://10.10.188.67 8009 /WEB-INF/web.xml read

When we run the script we can read the contents of web.xml. In the file we can see some credentials which look like a user:password pair for SSH.
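The root cause on this box is not only the exposed AJP connector but the credentials sitting in web.xml. As an added example (not code from the post or from the Ghostcat PoC), the scanner below walks a constructed deployment descriptor and flags parameter names that suggest a secret as well as free-text user:password tokens in description elements, so the same finding can be made in a repository or CI check before Tomcat ever serves the file. Element names follow the Servlet specification; the sample values are made up.

```python
"""Flag embedded credentials in a Tomcat/Servlet web.xml.
Added example; not from the walkthrough."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Parameter names that usually carry a secret.
SECRET_NAME_RE = re.compile(r"(pass(word|wd)?|secret|token|credential|api[_-]?key)", re.I)
# user:password tokens in free text; the (?!//) excludes URL schemes.
USERPASS_RE = re.compile(r"\b[A-Za-z0-9_.-]{2,32}:(?!//)[^\s:]{6,}")


def _local(tag: str) -> str:
    """Strip the XML namespace so {ns}context-param becomes context-param."""
    return tag.rsplit("}", 1)[-1]


def find_descriptor_secrets(web_xml: str) -> list[dict]:
    """Return findings for secret-looking params and user:pass tokens.

    Works on namespaced and un-namespaced descriptors.  XML comments are
    dropped by the parser, so a credential left in a comment needs a plain
    text grep in addition to this check.
    """
    root = ET.fromstring(web_xml)
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("context-param", "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in el}
            name, value = kv.get("param-name", ""), kv.get("param-value", "")
            if value and SECRET_NAME_RE.search(name):
                findings.append({"kind": "secret-param", "where": name, "value": value})
        elif tag == "description" and el.text:
            for m in USERPASS_RE.finditer(el.text):
                findings.append({"kind": "user:pass", "where": "description", "value": m.group(0)})
    return findings


# Constructed sample descriptor; users, passwords and hosts are invented.
SAMPLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <display-name>Constructed sample app</display-name>
  <description>Deploy with deploy:Example-Pass1 until the vault is ready</description>
  <context-param>
    <param-name>db.password</param-name>
    <param-value>Example-DbPass2</param-value>
  </context-param>
  <context-param>
    <param-name>db.url</param-name>
    <param-value>jdbc:postgresql://db.internal/app</param-value>
  </context-param>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for f in find_descriptor_secrets(SAMPLE_WEB_XML):
        print(f"{f['kind']:12} in {f['where']}: {f['value']}")
```

The db.url parameter is deliberately left unflagged: a JDBC URL without embedded credentials is not a secret, and the scheme-exclusion in the regex keeps URLs in descriptions from producing noise.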

SSH Port 22: User skyfuck:

Yes, we are correct: the credentials allow us to SSH into the server as user skyfuck:

Looking at skyfuck’s home directory we can see credential.pgp, and we know from the box tags that this is part of the challenge. We can also see tryhackme.asc, which is a PGP private key block. I will download these files to my host so I can enumerate further.

We can try to brute-force the passphrase protecting tryhackme.asc, but first we have to convert the key into a hash John can work on using gpg2john.

gpg2john tryhackme.asc > hash

I will use the rockyou.txt wordlist for the brute-force attack.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Back to the remote host. We have the passphrase; all we need to do now is import the key and decrypt the PGP file.

gpg --import tryhackme.asc
gpg --decrypt credentials.pgp

We now have the credentials for merlin, and that is what I call a password :-).

Using ‘su merlin’ we can switch to merlin’s account.

OK, now it’s time to privesc. Let’s see what privileges we have using ‘sudo -l -l’:

OK, so we can run the zip binary as root. Let’s check out GTFOBins and look for an exploit:

Game on, we have root, let’s navigate to the /root directory:

All we need to do now is cat the root.txt file and the room is complete.
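The privilege escalation works because sudo lets merlin run zip as root without a password, and zip can hand its caller a shell. The audit below is an added example, not from the post or from GTFOBins: it parses constructed sudoers-style rules and flags commands that run as root (or ALL) and are ALL, contain a wildcard, carry NOPASSWD, or name a binary known to offer a shell escape. zip is the only entry in that set, since it is the one this box uses; extend it from GTFOBins for the binaries present in your environment. Sample users and paths are made up.

```python
"""Audit sudoers rules for the pattern that roots this box: a normal user
allowed to run a shell-escaping binary as root with NOPASSWD.
Added example; not from the walkthrough or GTFOBins."""
from __future__ import annotations

import re

# Binaries whose sudo rule lets the invoking user obtain a shell or write
# arbitrary files as the target user.  Only zip, the binary from this box,
# is listed; extend from GTFOBins for your environment.
SHELL_ESCAPE_BINARIES = {"zip"}

# user  host=(runas[:group]) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def audit_sudoers(text: str) -> list[dict]:
    """Return one finding per risky command granted to a non-root user.

    A command is risky when it runs as root or ALL and is ALL, contains a
    wildcard, names a known shell-escape binary, or is granted NOPASSWD.
    Comments and Defaults lines are ignored; root's own rule is skipped.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        # A missing runas spec means root; "(ALL:ALL)" means any user and group.
        runas = (m.group("runas") or "root").split(":")[0].strip()
        tags = {t.strip(": ") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            issues = []
            if cmd == "ALL":
                issues.append("ALL commands")
            if "*" in cmd:
                issues.append("wildcard in command")
            if binary in SHELL_ESCAPE_BINARIES:
                issues.append(f"{binary} can spawn a shell (see GTFOBins)")
            if "NOPASSWD" in tags:
                issues.append("NOPASSWD")
            if issues and runas in ("root", "ALL"):
                findings.append({"user": m.group("user"), "command": cmd, "issues": issues})
    return findings


# Constructed sample rules; none of these come from the box.
SAMPLE_SUDOERS = """
# User privilege specification
root    ALL=(ALL:ALL) ALL
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
ops     ALL=(root) /usr/bin/systemctl restart tomcat9
backup  ALL=(ALL) NOPASSWD: /usr/local/bin/*
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']}: {f['command']} -> {', '.join(f['issues'])}")
```

The ops rule is left unflagged on purpose: a fixed absolute path with fixed arguments, run with a password, is the shape a sudo rule should take. The fix for the merlin rule is the same shape: drop NOPASSWD and replace the bare zip grant with the specific command line the role actually needs.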

A big thank you to Stuxnet for creating this box.
