Walkthrough
Gaining a Foothold
Nmap
Quick nmap scan
┌──(kali㉿kali)-[~]
└─$ nmap 10.10.140.124
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-13 15:17 EST
Nmap scan report for 10.10.140.124
Host is up (0.27s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
8009/tcp open ajp13
8080/tcp open http-proxy
Detailed scan
┌──(kali㉿kali)-[~]
└─$ nmap -T4 -A -p- 10.10.140.124
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-13 15:17 EST
Nmap scan report for 10.10.140.124
Host is up (0.27s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3:c8:9f:0b:6a:c5:fe:95:54:0b:e9:e3:ba:93:db:7c (RSA)
| 256 dd:1a:09:f5:99:63:a3:43:0d:2d:90:d8:e3:e1:1f:b9 (ECDSA)
|_ 256 48:d1:30:1b:38:6c:c6:53:ea:30:81:80:5d:0c:f1:05 (ED25519)
53/tcp open tcpwrapped
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 973.70 seconds
Scan for CVE-2020-1938 'Ghostcat'
┌──(kali㉿kali)-[~]
└─$ nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 10.10.140.124
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-13 15:24 EST
Nmap scan report for 10.10.140.124
Host is up (0.28s latency).
PORT STATE SERVICE VERSION
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-headers:
|_ Content-Type: text/html;charset=UTF-8
| ajp-request:
| AJP/1.3 200 200
| Content-Type: text/html;charset=UTF-8
|_ [remainder of the Apache Tomcat/9.0.30 default index page HTML omitted]
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.69 seconds
Default Web Page
10.10.140.124:8080
Information Disclosure
Ghostcat Metasploit
https://www.exploit-db.com/exploits/49039
skyf***:8730281lkjlkjdqlksalks
SSH successful using skyf*** credential
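As an added defensive example (not part of the original walkthrough), the following script audits a Tomcat server.xml for the AJP connector settings that leave CVE-2020-1938 reachable from the network: a connector on a non-loopback address with no shared secret, which is what the 8009/tcp finding above corresponds to. The server.xml content, the connector on port 8010 and the placeholder secret are all constructed for this example.

```python
# Added audit helper (not from the walkthrough): flag AJP <Connector> entries in a
# Tomcat server.xml that leave CVE-2020-1938 (Ghostcat) reachable over the network.
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: a weak AJP connector next to a hardened one.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- weak: all interfaces, no shared secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- hardened: loopback only, shared secret required -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"/>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml):
    """Return one dict per AJP connector with the list of weaknesses found.

    Absent attributes are reported as findings on purpose: Tomcat before 9.0.31
    (this box runs 9.0.30) defaults to binding all interfaces with no secret, and
    the audit cannot tell the Tomcat version from server.xml alone.
    """
    root = ET.fromstring(server_xml.strip())
    findings = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        issues = []
        address = conn.get("address")  # None when the attribute is missing
        if address not in LOOPBACK:
            issues.append("bound to non-loopback address")
        if conn.get("secretRequired", "").lower() != "true":
            issues.append("secretRequired is not true")
        if not conn.get("secret"):
            issues.append("no shared secret configured")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print(f"AJP port {f['port']} address={f['address']}: {status}")
```

Run it against a real server.xml by reading the file into audit_ajp_connectors; an empty issues list for every AJP connector (or no AJP connector at all) is the state you want.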
Escalating Privileges
John
- credential.pgp: this PGP file is an encrypted file that might contain credentials for another user; it can only be decrypted with a passphrase, so we need that to check its content.
- tryhackme.asc: this is a key file that we have to crack in order to get the passphrase that will be used to decrypt the credential.pgp file.
John the Ripper is a free password cracking software tool. Originally developed for the Unix operating system, it can run on fifteen different platforms.
To do so, we first extract a crackable hash from this key using: gpg2john tryhackme.asc > hash
Then we start cracking the password using: john --wordlist=rockyou.txt hash
john: specifies the software we will be using, which is John the Ripper
--wordlist: specifies the wordlist that will be used for brute-forcing
Note that the path of the wordlist will differ depending on where the wordlist is stored.
Now that I have the cracked password, I can decrypt credential.pgp by using:
gpg --import tryhackme.asc
Since it's a .pgp file, we will be using gpg to decrypt it.
--import: imports the key file
gpg -d credential.pgp
-d: decrypts the .pgp file.
You will then be prompted to enter the password cracked from the tryhackme.asc file.
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
sudo -l
3 ports open
8080 - no feasible way to log in
8009 - there were other enumerations to be done
read the code, research
Once on the machine, start with the basics