AJP


Nmap discovered an AJP endpoint on the target at port 8009. The running service is Apache Jserv (Protocol v1.3).

The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server. AJP is a highly trusted protocol and should never be exposed to untrusted clients, which could use it to gain access to sensitive information or execute code on the application server.
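Because exposure is a configuration matter, the practical check on the defending side is the Tomcat `server.xml`: an AJP connector should be bound to loopback and protected by a shared secret. The script below is an added example, not part of these notes or of Tomcat; it parses two constructed `server.xml` fragments (a weak and a hardened connector) and reports which AJP connectors are reachable from untrusted clients. The attribute names `address`, `secret` and `secretRequired` are Tomcat's own; the sample secret value is a placeholder.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample fragments (not taken from the target). The weak one is the
# shape older Tomcat releases shipped by default: no bind address, no secret.
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1"
               secretRequired="true"
               secret="REPLACE-WITH-A-STRONG-SHARED-SECRET" />
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding per AJP connector: its port, bind address and a list of issues.

    An empty issue list means the connector is loopback-only and secret-protected.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Both the short form "AJP/1.3" and the class names contain "ajp".
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        issues = []

        address = conn.get("address")
        if address is None:
            # Older Tomcat releases bound to every interface when no address was set.
            issues.append("no bind 'address'; older releases listen on all interfaces")
        else:
            try:
                if not ipaddress.ip_address(address).is_loopback:
                    issues.append(f"bound to non-loopback address {address}")
            except ValueError:
                issues.append(f"'address' {address!r} is a hostname; verify it is loopback-only")

        secret = conn.get("secret")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if not secret:
            issues.append("no shared 'secret' configured")
        if not secret_required:
            issues.append('secretRequired="false" lets clients skip the secret')

        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


def exposed_ports(server_xml: str) -> list[str]:
    """Ports of AJP connectors that have at least one issue."""
    return [f["port"] for f in audit_ajp_connectors(server_xml) if f["issues"]]


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml_text):
            print(label, finding["port"], finding["issues"] or "OK")
```

Run against a real `server.xml` by reading the file into a string and passing it to `audit_ajp_connectors`; a connector that is not needed at all (no mod_jk or mod_proxy_ajp in front of Tomcat) should simply be removed or commented out.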

┌──(kali㉿kali)-[~/archive/thm/tomghost]
└─$ nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-13 16:36 CEST
Nmap scan report for 10.10.198.73
Host is up (0.028s latency).
 
PORT     STATE SERVICE VERSION
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
| ajp-headers:
|_  Content-Type: text/html;charset=UTF-8
| ajp-request:
| AJP/1.3 200 200
| Content-Type: text/html;charset=UTF-8
|
| tps://tomcat.apache.org/taglibs/">Taglibs</a></li>
|                             <li><a href="/docs/deployer-howto.html">Deployer</a></li>
|                         </ul>
|                     </div>
|                 </div>
|                 <div class="col20">
|                     <div class="container">
|                         <h4>Other Documentation</h4>
|                         <ul>
|                             <li><a href="https://tomcat.apache.org/connectors-doc/">Tomcat Connectors</a></li>
|                             <li><a href="https://tomcat.apache.org/connectors-doc/">mod_jk Documentation</a></li>
|                             <li><a href="https://tomcat.apache.org/native-doc/">Tomcat Native</a></li>
|                             <li><a href="/docs/deployer-howto.html">Deployer</a></li>
|                         </ul>
|                     </div>
|                 </div>
|                 <div class="col20">
|                     <div class="container">
|                         <h4>Get Involved</h4>
|                         <ul>
|                             <li><a href="https://tomcat.apache.org/getinvolved.html">Overview</a></li>
|                             <li><a href="https://tomcat.apache.org/source.html">Source Repositories</a></li>
|                             <li><a href="https://tomcat.apache.org/lists.html">Mailing Lists</a></li>
|                             <li><a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a></li>
|                         </ul>
|                     </div>
|                 </div>
|                 <div class="col20">
|                     <div class="container">
|                         <h4>Miscellaneous</h4>
|                         <ul>
|                             <li><a href="https://tomcat.apache.org/contact.html">Contact</a></li>
|                             <li><a href="https://tomcat.apache.org/legal.html">Legal</a></li>
|                             <li><a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
|                             <li><a href="https://www.apache.org/foundation/thanks.html">Thanks</a></li>
|                         </ul>
|                     </div>
|                 </div>
|                 <div class="col20">
|                     <div class="container">
|                         <h4>Apache Software Foundation</h4>
|                         <ul>
|                             <li><a href="https://tomcat.apache.org/whoweare.html">Who We Are</a></li>
|                             <li><a href="https://tomcat.apache.org/heritage.html">Heritage</a></li>
|                             <li><a href="https://www.apache.org">Apache Home</a></li>
|                             <li><a href="https://tomcat.apache.org/resources.html">Resources</a></li>
|                         </ul>
|                     </div>
|                 </div>
|                 <br class="separator" />
|             </div>
|             <p class="copyright">Copyright &copy;1999-2024 Apache Software Foundation.  All Rights Reserved</p>
|         </div>
|     </body>
|
|_</html>
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.61 seconds

The ajp-methods script output also revealed that the target instance supports the following methods: GET, HEAD, POST and OPTIONS.

As the name of the target suggests, it is highly likely that the target instance is vulnerable to [[Tomghost_CVE-2020-1938#[CVE-2020-1938](https://nvd.nist.gov/vuln/detail/cve-2020-1938)|CVE-2020-1938]], also known as Ghostcat.

Vulnerabilities