Ghostcat Vulnerability CVE-2020-1938 explained and exploited with Try-Hack-Me Tomghost machine

Today, I am back with an interesting blog on vulnerability named Ghostcat. The Apache Ghostcat vulnerability is an LFI (Local File Inclusion) vulnerability which is discovered by a security researcher of Chaitin Tech and came out in February 2020, while the world was gearing up for a lockdown fight up against the coronavirus. It allows an attacker to read files such as configuration files, text files, or any other tomcat directory files.

What Ghostcat vulnerability can do?

Due to a flaw in the Tomcat AJP protocol, by exploiting the Ghostacat vulnerability an attacker can read or include any files in the webapp directories of Tomcat. For example, An attacker can read the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through Ghostcat vulnerability.

You can get more information about it on

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938

https://nvd.nist.gov/vuln/detail/CVE-2020-1938

What is AJP (Apache Jserv Protocol)?

It is a binary protocol that can proxy inbound requests from a web server through an application server that sits behind the webserver. It is essentially an optimized binary version of the HTTP protocol in binary form. This makes communication with the AJP port rather difficult using conventional tools.

The simplest solution is to configure Apache as a local proxy, which performs transparent conversion of HTTP traffic to AJP format. Once configured, an attacker can use common tools and different exploits to exploit the Tomcat server over AJP.

It can be used to reduce the processing costs related to HTTP requests and is mostly used in scenarios that require clustering or reverse proxies.

By default, it is enabled on port 8009.

By default, Tomcat is configured with two Connectors, which are HTTP Connector and AJP Connector:

HTTP Connector: used to process HTTP protocol requests (HTTP/1.1), and the default listening address is 0.0.0.0:8080

AJP Connector: used to process AJP protocol requests (AJP/1.3), and the default listening address is 0.0.0.0:8009

How Ghostcat can become RCE (Remote Code Execution)?

As we have discussed till now that Ghostcat is a file inclusion vulnerability and It’s not a Remote Code Execution (RCE) by default. But some circumstances made it RCE.

João Matos, a well-known security researcher from Brazil, identified the prerequisites needed for Ghostcat to become an RCE.

Apache Tomcat has officially released versions 9.0.31, 8.5.51, and 7.0.100, and a newer version to fix this vulnerability.

Why does this vulnerability exist?

By default, Tomcat treats AJP connections as having a higher level of trust, when compared to HTTP connections. When AJP is implemented correctly, the protocol requires a secret, which is required by anyone who queries the protocol. When we are using the default Tomcat configuration, this secret is not enabled and because of this, there is no security check done for requests coming into port 8009. This means that an unauthenticated attacker can access the port to read or potentially write to the server.

TryHackMe has a machine named Tomghost, which has this vulnerability. So now we will exploit that machine and learn more about this.

 Tomghost: Try-Hack-Me machine

Our goal is to identify recent vulnerabilities and exploit the system or read files that we should not have access to.

To start this, I have Initiated the VPN connection and deploy the machine.

As always, we will start with Nmap scan:

nmap -sC -sV -vv -T4 <IP>

We found 4 open ports: Port 22, Port 53, Port 8009, Port 8080

Task 1: Compromising this machine and obtaining user.txt

We can see that on port 8080 we have a Tomcat webserver and port 8009 is also open.

Let’s access its website as an Apache is running.

Here, we can see the default page for Apache Tomcat and it is running version 9.0.30. (We got the version from our Nmap scan results as well)

So, now we can look for vulnerabilities on google.  After some googling, I found that Apache Tomcat versions 6.x, 7.x, 8.x, and 9.x are found to be vulnerable to this Ghostcat vulnerability which we discussed earlier.

So, we can search for exploits in google. I found following on exploit DB: https://www.exploit-db.com/exploits/48143

I also found another exploit on the GitHub of “00theway” which looks interesting.  So, I have decided to use this here. You can find that in here:

https://github.com/00theway/Ghostcat-CNVD-2020-10487

We need to get this in our system using following command:

 git clone https://github.com/00theway/Ghostcat-CNVD-2020-10487

We can see the ajpShooter.py file in our directory.

Following is code for ajpShooter, for readers interested in Python programming:

Now let’s check how to use this.

Now we want to use this to exploit and for that on 00theway’s GitHub page, we found following example:

From this I made our command as following:

python3 ajpShooter.py http://<IP>:<PORT> <AJP_PORT> /WEB-INF/web.xml read

python3 ajpShooter.py http://10.10.170.107:8080 8009 /WEB-INF/web.xml read

With the help of ajpShooter, We obtained a username and password.

skyfuck:8730281lkjlkjdqlksalks

 From our Nmap scan results, we know that SSH is open. So let’s try to login through SSH and give this password.

Yes…!!! We can log in successfully using that password… Now let’s find out what we have in here and we will also look for the flag.

As you can see, We found 2 users here.

After Switching to the merlin directory, I found the user.txt flag.

THM{GhostCat_1s_so_cr4sy}

So, we have successfully Compromised this machine and obtain user.txt and found our 1st flag..!!!

 Task 2:  Privilege Escalation and obtaining root:

 Switching to user ‘skyfuck’ again we found 2 files: credential.pgp and tryhackme.asc

Here we have .pgp and .asc file. Opening .asc file gave me PGP private key shown below.

From this and after researching on google, I learned that asc file is used to decrypt pgp.

Before going further let’s quickly look at GPG.

GnuPG (more commonly known as GPG) is an implementation of a standard known as PGP (Pretty Good Privacy). It uses a system of “public” and “private” keys for the encryption and signing of messages or data.

It is a complete implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories.

For encryption and decryption, I found the following useful:

So, we found a credential file earlier and it was encrypted using gpg and key to decrypt that file is tryhackme.asc. Let’s try to decrypt that.

But We need a secret to decrypt this.

As you can see, we don’t have sudo privilege here so to decrypt this file we need to copy this to our system.

Let’s get this file on our system utilizing the Secure Copy (scp) command.

scp copy files securely between hosts on a network. It uses ssh for data transfer and uses the same authentication and provides the same security as ssh.

So, we can copy these 2 files across ssh connection. That connection will be securely encrypted, it is a very secure way to copy files between computers.

scp uses by default the port 22 and connects via an encrypted connection or secure shell connection.

Syntax: scp [-12346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]

    [-l limit] [-o ssh_option] [-P port] [-S program]

    [[user@]host1:]file1 … [[user@]host2:]file2

So, I will use following command for secure copy and Password: 8730281lkjlkjdqlksalks

scp -p skyfuck@10.10.140.34:/home/skyfuck/tryhackme.asc tryhackme.asc

Here, -p is for Preserving modification times, access times, and modes from the original file

We have successfully copied 1 file. Let’s do it for the other as well.

scp -p skyfuck@10.10.140.34:/home/skyfuck/credential.pgp credential.pgp

Now, In our TryHackMe directory we have two extra files, ‘tryhackme.asc’ and ‘credential.pgp’.
We can use john the ripper to crack the hast discover the password in ‘tryhackme.asc’.

John the Ripper tool will help us with revealing the password hash hidden in the tryhackme.asc file. 

For this, we will search for gpg2john. You can use locate command.

Here we can pass it the file we got from the Tomghost machine and save the output.
/usr/sbin/gpg2john tryhackme.asc > tryhackmeHash.txt

This is what my hash file contains:

Now, To crack this, we will use john with rockyou.txt file using following command:

john –wordlist=/usr/share/wordlists/rockyou.txt tryhackmeHash

So, we have the passphrase: alexandru

Now can try to decrypt the credential.pgp with this passphrase to get the content using the command discussed earlier in Table.

gpg –import tryhackme.asc

When it prompts for password, we can supply password: alexandru as shown below:

We can see that it also exposes some sensitive information like it is encrypted with a 3072-bit ELG key, ID 8F3DA3DCEC6707170.

As you can see, the process is completed, and our key is imported.

Now let’s decrypt this using following command:

gpg –decrypt credential.pgp

for decryption also they will authenticate you.

Here, I entered the wrong password by mistake and learned that it provides only 3 tries for an attacker to unlock the OpenPGP secret key.

Hurray..!!! After giving the correct password, Our decryption is successfully completed.

As we can see, another user merlin, and his password is also revealed. Now we can try that with ssh:

Now we can switch to user merlin using the obtained password and check the command that can be performed with sudo privilege:

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus neca

Here, we can run the zip command as root. So, I was looking for ways to use zip to get root access, on google and found  GTFOBins.

It is a privilege escalation exploit we can utilize to elevate our privileges and get a root shell from zip.

Here is the link:

https://gtfobins.github.io/gtfobins/zip/#sudo

Using the site GTFOBins, the zip application allows for a user to create a new shell as the root user.  Now we will see how to use it:

.

All we need to do now is simply copy and paste this command into the terminal and we should get a new command line as root.

Let’s, give it a try.

And finally, it’s Done. I simply change the directory to the /root and got the root.txt flag.

THM{ZIP_1S_FAKE}

With this second flag, we have completed this machine.

It was a great machine as it had a recent real-world-related vulnerability. We learned a couple of new things in this blog.

Conclusion:

  1. Started the machine and got into the same network using OpenVPN Service.
  2. We started initial recon with Nmap and found 4 open Ports. Which are 22, 53, 8009, and Port 8080. We also found what version and services they are running. That gave us information about Apache Tomcat version 9.30.30 is running on 8080 and Apache Jserv is on 8009.
  1. Looked for vulnerabilities associated with that and found well-known Ghostcat Vulnerability (CVE-2020-1938). When working with Apache Tomcat, always look for Ghostcat vulnerability.
  1. Found few ways to exploit it from exploiteDB and GitHub. Then started the exploitation phase with the Github repository of “00theway” with ajpShooter.py and got 1st user and his password.
  1. With those credentials tried to get access to the user using SSH but learned that he is not the root user. Started searching for some useful directory/information to escalate the privileges. Found out few files (.pgp and .asc), 1st flag, and another username.
  1. Stared privilege escalation to get access to the root user. Got access to PGP private key and tried to decrypt the ASCII file using that. For that securely copied both files to my system (because it was not a rooted user profile, so it required a secret phrase to decrypt the file) and crack the ASCII file using John the Ripper.
  1. Used gpg2john to get the Hash of ASCII file, and used rockyou world list with john to crack that hash. This gave the secret phrase.
  1. Using that we unlocked PGP key and got other user’s credentials. Login through SSH and found out that it was a root user.
  1. Learned that it can only run zip command as a root. Used GTFOBins to maintain elevated privilege and access the file systems and found the final flag.

Thanks for reading…!!!

Until Next time, Happy Hacking…!!!