Ghostcat is a vulnerability in Tomcat that allows local file inclusion. It was present in Tomcat for 10 years before it was discovered. LFI combined with sensitive information in Tomcat files creates a deadly mixture. The vulnerability is present specifically in AJP, which runs on port 8009. It was disclosed in 2020!
To no surprise, this journey starts with a hit of nmap.
Tomcat is known for its very friendly RCE bug in the /manager and /host-manager directories. I take a look to see if I can log into either with default credentials.
No authorization prompt pops up like it normally does on Tomcat; because of this I was getting redirected to the 403 page without even getting the chance to log in! I couldn't find the reason for this after googling. So it became obvious that this was not the intended solution. I started doing enumeration on port 8009, the JServ protocol, and ran into this.
This looks promising, I copy the exploit and run it.
The exploit works! I am able to read the web.xml file which has user credentials.
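The writeup shows the attacker's side only; what made this possible on the server side is an AJP connector that is reachable from the network and has no shared secret. The following is an added example, not part of the original writeup: a small Python audit of a Tomcat server.xml that reports AJP connectors which are not bound to loopback or have no secret, with three constructed configurations (exposed, hardened, and disabled) to show the difference. It assumes a missing address attribute means the connector listens on all interfaces, which was the pre-fix Tomcat default, and the secret value in the hardened config is a placeholder.

```python
import xml.etree.ElementTree as ET

# Addresses that keep an AJP connector off the network.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding string per AJP connector that is still exposed.

    An empty list means every AJP connector is either absent (commented out,
    which the XML parser drops) or bound to loopback with a shared secret.
    Assumption: a missing 'address' attribute is treated as listening on all
    interfaces, which was Tomcat's default before the Ghostcat fix.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            findings.append(
                f"AJP connector on port {port}: no 'address' attribute, so it "
                "listens on all interfaces (bind it to 127.0.0.1 or disable it)"
            )
        elif address not in LOOPBACK_ADDRESSES:
            findings.append(
                f"AJP connector on port {port}: bound to {address} instead of loopback"
            )
        # 'secret' (with secretRequired) is the post-fix attribute name;
        # 'requiredSecret' was its name on older releases. Either is accepted.
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(
                f"AJP connector on port {port}: secretRequired=\"false\" lets any "
                "client that can reach the port send AJP requests"
            )
        elif not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append(f"AJP connector on port {port}: no shared secret configured")
    return findings


# Constructed sample configs (not taken from any real host).
EXPOSED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET"/>
  </Service>
</Server>"""

DISABLED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>"""


if __name__ == "__main__":
    for label, xml_text in [("exposed", EXPOSED_SERVER_XML),
                            ("hardened", HARDENED_SERVER_XML),
                            ("disabled", DISABLED_SERVER_XML)]:
        print(f"[{label}]")
        for finding in audit_ajp_connectors(xml_text) or ["no exposed AJP connector"]:
            print("  ", finding)
```

Running it against a live server.xml (`audit_ajp_connectors(open("/path/to/server.xml").read())`) gives the same report; the exposed sample produces two findings (all-interface bind and no secret), the other two produce none.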
I log in as the user with SSH and view the current working directory.
I download these two files from my local machine.
PGP is public-key encryption; the *.asc file is the private key, which is what we need to decrypt. I try to decrypt credential.pgp using a tool called gpg in Linux.
My evil plan is foiled when I am prompted for a password.
I sit for a bit and think about whether I am supposed to crack this, then I remember: if zip2john exists, what are the chances that pgp2john does?
How about gpg2john?
Success! Time to grab the hash and get cracking.
Now that I have the password, I can decrypt credential.pgp.
Looks like horizontal privesc. Another user is compromised. I SSH as Merlin and begin looking for privesc vectors.
I run into this zip binary almost instantly. I continue to look for the binary on GTFObins and become root.
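The root cause of that last step is a setuid bit on a general-purpose file tool, which a defender can catch with a routine audit. The following is an added example, not part of the original writeup: a Python check that flags set-uid or set-gid regular files whose name is not on an allowlist of the setuid programs a stock install ships, run here over a constructed list of (path, mode) pairs modelled on the zip case. The allowlist is an assumption to be trimmed or extended to your distribution's baseline; `scan_tree` walks a real filesystem and feeds lstat results to the same check.

```python
import os
import stat

# Setuid programs a stock Linux install legitimately ships. Anything setuid or
# setgid outside this list deserves a second look. Constructed allowlist for
# the example; adjust it to match your distribution's baseline.
EXPECTED_SUID = {
    "passwd", "sudo", "su", "mount", "umount", "chsh", "chfn",
    "newgrp", "gpasswd", "ping", "pkexec", "fusermount", "wall",
}


def unexpected_suid(entries):
    """Given (path, st_mode) pairs, return the paths that are regular files
    with the set-uid or set-gid bit and a basename not in the allowlist."""
    flagged = []
    for path, mode in entries:
        if not stat.S_ISREG(mode):
            continue
        if not (mode & (stat.S_ISUID | stat.S_ISGID)):
            continue
        if os.path.basename(path) not in EXPECTED_SUID:
            flagged.append(path)
    return sorted(flagged)


def scan_tree(root="/"):
    """Walk a real filesystem and feed lstat results to unexpected_suid()."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                entries.append((full, os.lstat(full).st_mode))
            except OSError:
                continue  # unreadable, or vanished between listing and stat
    return unexpected_suid(entries)


# Constructed sample modelled on the writeup: zip carries the setuid bit.
SAMPLE_ENTRIES = [
    ("/usr/bin/zip", stat.S_IFREG | stat.S_ISUID | 0o755),          # flagged
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),       # expected
    ("/bin/ls", stat.S_IFREG | 0o755),                              # no special bit
    ("/usr/local/bin/backup", stat.S_IFREG | stat.S_ISGID | 0o755), # flagged (setgid)
    ("/usr/bin/wall", stat.S_IFREG | stat.S_ISGID | 0o755),         # expected
]


if __name__ == "__main__":
    for path in unexpected_suid(SAMPLE_ENTRIES):
        print("unexpected set-id binary:", path)
```

On a real host, `scan_tree("/usr")` is the call to make; comparing its output between runs is what turns this into a detection rather than a one-off check, since a newly set-uid file tool is a clear change from the baseline.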
Oh Ghostcat, how did you stay hidden for so long?
(thanks flip67 for the meme) (again)