Ghostcat is a vulnerability in Tomcat that allows local file inclusion. This vulnerability was present in Tomcat for 10 years before it was discovered. LFI combined with the sensitive information kept in Tomcat's own files creates a deadly mixture. The vulnerability is specifically in AJP, which runs on port 8009. This vulnerability was disclosed in 2020!
To no surprise, this journey starts with a hit of nmap.
Tomcat is known for its very friendly RCE bug in the /manager and /host-manager directories. I take a look to see if I can log into either with default credentials.
No authorization prompt pops up, as it normally does on Tomcat; because of this I was getting redirected to the 403 page without even getting the chance to log in! I couldn't find the reason behind this after googling for it, so it became obvious that this was not the intended solution. I started enumerating port 8009, the JServ protocol, and ran into this.
This looks promising, I copy the exploit and run it.
The exploit works! I am able to read the web.xml file which has user credentials.
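From the defender's side, what makes this reachable at all is an AJP connector that listens on every interface and requires no shared secret from its client. The script below is an added example, not code from the original post: it parses a Tomcat server.xml and flags AJP connectors with either weakness. Both server.xml snippets are constructed here (the secret value is an obvious placeholder); `address`, `secretRequired` and `secret` are Tomcat's own AJP connector attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the classic layout, AJP on 8009 bound to every interface
# with no shared secret. Anything that can reach 8009 can speak AJP to Tomcat.
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample of the corrected form: loopback only, plus a shared secret the
# front-end proxy must present. (If nothing fronts Tomcat over AJP, remove the connector.)
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
               redirectPort="8443" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one finding dict per AJP connector; an empty 'issues' list means it is fine."""
    root = ET.fromstring(server_xml.strip())
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        address = conn.get("address")
        issues = []
        # No address attribute means Tomcat binds the connector to all interfaces.
        if address is None or address not in LOOPBACK:
            issues.append("listens on a non-loopback address")
        # With no secret configured every AJP client is trusted; secretRequired="false"
        # switches the check off explicitly.
        if conn.get("secretRequired", "true").lower() == "false" or not conn.get("secret"):
            issues.append("no shared secret required")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


def ajp_exposed(server_xml):
    """True if any AJP connector in the file has at least one issue."""
    return any(f["issues"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for f in audit_ajp_connectors(xml):
            print(label, f["port"], f["address"], f["issues"] or "ok")
```

Run it against a real `conf/server.xml` by reading the file into `audit_ajp_connectors`; a connector that is only needed by a local reverse proxy should bind to loopback, and one that nothing uses should simply be deleted rather than hardened.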
I log in as the user over SSH and view the current working directory.
I download these two files to my local machine.
PGP is key-based encryption: the *.asc file is the private key, so we can use it to decrypt files. I try to decrypt credential.pgp using a tool called gpg in Linux.
My evil plan is foiled when I am prompted for a password.
I sit for a bit and wonder whether I am supposed to crack this; then I remember that if zip2john exists, what are the chances that pgp2john does too?
How about gpg2john?
Success! Time to grab the hash and get cracking.
Now that I have the password, I can decrypt credential.pgp.
Looks like horizontal privesc: another user is compromised. I SSH in as Merlin and begin looking for privesc vectors.
I run into this zip binary almost instantly. I look the binary up on GTFOBins and become root.
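The defender's counterpart to that GTFOBins lookup is finding, before anyone else does, which sudo rules hand out binaries with a documented shell escape. The script below is an added example, not code from the original post; the post does not say how zip came to be privileged, so a sudo rule is assumed here. The sudoers content is constructed, and the binary list is a small hand-picked subset of what GTFOBins documents.

```python
import os
import re

# Constructed subset of binaries GTFOBins documents as able to drop to a shell or
# write arbitrary files when run with elevated rights (zip is the one this box used).
SHELL_ESCAPE_BINS = {"zip", "tar", "vim", "vi", "less", "more", "find", "awk",
                     "python3", "perl", "env", "bash", "sh"}

# Constructed sample sudoers: one unrestricted group, one zip rule, one tightly scoped rule.
SUDOERS_SAMPLE = """\
# constructed sample, not a real host's file
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/zip
bob     ALL=(root) NOPASSWD: /usr/bin/systemctl status nginx
"""

# who  host=(runas)  [TAG:]*  command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return (principal, command, reason) tuples for every rule worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who = m.group("who")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                # root having ALL is expected; anyone else is a full-access rule.
                if who != "root":
                    findings.append((who, cmd, "unrestricted sudo"))
                continue
            # Match on the program name only, so "/usr/bin/zip" and "zip" are treated alike.
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPE_BINS:
                findings.append((who, cmd, "binary with a documented shell escape"))
    return findings


if __name__ == "__main__":
    for who, cmd, reason in audit_sudoers(SUDOERS_SAMPLE):
        print(f"{who:8} {cmd:40} {reason}")
```

Note that bob's rule is not flagged: it pins a full argument list to a binary with no shell-out, which is the shape a least-privilege sudo rule should have. A rule like alice's is fixed by removing it or by wrapping the one needed operation in a script that takes no user-controlled arguments.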
Oh Ghostcat, how did you stay hidden for so long?
(thanks flip67 for the meme) (again)