TryHackMe! Ghostcat CVE-2020-1938

Captions
Hey everyone, at the front of this video I wanted to include a short and quick little announcement, because I'm very, very excited about this: NahamCon. NahamCon is happening June 13th, 2020, this Saturday. That'll be live on twitch.tv/nahamsec. Ben from HackerOne is going to be putting this event on along with myself, STÖK and The Cyber Mentor. There'll be seven hours of talks, and Sunday is dedicated to three different workshops, so you can find out the whole talk schedule and everything online at nahamcon.com. Along with that, I'm going to be hosting the capture the flag competition. The capture the flag competition starts the day before, June 12th, that Friday, and it'll go until about the time for my talk at the very end of the actual conference on Saturday. Registration is finally open and live, so if you want to go check that out you can go to ctf.nahamcon.com. That is HTTPS, because I know a lot of people got angry at me when I posted VirSecCon without it. But please, please, please go register. It's going to be a 31-hour competition. If you enjoyed VirSecCon, this game will be even bigger and even better, so please go sign up. It's going to be a blast, and I'm really, really excited about it, and I hope that you are too. So please go check it out, ctf.nahamcon.com, and enjoy the video. I'll see you guys there next week, only seven days till the game.

Hello everyone, my name is John Hammond, welcome back to another TryHackMe YouTube video. In this case I want to be showcasing the TomGhost room, which demonstrates the Ghostcat vulnerability, very, very recent in terms of some Tomcat web servers. So let's hop on over to my screen. I'll show you the room here; I've got it open, I've joined the room and I've deployed the machine. The only prompt that we have for all of these is "compromise this machine and obtain user.txt" and then "escalate privileges and obtain root.txt", so it looks like we're just kind of on our own, not usually the guided process that TryHackMe typically offers for us.

So I have this machine here. I'll go ahead and create a directory for this, so let's make a directory tomghost, let's hop in there, and I will create a README directory, or a file anyway, so I can keep track of some of our notes here. With that, I will keep track of the IP address as a variable so I can just spit that into a lot of different shells and don't have to retype it all the time. I'll create all these tasks here. Let's actually create a section for the nmap scan, which we can go ahead and fire off. Ideally, hopefully, hopefully the machine is up and all the ports are accessible; if not, I'll just pause the video and we'll keep waiting, but I have been able to ping it. Oh, and I need to go ahead and create that nmap directory. There we go. But I mean, as you can see, here I'll ping the IP address; he seems to be up, so hopefully that nmap scan will return some good stuff for us. But anyway, let's go try to see if it has a web server. I entered my export command into my URL bar, so that wasn't very, very helpful. Okay, he still needs a little bit of time to get his web server up, so I'll pause the video and we'll get back to it once that's ready.

Okay, so it's been a few minutes and my nmap scan actually returned. Looks like we have port 22 open, 53 and 8009, as well as 8080. So the 8080 must be Tomcat; looks like there actually wasn't anything on 80 itself, so that page would never have loaded for me regardless. Apache Tomcat, one of the later versions; this one should still be susceptible to Ghostcat, this recent vulnerability. Let me go ahead and do some googling on that. Let's check out Ghostcat, see what it really is. If you want to do a little bit more in-depth reading here you certainly can; there is a lot of articles about it, on this new recent vulnerability, 2020.

So it came out in March. AJP protocol, Apache JServ Protocol: a binary protocol used in the Apache Tomcat web servers, messaging communication with the server and servlets. I won't go deep in the weeds on really everything that this contains; I'd rather just go ahead and exploit it. The notion here, though, is that this can quickly become a venue and outlet for remote code execution, so we can turn in and get control of the box. I actually have an interesting tweet here: if you upload files and those are saved in an accessible spot, those could be turned into remote code execution. I believe we don't do that in this specifically, in the Ghostcat room; let's see what we do, though. So I'm gonna just simply google the Ghostcat GitHub exploits, or "ghost hat", et cetera, et cetera, "ghostcat exploit github", whatever you want to track down. I see a cool one from "full hub", I see some verification one. I've had a lot of success with the 00theway one, but again it's certainly useful and I'm willing to go check out some of these. It looks like this one also does a similar technique as what the others do. The verification one I haven't checked out, though; that looks like it might just try to determine if it is vulnerable but not actually exploit it. This one, ajpShooter from 00theway, looks to work very, very well, kind of from my testing prior, so let's go ahead and download this. I'll git clone it. Checking out the usage here, it showcases the arguments that we can supply: the URL, the port, whether we want to read or evaluate something, and what we might be looking for. So the WEB-INF/web.xml file in Tomcat, and in AJP for what we're working with, might very well have some useful information on users and other system configuration files. So let's go ahead and try that; that's in the Ghostcat directory now. If I were to run python ajpShooter, it looks like it needs all of the arguments that we would supply, so the URL for one thing, the AJP port, and you can see in the screenshots that showcase some good examples here. So I'll fire this up: 8080 is for the actual Tomcat itself, and you can see that again in our example here; the AJP server was on 8009, and what we want to read, WEB-INF/web.xml, and read. So 8009, WEB-INF/web.xml, read; that triggers it and fires it away. Looks like it says "welcome to ghostcat" and potentially some credentials here with this skyfuck user, and that. So that read that web.xml file for us, and now we've got that useful information. I'm just going to copy this and slap it into our notes, "exploiting ghostcat".

So we have this user skyfuck. Okay, so SSH is open, so we could potentially SSH with that to the IP address. Go ahead and do that; we'll grab his password in here. Okay, all right, so what do we have in here? Looks like we have a credential.pgp and a tryhackme.asc file, so these are some GNU Privacy Guard or Pretty Good Privacy files that are encrypted, so we could go ahead and work with these. I'm gonna go ahead and download them, so let's scp to skyfuck at that IP address and let's grab everything in their home directory and move it into this here. It's going to ask for that password, which we should still have in our clipboard, so I can just paste that in and now we're downloading these. So this .asc file, let's take a look at these. Let me file these. Open the .asc file; it has some particular information here. If I check this out, it is a private key block, so we might need to crack this. We can thankfully do this with John the Ripper, so let's start that process. The credential.pgp file, that's the straight-up encrypted one, so we're going to need to use that with kind of the key that we could potentially get out of the .asc file. Let's use /opt/john, run gpg2john on our tryhackme.asc, and then we can go ahead and give that to a file, hashes for john, and now let's run that John the Ripper utility on that hashes-for-john file, and we'll use our wordlist rockyou.txt, which I have in my /opt directory because that's where I put a lot of my tools and stuff. Looks like it can crank through this, in other words. I don't know if I need to supply a format or it'll figure it out, so I'm gonna stand by and see if it actually cracks anything. Okay, as that was rolling through I realized I probably had that argument set up in the wrong way; I should use the wordlist before I specify the actual hashes that I want to use, because that way it won't get confused on what hashes it might be looking at. So --wordlist rockyou.txt. Now when that's cranking through it, awesome, it finds the password.

So that should be gpg --import that tryhackme.asc file, and using the password that we just cracked we should be able to go ahead and actually enter that. alexandru was what we used. That's been imported successfully; now I should be able to gpg --decrypt our credential.pgp. There we go. Okay, so merlin now is an account that we can access, and we have a successful password for that, so let's go ahead and, I guess, take note of that and try an SSH with that guy. So let's break out of that skyfuck session and let's move into merlin, supply that password, and now we have a new user that we can log in as. We have user.txt; there we go, there's our flag. I accidentally pasted the password in the prompt, whatever; let's go ahead and paste that guy in, and now let's start to try and enumerate, see how we can privesc. Checking just simple sudo entries: looks like, what commands can we run as merlin with sudo privileges? We can run, no password, /usr/bin/zip, which is pretty great because that's totally gotta be something in GTFOBins. So let's go check out what we can do with zip. Should be able to go ahead and get a shell, so zip, go ahead and run something with getting a shell, and it needs a temporary directory, so whatever, let's just try to spin that up. There we go, entering those commands we simply have our flag as root. You can see our prompt here, we have our hashtag, so we are in fact root. If I check out my directory, I moved us into the root directory. id, whoami: we are in fact root. So let's check out that root.txt file. Super easy privesc to go ahead and steal that root.txt file.

Okay, that was that room. A little bit of a stumbling block, at least in my case, because gpg, I guess I don't know why I was being stupid and didn't even bother with the keys on that, but that's how you can do that: if you have that .asc file you can import that, get the correct password if you can determine that, and go ahead and decrypt anything that was used with that. So Ghostcat, right, that's the vulnerability, that was the kind of exploit, and I think that that reference there is actually really, really cool. Looking through these, ajpShooter seemed to be pretty effective in my case; I guess I'd have to take a look at some of these other tools and utilities to do some damage with that recent Tomcat vulnerability. Anyway, thank you guys so much for watching. I hope you enjoyed this video; if you did, please do press that like button. If you didn't, I don't know what to tell you, sorry, maybe next time; what do you want me to say? Okay, thanks for watching. Love to see you guys in the Discord server; there's a link in the description. Please do comment, please do subscribe, please do check it out on Patreon, PayPal, I appreciate any of your support. I'm so, so grateful for you guys, it's just surreal. So thanks for everything, take care. I'm gonna end the video now. This is weird. Goodbye.
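The video shows the attacker's side of Ghostcat: an AJP connector on 8009 that is reachable from the network and answers unauthenticated requests, which is what lets ajpShooter read WEB-INF/web.xml. The defender's side is the connector configuration in Tomcat's conf/server.xml. The script below is an added example written for this page, not code from the video, the TryHackMe room, the ajpShooter project or the Tomcat project. It parses a server.xml and flags each AJP connector that lacks a loopback bind address or a shared secret, the two settings the Tomcat fix releases (9.0.31, 8.5.51, 7.0.100) changed the defaults for. The three server.xml fragments are constructed samples; the `address`, `secret` and `secretRequired` connector attributes are real Tomcat attributes, and the secret value is a placeholder.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed the way Ghostcat (CVE-2020-1938) needs.

Added example for this page; not code from the video, the TryHackMe room or the Tomcat project.
The server.xml fragments below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Bind addresses on which an AJP connector is reachable only from the same host.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}

# Constructed sample: the default shipped before the fix releases, AJP on 8009
# with no bind address and no shared secret.
VULNERABLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: AJP kept for a reverse proxy on the same host, bound to
# loopback and protected by a shared secret (placeholder value, not a real secret).
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: AJP connector removed entirely, the simplest fix when no
# reverse proxy needs to speak AJP to this Tomcat.
NO_AJP_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> List[Dict[str, object]]:
    """Return one record per AJP connector: its port, bind address and a list of issues.

    An empty list means no AJP connector is configured at all, which is the
    strongest mitigation. An empty "issues" list means the connector is bound
    to loopback and requires a shared secret.
    """
    root = ET.fromstring(server_xml)
    records: List[Dict[str, object]] = []
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():
            continue
        issues: List[str] = []

        address = conn.get("address")
        if address is None:
            issues.append("no address attribute: releases before 9.0.31/8.5.51/7.0.100 "
                          "bind AJP to every interface")
        elif address not in LOOPBACK_ADDRESSES:
            issues.append(f"address {address!r} is not loopback: AJP reachable over the network")

        # secretRequired defaults to true on the fix releases; older releases have no secret at all.
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        secret = conn.get("secret")
        if not secret_required:
            issues.append('secretRequired="false": unauthenticated AJP requests are accepted')
        elif not secret:
            issues.append("no secret configured: fix releases refuse to start this connector, "
                          "older releases accept unauthenticated AJP requests")

        records.append({"port": conn.get("port"), "address": address, "issues": issues})
    return records


def is_ghostcat_exposed(server_xml: str) -> bool:
    """True if any AJP connector in the config has at least one issue."""
    return any(record["issues"] for record in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    samples = [("vulnerable", VULNERABLE_SERVER_XML),
               ("hardened", HARDENED_SERVER_XML),
               ("no-ajp", NO_AJP_SERVER_XML)]
    for name, xml_text in samples:
        print(f"[{name}] exposed={is_ghostcat_exposed(xml_text)}")
        for record in audit_ajp_connectors(xml_text):
            for issue in record["issues"]:
                print(f"  AJP port {record['port']}: {issue}")
```

Run it against a real conf/server.xml by reading the file into a string and passing it to `audit_ajp_connectors`. The checker reads only the configuration, so it cannot tell which Tomcat release is installed; an AJP connector with no `address` and no `secret` is safe only on a fix release, where the connector refuses to start, and exposed on anything older, which is why both cases are reported as issues.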
Info
Channel: John Hammond
Views: 45,026
Id: -Cy4u6fA3Os
Length: 12min 54sec (774 seconds)
Published: Fri Jun 05 2020