Skip to content

0xdc10/tomghost-thm

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commits

CNVD-2020-10487-Tomcat-ajp-POC

CNVD-2020-10487-Tomcat-ajp-POC

 
 

CVE-2020-1938.py

CVE-2020-1938.py

 
 

README.md

README.md

 
 

ascforjohn.hash

ascforjohn.hash

 
 

credential.pgp

credential.pgp

 
 

dirb.log

dirb.log

 
 

edb-49039.rb

edb-49039.rb

 
 

exploit.log

exploit.log

 
 

john.log

john.log

 
 

nikto.log

nikto.log

 
 

tryhackme.asc

tryhackme.asc

 
 

Repository files navigation

TomGhost

IP: 10.10.102.122

PORTS:

  • 22
  • 53
  • 8080 - tomcat - v9.0.30
  • 8009 - apache-jserv v1.3

AJP

  • ghostcat
  • CVE-2020-1938

https://github.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat/blob/main/CVE-2020-1938.py

  • running CVE-2020-1938.py - errors
  • tried another ghostcat-POC, fixed it for python3
  • got creds: skyfuck:8730281lkjlkjdqlksalks
  • got files
    • credential.pgp
    • tryhackme.asc
  • got user.txt in /home/merlin
  • skyfuck can't sun sudo

PGP

  • cracked asc with JtR
  • pass: alexandru
  • decrypyted credential.gpg
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

MERLIN

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip

Privilage Escalation - GTFOBIN

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
  • got /root/root.txt

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages