agencygasil.blogg.se

Toem ghost helper

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

The scan has identified a few open ports: 22 (SSH), 53 (DNS), 8009 (Apache JServ) and 8080 (HTTP using Apache Tomcat). The next step will be to start enumerating HTTP.

Navigating to the site on port 8080 leads to the Tomcat home page, which appears to be version 9.0.30:

The Apache JServ Protocol (AJP) is a binary version of the HTTP protocol. It is primarily used when clustering or reverse proxies are required, as it is optimized for these specific scenarios.

The Apache JServ Pentesting section of HackTricks mentions a known vulnerability called Ghostcat, a local file inclusion that can allow attackers to obtain the contents of local files on the server, although it is somewhat limited:

This issue can only occur if the AJP Connector (running on port 8009) is exposed externally, which is not a recommended configuration, as there is no need for it to be publicly accessible.

Exploiting Ghostcat

Cloning the exploit mentioned in HackTricks:


This was an easy Linux machine that involved exploiting the Ghostcat vulnerability affecting Apache Tomcat to gain initial access, cracking the hash of a GPG private key and exploiting the Zip binary with Sudo permissions enabled to escalate privileges to root.












