TomGhost — THM Writeup
Machine Overview
Machine Name: TomGhost
Target IP: 10.10.xxx.xxx
Operating System: Linux (Ubuntu-based)
This assessment focused on exploiting a vulnerable Apache Tomcat setup, credential discovery via exposed internal files, and privilege escalation using misconfigured sudo permissions.
1️⃣ Initial Reconnaissance
The engagement began with a TCP scan to identify exposed services and understand the attack surface.
🔍 Nmap Scan
nmap -sC -sV 10.10.xxx.xxx
📌 Key Findings
The following services were identified:
- Port 22 (SSH): OpenSSH 7.2p2 (Ubuntu Linux)
- Port 53 (TCP): tcpwrapped
- Port 8009 (AJP): Apache JServ Protocol v1.3
- Port 8080 (HTTP): Apache Tomcat 9.0.30
The presence of AJP (8009) alongside Tomcat (8080) immediately stood out, as this combination is frequently associated with historical misconfigurations.
2️⃣ Service Analysis
An initial review of the SSH service suggested an older version, and username enumeration behavior was observed during testing. While enumeration produced inconsistent results, it confirmed that SSH was not the primary entry point.
Attention then shifted to the Tomcat stack.
3️⃣ Tomcat Vulnerability Identification
Apache Tomcat version 9.0.30 is known to be affected by a critical vulnerability:
CVE-2020-1938 (Ghostcat)
This vulnerability allows attackers to read arbitrary files from the Tomcat server through the AJP connector when misconfigured.
Given that:
- Port 8009 was exposed
- Tomcat was publicly accessible
The system appeared to be a strong candidate for exploitation.
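The condition Ghostcat depends on is visible in Tomcat's own configuration: an AJP connector that listens on every interface and has no shared secret. The following audit script is an added example written for this writeup, not code from the original post or from the Tomcat project. The two server.xml fragments are constructed samples (the weak one mirrors the pre-9.0.31 default, the hardened one the 9.0.31+ default), and the secret value is a placeholder.

```python
"""Audit a Tomcat server.xml for an AJP connector exposed the way Ghostcat
(CVE-2020-1938) requires: reachable off-box and without a shared secret.
Added example, not part of the original writeup."""
import xml.etree.ElementTree as ET

# Constructed sample: the pre-9.0.31 style connector on port 8009, listening on
# every interface with no secret. This is what an exposed AJP port usually means.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: bound to loopback and protected by a secret, which is the
# shape Tomcat 9.0.31 and later default to. The secret is a placeholder.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET" redirectPort="8443" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding per AJP connector, listing the weaknesses found."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        issues = []
        # No address attribute means Tomcat binds all interfaces.
        address = conn.get("address")
        if address is None or address not in LOOPBACK:
            issues.append("bound to non-loopback address")
        if conn.get("secretRequired", "").lower() == "false":
            issues.append("secretRequired explicitly disabled")
        elif not conn.get("secret"):
            issues.append("no AJP secret configured")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


def is_ghostcat_exposed(server_xml: str) -> bool:
    """True if any AJP connector is reachable off-box without a shared secret."""
    unauthenticated = {"secretRequired explicitly disabled", "no AJP secret configured"}
    return any(
        "bound to non-loopback address" in f["issues"]
        and unauthenticated.intersection(f["issues"])
        for f in audit_ajp_connectors(server_xml)
    )


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(cfg), "exposed:", is_ghostcat_exposed(cfg))
```

Run it against a real `$CATALINA_BASE/conf/server.xml` by reading the file into `audit_ajp_connectors`. Either remediation alone is insufficient in practice: binding to loopback stops remote reads, but a secret is still needed if a reverse proxy on another host must reach the connector, and removing the connector entirely is the right fix when nothing uses AJP.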
4️⃣ Exploitation via AJP (Ghostcat)
Exploiting the AJP vulnerability resulted in access to sensitive internal files.
During this process, credentials were disclosed:
skyfuck : 8730281lkjlkjdqlksalks
These credentials appeared to belong to a valid system user.
5️⃣ Initial Access via SSH
Using the recovered credentials, SSH authentication was attempted.
The login was successful, resulting in a stable user-level shell.
At this stage:
- Initial foothold obtained
- user.txt flag retrieved and submitted
6️⃣ Post-Exploitation Enumeration
With user access established, standard privilege escalation checks were performed.
- sudo access was not available for the current user
- SUID binaries did not present immediate escalation paths
During filesystem enumeration, an encrypted PGP file was discovered.
7️⃣ Lateral Movement
The PGP file was extracted and cracked, revealing credentials for another user:
merlin
Using these credentials, access was switched to the merlin account.
Running sudo -l as this user revealed a critical misconfiguration.
8️⃣ Privilege Escalation
The zip binary was permitted to run with sudo privileges.
Although zip is not typically considered dangerous, it can be abused to execute arbitrary commands when misconfigured.
By leveraging known GTFOBins techniques, a root shell was spawned.
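The rule that made this escalation possible is the kind of thing an administrator can find before an attacker does by auditing `sudo -l` output (or the sudoers file) for binaries that GTFOBins documents as able to spawn a shell or run arbitrary commands. The script below is an added example for this writeup, not code from the original post or from GTFOBins. The `sudo -l` text it parses is a constructed sample in the shape the command prints, the `/usr/local/bin/backup.sh` path is invented, and the binary list is a deliberately small subset of GTFOBins entries.

```python
"""Flag sudo rules that grant root execution of shell-escape-capable binaries.
Added example, not part of the original writeup."""
import re

# Small subset of binaries documented on GTFOBins as able to run arbitrary
# commands or spawn a shell when permitted under sudo. Extend from GTFOBins.
SHELL_ESCAPE_BINARIES = {
    "zip", "tar", "find", "vim", "vi", "less", "more", "awk", "perl",
    "python", "python3", "env", "bash", "sh", "nmap", "man", "ftp",
}

# Constructed sample shaped like `sudo -l` output; the backup.sh path is invented.
SAMPLE_SUDO_L = """Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
    (root) /usr/local/bin/backup.sh
"""

# Matches rule lines of the form "(runas[:group]) [TAG: ...] /path/cmd [args]".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)


def parse_sudo_rules(output: str) -> list[dict]:
    """Extract runas, NOPASSWD flag, command and arguments from `sudo -l` text."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines, headers and blanks are skipped
        rules.append({
            "runas": m.group("runas").replace(" ", ""),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "cmd": m.group("cmd"),
            "args": m.group("args").strip(),
        })
    return rules


def risky_rules(output: str) -> list[dict]:
    """Return rules that run ALL or a shell-escape-capable binary as root."""
    flagged = []
    for rule in parse_sudo_rules(output):
        runas_user = rule["runas"].split(":")[0]
        if runas_user not in ("root", "ALL"):
            continue
        basename = rule["cmd"].rsplit("/", 1)[-1]
        if rule["cmd"] == "ALL" or basename in SHELL_ESCAPE_BINARIES:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    for rule in risky_rules(SAMPLE_SUDO_L):
        print("RISKY:", rule)
```

Feed it real output with `sudo -l | python3 audit_sudo.py`-style piping by reading `sys.stdin` instead of the sample. A flagged rule such as the zip entry should be removed or replaced with a purpose-built wrapper script that takes no user-controlled arguments; restricting arguments in sudoers is not enough for binaries that can be driven into a shell from an interactive prompt.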
9️⃣ Root Access
- Root privileges confirmed
- root.txt flag retrieved and submitted
- Full system compromise achieved
This concluded the assessment.
🧠 Key Takeaways
- Exposed AJP connectors pose serious risks when paired with Tomcat
- Ghostcat remains a powerful example of configuration-based vulnerabilities
- Credential exposure often enables direct system access without brute force
- Encrypted files can enable lateral movement when cracked
- Seemingly harmless binaries can become escalation vectors under sudo
📬 Contact & Projects
Email: dakshbaweja20@gmail.com
GitHub: https://github.com/sudo0xksh
🚀 Deteroid
Deteroid is a dedicated review platform for bug bounty hunters to share insights, rate programs, and collaborate on cybersecurity findings. Empowering ethical hackers with community-driven intel to hunt bugs smarter.
📸 Instagram: https://www.instagram.com/deteroids/