TOMCAT

Introduction
Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta
Expression Language, and WebSocket technologies. It provides a "pure Java" HTTP web server
environment in which Java code can also run.
Enumeration
The first thing to do is to run a TCP Nmap scan against the common ports, using the following flags:
-sC to run the default scripts
-sV to enumerate application versions

As a result, we got: SSH (22), DNS (53), Apache JServ (8009), Apache Tomcat (8080).
Enumerating HTTP
After some enumeration of the ports, and on consulting the Apache JServ pentesting section of HackTricks, a known vulnerability called Ghostcat is mentioned: a local file inclusion that can allow attackers to obtain the contents of local files on the server, although it is somewhat limited.
CVE-2020-1938 - "GHOSTCAT"
Metasploit
I used Metasploit to work through this vulnerability:

To explain a little: if the AJP port is exposed, as it is in our example (8009), Tomcat might be susceptible to the Ghostcat vulnerability.

Ghostcat is an LFI vulnerability, but a somewhat restricted one: only files under a certain path can be pulled. Still, this can include files like WEB-INF/web.xml, which can leak important information such as credentials for the Tomcat interface, depending on the server setup.
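Since the exposure above comes down to how the AJP connector is configured, here is a small audit script, added as an example and not part of the original write-up, that parses a Tomcat server.xml and flags an AJP connector that is reachable from non-loopback addresses or that enforces no shared secret (the `address`, `secretRequired` and `secret` attributes are Tomcat's own connector attributes; the server.xml fragments are constructed, and the secret value is a placeholder):

```python
"""Audit a Tomcat server.xml for an AJP connector exposed the way Ghostcat needs.

Added example, not part of the original write-up. It reports, per AJP connector,
whether it is bound to a non-loopback address and whether a shared secret is
enforced. The sample server.xml fragments below are constructed for the demo.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: AJP on 8009, no address restriction, no secret (weak).
WEAK_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

# Constructed sample: AJP bound to loopback with a required secret (hardened).
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
           secretRequired="true" secret="PLACEHOLDER-CHANGE-ME" redirectPort="8443"/>
</Service></Server>"""

# Constructed sample: no AJP connector at all, which is the simplest mitigation.
NO_AJP_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding dict per AJP Connector element in server_xml."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():
            continue  # only AJP connectors are relevant to Ghostcat
        address = conn.get("address")  # absent means "listen on all interfaces"
        secret = conn.get("secret")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        issues = []
        if address is None or address not in LOOPBACK:
            issues.append("AJP connector reachable on a non-loopback address")
        if not secret_required or not secret:
            issues.append("AJP connector does not enforce a shared secret")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp_connectors(xml))
```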
SSH Login
After reading the web.xml file, we found some user credentials for an account that is also a user on the machine, so I tried to connect over SSH.

After some enumeration on the machine, we found the user.txt flag under the user merlin, and I tried to grab the two files from the other user, which appear to be a PGP private key.
So I ran a Python server on the machine, specifying the port, to grab the two files:

I tried to decrypt the credential.pgp file, but it requires a password, so I used John to extract the hash from the key with gpg2john, and after that I cracked the previously found hash with the wordlist, which gives the password for the user merlin.

Privilege escalation:
When running sudo -l, it appears that the merlin user can execute the zip binary as root; after some searching on GTFOBins, it appears this can easily be exploited to escalate privileges.

According to the zip man page, the -T flag is used to test the integrity of the archive being created, and -TT can be used in combination with it to specify the command that is executed against the archive for that test.