 
Nmap Output:
 
 
Apache Tomcat is running on port 8080.
 
When we search for vulnerabilities affecting Tomcat 9.0.30, we find the "auxiliary/admin/http/tomcat_ghostcat" module in Metasploit.
 
Ghostcat is a vulnerability in Tomcat servers that allows reading JavaServer Pages (JSP) files and other web application resources. An attacker can use it to gain unauthorized access to sensitive data or other important information on the server.
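The module above works because the AJP connector (port 8009 by default) was enabled and reachable on the target. As an added example, not code from the original write-up, the following Python script audits a Tomcat server.xml for exactly that exposure: an AJP connector bound beyond loopback or configured without a shared secret. Both configurations are constructed samples; the function and constant names are this example's own.

```python
"""Audit a Tomcat server.xml for an AJP connector that is reachable from the
network or has no shared secret, the exposure Ghostcat relies on.

Added example, not part of the original write-up. Both configurations below
are constructed samples; audit_ajp_connectors and LOOPBACK are this example's
own names.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a default-style connector block with AJP enabled on
# 8009 and neither an address nor a secret set.
EXPOSED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: the same service after hardening. Deleting the connector
# outright is the better fix when nothing fronts Tomcat over AJP.
HARDENED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-LONG-RANDOM-VALUE"
               redirectPort="8443"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector that needs attention.

    Each finding is {"port": str, "issues": [str, ...]}; an empty list means
    every AJP connector is loopback-only and protected by a secret.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        issues = []
        # Older releases bound AJP to every interface unless address= was set.
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            issues.append(f"bound to {address}, reachable from the network")
        # Without a secret, any client that reaches the port can speak AJP.
        if conn.get("secretRequired", "true").lower() != "true":
            issues.append("secretRequired explicitly disabled")
        elif not conn.get("secret"):
            issues.append("no AJP shared secret configured")
        if issues:
            findings.append({"port": conn.get("port", "8009"), "issues": issues})
    return findings


if __name__ == "__main__":
    for label, xml in (("exposed", EXPOSED_SERVER_XML),
                       ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or "no findings")
```

Run it against your own server.xml (the path depends on the distribution and install method) after patching Tomcat. Later Tomcat releases changed the defaults to a loopback bind and secretRequired="true", so the same check also catches configurations that were copied forward from an older install and still override those defaults.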
 
Let's launch the attack.
 
 
When we look at the result, we see user information.
 
Let's try to log in to SSH with this information.
 
 
Login successful.
 
 

scp skyfuck@10.10.53.70:/home/skyfuck/* .

Let's download the files from the target to our own machine with the command above.
 
Let's convert the .asc key file to a hash with the gpg2john command.
 
Now we can crack it with john.
 
 
Let's import the .asc file with the gpg --import command.
 
We can view the file with the passphrase we obtained, using the gpg --decrypt credential.pgp command.
 
 
We can log in as Merlin.
 
 
We see that the Merlin user can run the zip command as root with sudo.
 
We find our way with a little search on GTFOBins.
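The rule that lets merlin run zip as root is the kind of entry a sudoers review should catch before anyone needs GTFOBins. As an added example, not code from the original write-up, the following Python script parses a sudoers fragment and flags rules that grant a non-root user either ALL or a command known to break out to a shell. SAMPLE_SUDOERS is a constructed fragment (only the merlin rule mirrors the page); the function names and SHELL_ESCAPE_BINARIES are this example's own.

```python
"""Flag sudo rules that hand a non-root user a command that can break out to
a root shell, the pattern the write-up finds for merlin and zip.

Added example, not part of the original write-up. SAMPLE_SUDOERS is a
constructed fragment (only the merlin rule mirrors the page); the function
names and SHELL_ESCAPE_BINARIES are this example's own.
"""
import re
from os.path import basename

# Constructed sample sudoers fragment.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
ops     ALL=(root) /usr/bin/cat /var/log/syslog
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
"""

# Commands that can spawn a shell when run under sudo. Seeded with the page's
# own finding (zip); extend it from the GTFOBins "sudo" entries you care about.
SHELL_ESCAPE_BINARIES = {"zip"}

# Tag specifiers that may precede a command in a user specification.
SUDO_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
             "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
             "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

# user_or_%group  host = (runas[:rungroup]) [TAG:] command, command ...
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
DIRECTIVES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


def parse_user_specs(sudoers_text: str):
    """Yield (who, runas_user, command) for each command in each user spec."""
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(DIRECTIVES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        # A missing (runas) means root; "(user:group)" keeps only the user part.
        runas = (m.group("runas") or "root").split(":")[0] or "root"
        for cmd in m.group("cmds").split(","):
            tokens = cmd.split()
            while tokens and tokens[0].rstrip(":").upper() in SUDO_TAGS:
                tokens.pop(0)
            if tokens:
                yield m.group("who"), runas, " ".join(tokens)


def audit_sudoers(sudoers_text: str) -> list:
    """Return findings for rules that grant ALL or a known shell-escape binary."""
    findings = []
    for who, runas, command in parse_user_specs(sudoers_text):
        if who == "root":
            continue  # root gains nothing from sudo
        program = basename(command.split()[0])
        reason = None
        if command == "ALL":
            reason = "unrestricted command set"
        elif program in SHELL_ESCAPE_BINARIES:
            reason = f"{program} can spawn a shell as {runas}"
        if reason:
            findings.append({"who": who, "runas": runas,
                             "command": command, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['who']:<8} ({f['runas']}) {f['command']}: {f['reason']}")
```

Feed it the contents of /etc/sudoers and every file under /etc/sudoers.d (the parser deliberately skips Defaults and alias lines, so alias-based rules need to be expanded first). A hit on a binary like zip is a rule to remove, not to constrain with arguments, because the shell escape lives inside the program itself.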