PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
1090/tcp open ff-fms
1098/tcp open rmiactivation
1099/tcp open rmiregistry
3306/tcp open mysql
3873/tcp open fagordnc
4444/tcp open krb524
4445/tcp open upnotifyp
4446/tcp open n1-fwp
4457/tcp open prRegister
4712/tcp open unknown
4713/tcp open pulseaudio
8009/tcp open ajp13
8080/tcp open http-proxy
8083/tcp open us-srv
36348/tcp open unknown
40701/tcp open unknown
44894/tcp open unknown
Yikes! I didn’t run a detailed scan.
8080
At http://jacobtheboss.box:8080/ we find JBoss, and if we click through to http://jacobtheboss.box:8080/web-console/ we find, amongst other things:
JBoss™ Application Server
Version: 5.0.0.GA (build: SVNTag=JBoss_5_0_0_GA date=200812041721)
Version Name: Morpheus
Built on: December 4 2008
So this is old as anything; who wants to bet it’s our way in?
Searchsploit
Seems a likely candidate. I mirror it and try per the instructions:
But it doesn’t seem happy; I hardcode the port in the script and make a minor change to the argument parsing and this sorts it out, and I get a shell (of sorts).
For some reason I couldn’t get the shell I had to send me a ‘normal’ reverse shell, so instead I created an authorized_keys file and copied over my SSH public key. From there I could SSH in as Jacob.
While I was mucking around with this I also logged into the MySQL server on the host and grabbed Jacob’s hash from the DotClear database (it was running on Port 80); couldn’t break it though. Since I couldn’t break it I decided to change it:
This was just ‘password’ from https://bcrypt-generator.com/ but it didn’t help at all. Lol.
KOTH
I also had a go at this. It doesn’t award any points and there are apparently 9 flags. I rooted the box and found 7 of them.
My notes look like below. Essentially we got a hint about weak passwords from the FTP server with anon access, I tried Hydra and got in, then Python had the setuid capability set so that was root. I ran around and found most of the flags. The first flag was on the FTP server.
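The cap_setuid misconfiguration on Python that gave root above is easy to audit for. As an added example (not from the original writeup), here is a parser for `getcap -r /` output that flags binaries carrying identity-changing or DAC-bypassing capabilities and highlights interpreters; the sample output lines are constructed.

```python
import re
import subprocess

# Capabilities that let a process change identity or bypass file permissions; an
# interpreter carrying one of these is a root shell for anyone who can execute it.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin",
                  "cap_dac_override", "cap_dac_read_search", "cap_sys_ptrace"}
INTERPRETERS = re.compile(r"/(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|php[0-9.]*|node|lua[0-9.]*)$")

# Constructed sample covering both getcap output styles: older libcap prints
# "path = caps+ep", newer releases print "path caps=ep".
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/local/bin/perl cap_setuid,cap_setgid=ep
"""

def parse_getcap_line(line):
    """Return (path, set_of_caps) or None for a blank/unparseable line."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:                       # old style: "path = caps+flags"
        path, caps = line.split(" = ", 1)
    else:                                   # new style: "path caps=flags" (paths without spaces)
        path, _, caps = line.rpartition(" ")
        if not path:
            return None
    caps = caps.split("+", 1)[0].split("=", 1)[0]   # drop the effective/permitted flag letters
    return path, {c.strip() for c in caps.split(",") if c.strip()}

def audit(getcap_output):
    """Return [(path, sorted dangerous caps, is_interpreter)] for risky entries."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = caps & DANGEROUS_CAPS
        if risky:
            findings.append((path, sorted(risky), bool(INTERPRETERS.search(path))))
    return findings

def audit_host():
    """Audit the running host; requires libcap's getcap binary to be installed."""
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    return audit(out)

if __name__ == "__main__":
    for path, caps, interp in audit(SAMPLE_GETCAP):
        print(("INTERPRETER " if interp else "") + f"{path}: {','.join(caps)}")
```

Run `audit_host()` on a real box to list every file with a dangerous capability; any interpreter in the result is the same condition that handed over root here.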