TryHackMe write-up: Jacob the Boss


Introduction


This is my write-up for TryHackMe's Jacob the Boss room.

Enumeration

Using nmap, I saw that this box has several open ports.



Checking port 80 in my browser, I saw what looked to be a blog running Dotclear.



Checking port 8080, I found that the target is also running JBoss.


Exploitation

Searching for a JBoss exploit, I came across the JexBoss tool. It checks JBoss (and other Java applications) for Java deserialization vulnerabilities and exploits them.

After downloading the tool and installing its prerequisites, I ran it with the following command:
    python jexboss.py -host http://jacobtheboss.box:8080/



Checking my netcat listener, I found a connection from the target.



Privilege Escalation

Searching for files with the SUID bit set, I came across a peculiar one.


Decompiling the binary with Ghidra, I found that it runs the ping command with UID=0.



Looking at the decompiled code, it seemed vulnerable to command injection. Testing this out, I found I could run commands as root.



I then injected /bin/sh to get an interactive shell as root.
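To make the privilege-escalation step concrete, here is an added example in C. It is not the binary from the box (that one was only read through Ghidra, and its source is not reproduced in this write-up): it reconstructs the pattern described above, a SUID-root wrapper that pastes its argument into a ping command line and hands it to system(), next to a hardened version that validates the argument and execs ping with a fixed argv so no shell ever parses the input. The "127.0.0.1; /bin/sh" payload, the /bin/ping path and all function names are assumptions.

```c
/* Added example: reconstruction of the vulnerable SUID pattern, not the
 * room's own binary. Payload string, ping path and names are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CMD_MAX 256

/* Vulnerable pattern: the caller's argument is pasted into a shell command
 * line. Returns the string that system() would hand to /bin/sh -c, so a host
 * such as "127.0.0.1; /bin/sh" (constructed sample; the room's exact payload
 * is not shown in the write-up) becomes two commands, the second run as root. */
const char *vulnerable_command_line(const char *host) {
    static char cmd[CMD_MAX];
    int n = snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    if (n < 0 || (size_t)n >= sizeof cmd) {
        cmd[0] = '\0';          /* too long: refuse rather than truncate */
    }
    return cmd;
}

/* Hardened check: allow only characters valid in a hostname or dotted-quad
 * address, and refuse a leading '-' so the value cannot be read by ping as
 * an option. Returns 1 when the argument is safe to pass on, 0 otherwise. */
int is_safe_host(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* What the SUID binary on the box appears to do, as reconstructed from the
 * write-up: raise privileges, then run the concatenated line via a shell.
 * Never build a real setuid wrapper this way. */
int run_ping_vulnerable(const char *host) {
    const char *cmd = vulnerable_command_line(host);
    if (cmd[0] == '\0') return -1;
    if (setuid(0) != 0) return -1;
    return system(cmd);
}

/* Hardened wrapper: validate, then exec ping with a fixed argv so no shell
 * ever parses the user's input. Only returns on failure. */
int run_ping_hardened(const char *host) {
    if (!is_safe_host(host)) {
        fprintf(stderr, "rejected host argument: %s\n", host);
        return -1;
    }
    char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
    if (setuid(0) != 0) return -1;
    execv("/bin/ping", argv);   /* path is an assumption; varies by distro */
    perror("execv");
    return -1;
}

int main(int argc, char **argv) {
    /* Default argument is the constructed injection payload. */
    const char *host = argc > 1 ? argv[1] : "127.0.0.1; /bin/sh";
    printf("vulnerable wrapper would run: sh -c '%s'\n",
           vulnerable_command_line(host));
    printf("hardened wrapper %s this argument\n",
           is_safe_host(host) ? "accepts" : "rejects");
    return 0;
}
```

Compile with gcc and run it with a host argument, or with none to see the constructed injection; main never calls the vulnerable wrapper, which is there only to show the shape of the bug. The point to take away is that validation alone is the weaker half of the fix: once ping is reached through execv with a fixed argv, a ';' in the argument is just part of a hostname ping fails to resolve, not a command separator.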





