Well, the flaw that makes up this box is a reproduction of one found in a customer's production environment a while ago. The verification back then consisted of two steps, the last one within the environment itself; we hit it head-on and found more than 15 vulnerable machines, which we were able to correct and adapt together with the development team.
- First of all, add the jacobtheboss.box address to your hosts file: edit /etc/hosts and add an entry for the machine's IP pointing to jacobtheboss.box.
I did an Nmap scan and the results were as follows:
As you can see in the above results, we have got a lot of ports to enumerate.
Let's start off with port 80, which is running an Apache web server.
Dirb scan results:
I also tried going through the LICENSE file to see any kind of version used by the web server, but found nothing.
Nikto scan results:
The Nikto scan gave a useful result, i.e. the /admin directory, and after going through that I was able to get to the admin login page.
Here, I tried using the default usernames and passwords -> admin:admin / admin:password.
Let’s enumerate the remaining ports.
Now here I tried searching for several Tomcat exploits. Unfortunately, none of them worked.
There is another web server running on port 8080, and it hosts the jmx-console of the JBoss server.
One thing we can do now is google what JMX is and look up any known exploits for it.
What exactly is JBoss service?
JBoss application server is an open-source platform, developed by Red Hat, used for implementing Java applications and a wide variety of other software applications. You can build and deploy Java services to be scaled to fit the size of your business.
JBoss has an administrator panel known as the JMX Console. It has the same functionality as that of the Apache Tomcat manager service.
Just as Apache Tomcat is often deployed with weak or default credentials, JBoss likewise allows administrators to upload WAR (Web Application Archive) files remotely through the admin console.
This can let an attacker gain access to the system by deploying a malicious reverse-shell script.
I am going to try using the automated script to get the malicious code onto the server.
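From the defender's side, the same console abuse described above leaves a clear trail in the web server's access log. The following detector is an added example, not code from the original post or from JBoss: it parses Combined Log Format lines and flags requests to the JBoss management consoles, rating any POST or any request naming the deployer MBean (the well-known jboss.system:service=MainDeployer) as a likely deployment attempt. The log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Combined Log Format), not taken from the box.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jun/2021:10:02:15 +0000] "GET /jmx-console/ HTTP/1.1" 200 5678 "-" "python-requests/2.25"
10.0.0.9 - - [12/Jun/2021:10:02:16 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:service=MainDeployer HTTP/1.1" 200 9876 "-" "python-requests/2.25"
10.0.0.9 - - [12/Jun/2021:10:02:17 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 321 "-" "python-requests/2.25"
10.0.0.7 - - [12/Jun/2021:10:05:00 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "curl/7.68"
"""

# Combined Log Format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# JBoss management paths that should never be reachable from untrusted networks.
CONSOLE_PREFIXES = ("/jmx-console", "/web-console", "/invoker")
# Markers of deployer MBean access through the HtmlAdaptor; treated here as deployment indicators.
DEPLOY_MARKERS = ("MainDeployer", "invokeOp")

def classify(line):
    """Return (severity, reason) for one log line, or None if it is not console traffic."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if not path.startswith(CONSOLE_PREFIXES):
        return None
    deploy_hit = any(marker in path for marker in DEPLOY_MARKERS)
    if m.group("method") == "POST" or deploy_hit:
        return "high", f"{m.group('ip')} {m.group('method')} {path}: possible deployment via console"
    if m.group("status") == "200":
        return "medium", f"{m.group('ip')} reached {path} unauthenticated (HTTP 200)"
    return "low", f"{m.group('ip')} probed {path} (HTTP {m.group('status')})"

def scan_log(text):
    """Run classify() over every line and return the list of findings."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]

def summarize(findings):
    """Count findings per severity, e.g. Counter({'high': 2, 'medium': 1})."""
    return Counter(sev for sev, _ in findings)

if __name__ == "__main__":
    for sev, reason in scan_log(SAMPLE_LOG):
        print(f"[{sev.upper()}] {reason}")
```

Feeding real Apache or JBoss access logs through `scan_log` (and restricting the console paths to an admin network in the first place) would have caught each of the 15 exposed hosts mentioned at the top of the post.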
Clone the repo and cd into jexboss.
Usage: python jexboss.py -host http://jacobtheboss.box:8080
Before you run this script, make sure you fire up a netcat listener.
To get a more stable shell we can use SSH.
Use the ssh-keygen command to generate a private and public key pair. These are stored in the home directory under ~/.ssh.
Take id_rsa.pub and copy its contents into authorized_keys on the victim's machine.
Now change the permissions of our private key to 600 and connect over SSH.
First, I tried using sudo -l to see if the Jacob user has any sudo rights.
I got stuck here for a while, and even fired up the linpeas script to find anything that could be helpful.
Then, to check for any files with the SUID bit set, I used the following command:
Did a quick Google search for pingsys and found a very interesting article.
Thank you 😉 🚀
Happy Hacking 💻…