Jacobtheboss Tryhackme Walkthrough

Well, the flaw that makes up this box is the reproduction found in the production environment of a customer a while ago, the verification in season consisted of two steps, the last one within the environment, we hit it head-on and more than 15 machines were vulnerable that together with the development team we were able to correct and adapt.

jacobtheboss

IP: 10.10.66.61

  • First of all, add the jacobtheboss.box address to your hosts file.
/etc/hosts

I did a Nmap scan and the results were as follows:

nmap scan results

As you can see in the above results, we have got a lot of ports to enumerate.

Let’s start off with port number 80 which is running on Apache Server.

Dirb scan results:

dirb scan results

I also tried going through the LICENSE file to see any kind of version used by the web server, but found nothing.

LICENSE

Nikto scan results:

Nikto scan results

The nikto scan results gave an useful output i.e /admin directory and after going through that I was able to get the admin login page.

Admin login page

Here, I tried using default username and password -> admin:admin / admin:password.

Let’s enumerate the remaining ports.

Jboss service

Now here I tried to search for serveral tomcat exploits.Unfortunately none of them worked.

There’s another web server running on port 8080 and it contains the jmx-console of Jboss server.

JMX Console

One thing we can do now is google what JMX is and can look up for any exploits.

What exactly is JBoss service?

JBoss application server is an open-source platform, developed by Red Hat, used for implementing Java applications and a wide variety of other software applications. You can build and deploy Java services to be scaled to fit the size of your business.

JBoss has this administrator panel known as JMX Console. It has same functionality as that of apache Tomcat service.

As apache tomcat is often deployed with weak or default credentials.Wrt that Jboss allows the administrators to upload WAR(Web application archive) files remotely through the admin console.

This can lead the attacker to get access to the system using a reverse shell malicious script.

I got this beautiful article that explains the vulnerability both manually and with a script.

jexboss automated script

I am gonna try using the automated script to get the malicious code into the server.

Clone the repo and cd into jexboss.

Usage: python jexboss.py –host http://jacktheboss.box :8080

VULNERABLE

Before you run this script, make sure you fire up the netcat listener.

netcat listener
user.txt

To get more stable shell we can use SSH.

Use the command ssh-keygen to generate a private and a public key pair.This will get stored in the root directory under ~/.ssh

You have to take the id_rsa.pub and copy it in the authorized_keys into the victim’s machine.

Now change the permissions of our private key to 600 and connect to SSH.

ssh login

Privilege Escalation:

Firstly I tried using sudo –l to see if the Jacob user has got any sudo rights.

I got stuck here for a while, even fired up linpeas script to get anything that can be helpful.

Then to check any SUID bit set files I used the following command:

SUID files

Did a quick google search for pingsys and found a very interesting article.

Escalating privileges using pingsys
root.txt

Thank you 😉 🚀

Happy Hacking 💻…

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store