From 6e00a3a621b9defec44a2187f0b8ce9f9ca09050 Mon Sep 17 00:00:00 2001
From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Sun, 15 Nov 2020 01:46:45 +0500
Subject: [PATCH] Add files via upload
---
TryHackMe/Tony_The_Tiger.md | 202 ++++++++++++++++++++++++++++++++++++
1 file changed, 202 insertions(+)
create mode 100644 TryHackMe/Tony_The_Tiger.md
diff --git a/TryHackMe/Tony_The_Tiger.md b/TryHackMe/Tony_The_Tiger.md
new file mode 100644
index 0000000..f4d1fb4
--- /dev/null
+++ b/TryHackMe/Tony_The_Tiger.md
@@ -0,0 +1,202 @@
+# TryHackMe-Tony The Tiger
+
+## NMAP
+
+```
+Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-14 20:08 PKT
+Nmap scan report for 10.10.127.87
+Host is up (0.15s latency).
+Not shown: 989 closed ports
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 1024 d6:97:8c:b9:74:d0:f3:9e:fe:f3:a5:ea:f8:a9:b5:7a (DSA)
+| 2048 33:a4:7b:91:38:58:50:30:89:2d:e4:57:bb:07:bb:2f (RSA)
+| 256 21:01:8b:37:f5:1e:2b:c5:57:f1:b0:42:b7:32:ab:ea (ECDSA)
+|_ 256 f6:36:07:3c:3b:3d:71:30:c4:cd:2a:13:00:b5:25:ae (ED25519)
+80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
+|_http-generator: Hugo 0.66.0
+|_http-server-header: Apache/2.4.7 (Ubuntu)
+|_http-title: Tony's Blog
+1090/tcp open java-rmi Java RMI
+|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
+1091/tcp open java-rmi Java RMI
+1098/tcp open java-rmi Java RMI
+1099/tcp open java-object Java Object Serialization
+| fingerprint-strings:
+| NULL:
+| java.rmi.MarshalledObject|
+| hash[
+| locBytest
+| objBytesq
+| xpCCB
+| xpCCB
+| #http://thm-java-deserial.home:8083/q
+| org.jnp.server.NamingServer_Stub
+| java.rmi.server.RemoteStub
+| java.rmi.server.RemoteObject
+| xpwA
+| UnicastRef2
+|_ thm-java-deserial.home
+4446/tcp open java-object Java Object Serialization
+5500/tcp open hotline?
+| fingerprint-strings:
+| DNSStatusRequestTCP:
+| GSSAPI
+| NTLM
+| CRAM-MD5
+| DIGEST-MD5
+| thm-java-deserial
+| DNSVersionBindReqTCP, GenericLines, NULL:
+| CRAM-MD5
+| GSSAPI
+| NTLM
+| DIGEST-MD5
+| thm-java-deserial
+| GetRequest:
+| DIGEST-MD5
+| CRAM-MD5
+| GSSAPI
+| NTLM
+| thm-java-deserial
+| HTTPOptions:
+| DIGEST-MD5
+| GSSAPI
+| CRAM-MD5
+| NTLM
+| thm-java-deserial
+| Help:
+| NTLM
+| GSSAPI
+| DIGEST-MD5
+| CRAM-MD5
+| thm-java-deserial
+| Kerberos:
+| CRAM-MD5
+| DIGEST-MD5
+| GSSAPI
+| NTLM
+| thm-java-deserial
+| RPCCheck:
+| NTLM
+| DIGEST-MD5
+| CRAM-MD5
+| GSSAPI
+| thm-java-deserial
+| RTSPRequest:
+| GSSAPI
+| NTLM
+| DIGEST-MD5
+| CRAM-MD5
+| thm-java-deserial
+| SSLSessionReq:
+| GSSAPI
+| DIGEST-MD5
+| NTLM
+| CRAM-MD5
+| thm-java-deserial
+| TLSSessionReq:
+| GSSAPI
+| DIGEST-MD5
+| NTLM
+| thm-java-deserial
+| TerminalServerCookie:
+| DIGEST-MD5
+| CRAM-MD5
+| NTLM
+| GSSAPI
+|_ thm-java-deserial
+8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
+| ajp-methods:
+| Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS
+| Potentially risky methods: PUT DELETE TRACE
+|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
+8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
+| http-methods:
+|_ Potentially risky methods: PUT DELETE TRACE
+|_http-open-proxy: Proxy might be redirecting requests
+|_http-server-header: Apache-Coyote/1.1
+|_http-title: Welcome to JBoss AS
+8083/tcp open http JBoss service httpd
+|_http-title: Site doesn't have a title (text/html).
+```
+## PORT 80
+
+
+
+We see an image so let's see if there is any stegongraphy involved in this
+
+
+
+I tried to run `steghide` to extract something from the image but failed as there is something wrong with the bytes in the image
+
+
+
+Run `strings` on the image
+
+
+
+
+Now download `jboss.zip` which is provided in the room
+
+
+
+## PORT 8080
+
+
+
+There is an `administrative console` and try to login with default credentials which are `admin`:`admin`
+
+
+
+
+
+
+
+
+
+Now search for the `jboss` exploit and on the github page you'll find it
+
+
+
+Run it like it does in the picture
+
+
+
+
+
+Looking in `jboss` directory we'll find a password
+
+
+
+## Privilege Escalation
+
+
+
+We can see that we can run `find` as `sudo` so we can run find to execute a command to add `jboss` in sudoers
+
+`jboss@thm-java-deserial:~$ sudo /usr/bin/find . -exec usermod -aG jboss \;`
+
+
+```
+jboss@thm-java-deserial:~$ sudo -l
+Matching Defaults entries for jboss on thm-java-deserial:
+ env_reset, mail_badpass,
+ secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+User jboss may run the following commands on thm-java-deserial:
+ (ALL) NOPASSWD: /usr/bin/find
+ (ALL : ALL) ALL
+jboss@thm-java-deserial:~$ sudo bash
+[sudo] password for jboss:
+root@thm-java-deserial:~#
+```
+To get the root flag , it is in `base64` encoded
+
+
+
+Now let's use `hashcat` it is in `md5 raw` so we can crack it
+
+
+
+
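Review bot: the privilege-escalation command `sudo /usr/bin/find . -exec usermod -aG jboss \;` does not match the sentence above it and is not a complete command: `usermod -aG` expects a group followed by a user, the line passes only `jboss` and no `{}` placeholder for `find`'s `-exec`, and the `sudo -l` transcript that follows already lists `(ALL : ALL) ALL` for `jboss` while the `sudo bash` step then prompts for a password, so the `find` line does not explain the root shell shown. Please paste the exact command that was run together with its output, or drop the line and describe only what the transcript shows. Smaller points in the same file: several steps ("Run `strings` on the image", "try to login with default credentials", "Run it like it does in the picture", "Looking in `jboss` directory we'll find a password") refer to screenshots that are not part of this commit, leaving long runs of empty lines with no information, so either add the images to the commit with relative links or replace each with the command and its output; "stegongraphy" should be "steganography"; the nmap fence should carry a language tag and be followed by a blank line before `## PORT 80`; and "it is in `md5 raw`" would be clearer as the hashcat mode name (raw MD5) together with the `-m` value used, so the reader can reproduce the crack.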