# TryHackMe-Tony The Tiger ## NMAP ``` Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-14 20:08 PKT Nmap scan report for 10.10.127.87 Host is up (0.15s latency). Not shown: 989 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 d6:97:8c:b9:74:d0:f3:9e:fe:f3:a5:ea:f8:a9:b5:7a (DSA) | 2048 33:a4:7b:91:38:58:50:30:89:2d:e4:57:bb:07:bb:2f (RSA) | 256 21:01:8b:37:f5:1e:2b:c5:57:f1:b0:42:b7:32:ab:ea (ECDSA) |_ 256 f6:36:07:3c:3b:3d:71:30:c4:cd:2a:13:00:b5:25:ae (ED25519) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-generator: Hugo 0.66.0 |_http-server-header: Apache/2.4.7 (Ubuntu) |_http-title: Tony's Blog 1090/tcp open java-rmi Java RMI |_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug) 1091/tcp open java-rmi Java RMI 1098/tcp open java-rmi Java RMI 1099/tcp open java-object Java Object Serialization | fingerprint-strings: | NULL: | java.rmi.MarshalledObject| | hash[ | locBytest | objBytesq | xpCCB | xpCCB | #http://thm-java-deserial.home:8083/q | org.jnp.server.NamingServer_Stub | java.rmi.server.RemoteStub | java.rmi.server.RemoteObject | xpwA | UnicastRef2 |_ thm-java-deserial.home 4446/tcp open java-object Java Object Serialization 5500/tcp open hotline? | fingerprint-strings: | DNSStatusRequestTCP: | GSSAPI | NTLM | CRAM-MD5 | DIGEST-MD5 | thm-java-deserial | DNSVersionBindReqTCP, GenericLines, NULL: | CRAM-MD5 | GSSAPI | NTLM | DIGEST-MD5 | thm-java-deserial | GetRequest: | DIGEST-MD5 | CRAM-MD5 | GSSAPI | NTLM | thm-java-deserial | HTTPOptions: | DIGEST-MD5 | GSSAPI | CRAM-MD5 | NTLM | thm-java-deserial | Help: | NTLM | GSSAPI | DIGEST-MD5 | CRAM-MD5 | thm-java-deserial | Kerberos: | CRAM-MD5 | DIGEST-MD5 | GSSAPI | NTLM | thm-java-deserial | RPCCheck: | NTLM | DIGEST-MD5 | CRAM-MD5 | GSSAPI | thm-java-deserial | RTSPRequest: | GSSAPI | NTLM | DIGEST-MD5 | CRAM-MD5 | thm-java-deserial | SSLSessionReq: | GSSAPI | DIGEST-MD5 | NTLM | CRAM-MD5 | thm-java-deserial | TLSSessionReq: | GSSAPI | DIGEST-MD5 | NTLM | thm-java-deserial | TerminalServerCookie: | DIGEST-MD5 | CRAM-MD5 | NTLM | GSSAPI |_ thm-java-deserial 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) | ajp-methods: | Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS | Potentially risky methods: PUT DELETE TRACE |_ See https://nmap.org/nsedoc/scripts/ajp-methods.html 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 | http-methods: |_ Potentially risky methods: PUT DELETE TRACE |_http-open-proxy: Proxy might be redirecting requests |_http-server-header: Apache-Coyote/1.1 |_http-title: Welcome to JBoss AS 8083/tcp open http JBoss service httpd |_http-title: Site doesn't have a title (text/html). ``` ## PORT 80 We see an image so let's see if there is any stegongraphy involved in this I tried to run `steghide` to extract something from the image but failed as there is something wrong with the bytes in the image Run `strings` on the image Now download `jboss.zip` which is provided in the room ## PORT 8080 There is an `administrative console` and try to login with default credentials which are `admin`:`admin` Now search for the `jboss` exploit and on the github page you'll find it Run it like it does in the picture Looking in `jboss` directory we'll find a password ## Privilege Escalation We can see that we can run `find` as `sudo` so we can run find to execute a command to add `jboss` in sudoers `jboss@thm-java-deserial:~$ sudo /usr/bin/find . -exec usermod -aG jboss \;` ``` jboss@thm-java-deserial:~$ sudo -l Matching Defaults entries for jboss on thm-java-deserial: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User jboss may run the following commands on thm-java-deserial: (ALL) NOPASSWD: /usr/bin/find (ALL : ALL) ALL jboss@thm-java-deserial:~$ sudo bash [sudo] password for jboss: root@thm-java-deserial:~# ``` To get the root flag , it is in `base64` encoded Now let's use `hashcat` it is in `md5 raw` so we can crack it