search
GitHubPsMapExec

Jacobtheboss

hashtag
Nmap

sudo nmap 10.10.166.109 -p- -sS -sV          

PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH 7.4 (protocol 2.0)
80/tcp    open  http         Apache httpd 2.4.6 ((CentOS) PHP/7.3.20)
111/tcp   open  rpcbind      2-4 (RPC #100000)
1090/tcp  open  java-rmi     Java RMI
1098/tcp  open  java-rmi     Java RMI
1099/tcp  open  java-object  Java Object Serialization
3306/tcp  open  mysql        MariaDB (unauthorized)
3873/tcp  open  java-object  Java Object Serialization
4444/tcp  open  java-rmi     Java RMI
4445/tcp  open  java-object  Java Object Serialization
4446/tcp  open  java-object  Java Object Serialization
4457/tcp  open  tandem-print Sharp printer tandem printing
4712/tcp  open  msdtc        Microsoft Distributed Transaction Coordinator (error)
4713/tcp  open  pulseaudio?
8009/tcp  open  ajp13        Apache Jserv (Protocol v1.3)
8080/tcp  open  http         Apache Tomcat/Coyote JSP engine 1.1
8083/tcp  open  http         JBoss service httpd
22764/tcp open  unknown
45592/tcp open  java-rmi     Java RMI
45722/tcp open  unknown
circle-info

Add jacobtheboss.box to /etc/hosts before starting

Checking our port 80 takes us to a blog post where the user jacob comments about the new content maanger for the company.

Other than this we do not have anything interesting regarding port 80. Checking out port 8080 we see the server is running JBoss.

JBoss is a application server which you can read more about here: https://www.dnsstuff.com/what-is-jboss-application-serverarrow-up-right

Researching on how to find JBoss version we can check the followin path for this information.

/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServer

Checking the VersionNumber field we see we are running version 5.0.0.GA. Researching exploits for this we find a popular exploitation python tool call jexboss.

LogoGitHub - joaomatosf/jexboss: JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation ToolGitHubchevron-right

Download and install as per instructions on the Github page then execute as follows:

Set up a netcat listener on the attacking machine and when prompted to do so enter your attacking machine IP and port. This should gives us a proper reverse shell.

After connecting I transferred over linpeas and executed. Soon linpeas finds that the binary /usr/bin/pingsys has a SUIT bit set.

Researching the binary on Google we come to the following post on stackexchange.

LogoPrivilege Escalation: C functions setuid(0) with system() not working in LinuxInformation Security Stack Exchangechevron-right

According to the top answer we can execute a command after pingsys which can be used to spawn a shell with the existing permissions of pingsys.

Run the following command on our shell to escalate to a root shell.

Last updated