Jacobtheboss
Nmap
Add jacobtheboss.box to /etc/hosts before starting
Checking port 80 takes us to a blog post where the user jacob comments about the new content manager for the company.
Other than this we do not have anything interesting regarding port 80. Checking out port 8080 we see the server is running JBoss.
JBoss is an application server, which you can read more about here: https://www.dnsstuff.com/what-is-jboss-application-server
Researching how to find the JBoss version, we find that the following path exposes this information.
/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServer
Checking the VersionNumber field we see we are running version 5.0.0.GA. Researching exploits for this version we find a popular Python exploitation tool called jexboss.
Download and install it as per the instructions on the GitHub page, then execute as follows:
Set up a netcat listener on the attacking machine and, when prompted to do so, enter your attacking machine IP and port. This should give us a proper reverse shell.
After connecting I transferred over linpeas and executed it. Soon linpeas finds that the binary /usr/bin/pingsys has the SUID bit set.
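From the defender's side, the linpeas finding above is a SUID binary that was never reviewed. The following is an added example, not part of the original write-up: a shell audit that reports SUID files missing from a reviewed allowlist. The function names and the allowlist file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up): report SUID files that are
# not on a reviewed allowlist. Paths containing newlines are not supported.
#
# Typical use (the allowlist path is hypothetical):
#   audit_suid / /etc/suid-allowlist.txt

# list_suid ROOT -> every regular file under ROOT with the setuid bit, sorted.
list_suid() {
    # -xdev: stay on one filesystem; -perm -4000: setuid bit is set.
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# audit_suid ROOT ALLOWLIST
# ALLOWLIST holds one absolute path per line; '#' comment lines never match a path.
# Prints "UNEXPECTED-SUID <path>" for each finding.
# Returns 0 when clean, 1 when there are findings, 2 when the allowlist is unreadable.
audit_suid() {
    if [ ! -r "$2" ]; then
        # Fail closed: a missing allowlist must not look like a clean system.
        echo "audit_suid: cannot read allowlist: $2" >&2
        return 2
    fi
    # -F fixed strings, -x whole-line match, -v keep only paths NOT on the allowlist.
    _unexpected=$(list_suid "$1" | grep -Fvx -f "$2" || true)
    if [ -z "$_unexpected" ]; then
        return 0
    fi
    printf '%s\n' "$_unexpected" | sed 's/^/UNEXPECTED-SUID /'
    return 1
}
```

A non-zero return makes the function usable from a scheduled job that alerts when a binary such as /usr/bin/pingsys shows up with the SUID bit outside the reviewed set.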
Researching the binary on Google we come to the following post on Stack Exchange.
According to the top answer, we can append a command after pingsys, and it will run with the permissions pingsys already holds, which can be used to spawn a shell.
Run the following command in our shell to escalate to a root shell.