Ano1X8 / THM_Tony_the_Tiger

Write-up from www.tryhackme.com of the room: Tony the Tiger

CTF Tony the Tiger THM #1

Open Ano1X8 opened 4 years ago

Ano1X8 commented 4 years ago

A recent hacktivity from www.tryhackme.com that I had a lot of fun with. Since this is a recent/live challenge, I will edit out certain details.

Start off by deploying the box and receiving our IP for the session. Once we do, we'll visit the site and run a few scans to see what's going on.

Visiting the site, we can see it's a blog with a couple of entries; nothing special when viewing the source code, nothing for robots.txt, nor a login or other extensions. However, we get a small hint: the photos have a "deeper meaning":

[screenshot: image1] [screenshot: image2]

After downloading each file, I first tried to run steghide (--extract -sf) against it, to no avail on either. Another command immediately came to mind and boom, found our first flag. [screenshot: command]

Our nmap scan has finished and has returned quite a few open ports: [screenshot: nmap]

After completing several recent and older challenges, my mind automatically went to a few different routes, but, after getting some decent info from the site, let's check out port 8080 first and go from there.

[screenshot: JBoss]

Visiting the port takes us to a JBoss landing page/portal; let's see if we can access using default credentials.

[screenshot: JBoss_Admin]

Yes, we did! Now we have control over the Administration Console, JMX Console and the JBoss Web Services console. After clicking around I saw the option to load/deploy a war file, which is definitely another route to take, but after googling the service exploit, I came across an extremely useful tool.

SOURCE https://github.com/joaomatosf/jexboss

Since gobuster/nikto did not return anything useful this time, let's halt them, run the script aaannnddddd success! We're in... sorry, I couldn't resist.

[screenshot: jex1] [screenshot: jex2]

After running a few commands, it turns out we can view certain things; however, most commands weren't running, not even upgrading the shell. Fret not though: after reading a bit more on GitHub, it turns out we can perform a remote connection. Let's set up a listener and we're good to go!

[screenshot: access] [screenshot: jexremote] [screenshot: nc]

We are logged in as cmnatic; after taking a quick peep around, we find a "to-do.txt".

[screenshot: cmnatic]

Thanks for the note! Heading over to JBoss, we find another note. [screenshot: jboss_homedir]

Again, many thanks. Now let's switch over to JBoss and check for sudo privileges. [screenshot: su]

No password required... GTFOBins time!

SOURCE https://gtfobins.github.io/

After FINDing what we're looking for, typing it in the command line will grant us root permissions and boom, rooted. [screenshot: root]

Now heading over to get root.txt, and I can automatically tell the type of encoding, so let's get it decoded and wrap it up. After decoding it, let's output to a file (hash) and run it through hashcat using rockyou:

[screenshot: roottxt]

[screenshot: hashcat]

A very quick return and hashcat cracked our target and provided us with the solution to the final flag (root.txt).

There are other methods of attacking this box, and maybe after uploading several other projects, I will try to deploy a war file to gain an initial foothold. Regardless, I had a lot of fun on this fairly simple challenge; thank you THM and cmnatic for creating this.
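As an added, defender-side example (not part of the write-up and not a file from the room), here is a small sudoers audit that flags the kind of rule the escalation above relies on: NOPASSWD entries granting ALL or a binary that GTFOBins documents as shell-capable. The sudoers content, user names and the SHELL_CAPABLE subset are constructed for the example.

```python
import os
import re
from typing import Dict, List

# Hand-picked subset of binaries GTFOBins documents as able to spawn a shell
# or read/write arbitrary files when run via sudo (assumption, not exhaustive).
SHELL_CAPABLE = {
    "find", "vim", "vi", "less", "more", "awk", "python", "python3",
    "perl", "bash", "sh", "nmap", "env", "tar", "zip",
}

# Matches:  user  host = (runas) TAG: cmd1, cmd2   (Defaults/aliases skipped below)
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Return NOPASSWD rules that grant ALL or a shell-capable binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = SUDOERS_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("tags"):
            continue
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            exe = os.path.basename(cmd.split()[0])   # strip args, keep binary name
            if cmd == "ALL" or exe in SHELL_CAPABLE:
                reason = "ALL" if cmd == "ALL" else f"{exe} can spawn a shell"
                findings.append({"user": m.group("user"), "cmd": cmd, "reason": reason})
    return findings

# Constructed sample sudoers; the jboss line mirrors the write-up's sudo + find path.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
jboss   ALL=(ALL) NOPASSWD: /usr/bin/find
cmnatic ALL=(ALL) /usr/bin/apt-get
deploy  ALL=(ALL) NOPASSWD: ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']:8} {f['cmd']:20} {f['reason']}")
```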

CMNatic commented 4 years ago

Love this! Thanks for the write-up, especially taking the "non-conventional" route. I'll approve the writeup, just going to let the room age a couple of more days to give people a chance! Otherwise, I would approve without hesitation. ~CMNatic (Creator)

CMNatic commented 4 years ago

Also +10 for the reference ;)

Ano1X8 commented 4 years ago

Thank you very much, that means a lot to me and I really appreciate that. Absolutely, and sounds great; I'll wait a few more days before posting/tagging and giving proper credits (I'm Ano1X8 on Twitter). Thank you very much for taking the time to read/create, and very much looking forward to more. I hope all's great by you and yours; stay safe and take care.

My pleasure for the reference/shout-outs; I know a lot of time/effort goes into these, and I had a lot of fun with this one.

On Apr 13, 2020, at 6:19 AM, Ben Eriksson notifications@github.com wrote:

 Love this! Thanks for the write-up, especially taking the "non-conventional" route. I'll approve the writeup, just going to let the room age a couple of more days to give people a chance! Otherwise, I would approve without hesitation. ~CMNatic (Creator)