Tony The Tiger [No Spoilers]

Amec0e
6 min read · Nov 24, 2020


Tony The Tiger

Difficulty: Easy

So before we start there are a few things I want to mention.

1: The first few tasks are mainly reading; the answers are literally right in front of you. So we will instead start from Task 3 “Reconnaissance”, where we actually start running tools and looking at outputs.

2: In Task 5 “Exploit!”, many others and I could not get the task’s exploit to work, so save yourself A LOT of time and trouble and get the Jexboss tool from the link below instead.

Jexboss: https://github.com/joaomatosf/jexboss

With that said let’s start!

Firstly our good ol’ nmap:

Nmap

Okay, well, that’s a fair few services, so let’s wait for nmap to complete fully and investigate some of the outputs:

Nmap

Well, we can see what service is running on port 8080, and we can safely assume the “Front-end” application running is the one named in the “http-title”.

We also have another web server running on port 80:

Nmap

We can see from the title that it is most likely a blog-style website, so let’s check that out first!

Tonys Blog

Well, one thing I noticed is that the question in Task 4 “Find Tony’s Flag” clearly mentions having an unbiased opinion.

And the first thing I noticed here was a reference in the first post to a possibly biased opinion, so I want to check out that first post.

Scrolling down the post I see an image. Now, if you remember, the room’s tags include steganography and cryptography, so we know coming into this that we will need to be somewhat familiar with both to complete the room:

frosted flakes

That also hints at anything that could be used to hide data inside, such as image files, so I want to grab this image and examine it further:

wget

Now that we have it, let’s run a few things on it.

The one overlooked and easily forgotten command to use here is “strings”, which essentially lists the printable, potentially human-readable character sequences in a file.

So that is where I should check first, before heading to steganography tools and potentially missing interesting information:

strings

Well, sometimes it seems you will just get a lot of useless junk, but in a CTF the output can also contain other things, like perhaps Tony’s flag:

strings
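As an added example (not from the original post), here is the logic of that strings pass written out in Python, with a flag-pattern filter on top so the interesting line does not drown in the junk. The image bytes and the flag format are constructed assumptions for this example.

```python
import re
from typing import List

# Constructed sample standing in for the downloaded blog image: PNG-like
# header bytes, a tEXt chunk carrying a readable comment, and some JPEG-like
# trailing bytes. The flag value inside is made up for this example.
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x01\x00\x00\x00\x01\x00"
    b"\x08\x06\x00\x00\x00\x5c\x72\xa8\x66\x00\x00\x00\x04"
    b"tEXtComment\x00Remember: the flag is flag{constructed_example}\x00"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00"
)

# Assumed flag shape for the search: a short tag followed by {...}. Adjust
# the pattern to the flag format of the room you are working on.
FLAG_RE = re.compile(r"\b[A-Za-z0-9_]{2,10}\{[^{}\s]{1,80}\}")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of printable ASCII (space..~ plus tab) that is at
    least min_len characters long. This is what GNU `strings -n <min_len>`
    prints; 4 is its default minimum."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, data)]


def find_flag_candidates(data: bytes, min_len: int = 4) -> List[str]:
    """Run the strings pass and keep only pieces that look like a flag."""
    return [
        m.group(0)
        for s in extract_strings(data, min_len)
        for m in FLAG_RE.finditer(s)
    ]


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_IMAGE):
        print(s)
    print("candidates:", find_flag_candidates(SAMPLE_IMAGE))
```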

Now that we have that, we can approach the next frustrating task, Task 5 “Exploit!”. I will assume that if you read the beginning you have already git cloned the Jexboss tool and it is ready to use.

With that said let’s continue!

At this point I want to run gobuster against both web servers, on port 80 and port 8080, to see if we can find anything additional.

Well, we found additional directories, but nothing of interest, so to save you time digging in all the wrong places I will skip them.

Let’s move on to the exploitation using jexboss:

jexboss

NOTE: This was a little fiddly, and I had to run it a few times before it obtained the shell.

jexboss

Something I thought was kind of neat here is that they give you the command for a bash reverse shell, so you can simply set up an nc listener, execute the bash reverse shell and work from there instead of from within this Python script.

So let’s do just that and send ourselves a bash reverse shell:

nc listener

Great! Now we can work from here, enumerating our way to root and picking up the flags along the way.

Firstly upgrade the shell:

python tty

Then the users:

ls -la

Then the system-wide crontab:

crontab

Nothing interesting here.

The sudo -l command:

sudo -l

And we cannot use sudo -l, as we don’t know this user’s password, so let’s check out the other users’ home directories.

First we are going to start with jboss:

ls -la

We can see 2 files here, 1 called “note” and a hidden one called .jboss.txt.

So let’s check out the hidden file:

.jboss.txt

And we have the Jboss user flag!

Now to check the note:

note

Okay, cool! We got a password for the user jboss, so with that in mind we can now su to jboss:

su

Awesome, we are now the user jboss. Now to try sudo -l, which we could not do before:

sudo -l

Okay, so we have find here, runnable as root and without a password, so can you guess what we do next?

That’s right!

Off to GTFOBins to see if we can find a sudo exploit for the find command:

GTFOBins

And we find one! Now to try and gain root!

root exploit
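The misconfiguration behind this step, a NOPASSWD sudo rule on a binary that can spawn a shell, is cheap to audit on any box you look after. Added example, not part of the original post: it parses sudo -l output (constructed here to match what the post found for jboss) and rates each entry against a small GTFOBins-style list of shell-escape binaries.

```python
import os
import re
from typing import Dict, List

# Constructed `sudo -l` output modelled on what the post found for the
# jboss user; it is not copied from the room.
SUDO_L_OUTPUT = """\
User jboss may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/sbin/service jboss restart
"""

# Small subset of binaries that can spawn a shell or read/write arbitrary
# files when run as root; GTFOBins catalogues many more.
SHELL_ESCAPE_BINS = {"find", "vim", "vi", "less", "more", "awk", "perl",
                     "python", "python3", "bash", "sh", "env", "tar"}

# "(runas_user[ : runas_group]) [TAG: ...] command args", as sudo -l prints it.
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """Return the command entries listed after the 'may run' header."""
    entries: List[Dict[str, object]] = []
    in_commands = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        m = ENTRY_RE.match(line) if in_commands else None
        if m:
            entries.append({
                "runas": m.group("runas").split(":")[0].strip(),
                "tags": set(re.findall(r"[A-Z]+", m.group("tags"))),
                "command": m.group("cmd").strip(),
            })
    return entries


def audit_sudo_l(output: str) -> List[Dict[str, object]]:
    """Flag entries that run a shell-escape binary as root. NOPASSWD rates
    'critical'; a password-protected entry still rates 'high', since the
    password may leak (as it did from the note file in this room)."""
    findings = []
    for e in parse_sudo_l(output):
        binary = os.path.basename(str(e["command"]).split()[0])
        if e["runas"] in ("root", "ALL") and binary in SHELL_ESCAPE_BINS:
            sev = "critical" if "NOPASSWD" in e["tags"] else "high"
            findings.append({"severity": sev, "binary": binary, **e})
    return findings
```

The fix on the defender's side is to replace the blanket find rule with a purpose-built script or a tightly scoped command, and to never grant NOPASSWD on anything that can exec a shell.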

And now that we are root, we can grab the last flag, located in /root/root.txt:

root.txt

To me this looks like a base64 string, so let’s use Base64decode.org to decode it:

base64decode

https://www.base64decode.org/

And we have what looks like a hash, so let’s use hash-identifier to find out what kind of hash it could be:

hash-identifier

And we can see it is very likely MD5 or MD4, so with that in mind let’s try to crack it with rockyou.txt and hashcat:

hashcat

And we get a match back and our final root flag!

hashcat found
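The decode, identify and crack steps above, chained together in Python as an added example that is not from the post. The root.txt contents and the wordlist are constructed (the well-known MD5 of "password"), not the room’s real flag; the point is that an unsalted fast hash of a dictionary word falls to a single pass over a list.

```python
import base64
import binascii
import hashlib
import re
from typing import List, Optional

# Constructed stand-in for the contents of root.txt: the well-known MD5 of
# "password" (5f4dcc3b...) wrapped in base64, as the room's file was. The
# real flag is different; this value only exercises the same steps.
KNOWN_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"
ROOT_TXT = base64.b64encode(KNOWN_MD5.encode()).decode() + "\n"

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "letmein", "password", "qwerty", "tony"]

# Digest length in hex characters -> candidate algorithms (what
# hash-identifier mainly keys on; 32 hex chars is MD5, MD4 or NTLM).
HEX_LENGTH_HINTS = {32: ["MD5", "MD4", "NTLM"], 40: ["SHA-1"],
                    64: ["SHA-256"], 128: ["SHA-512"]}


def decode_base64_text(blob: str) -> Optional[str]:
    """Strictly base64-decode a text blob; None if it is not valid base64."""
    try:
        return base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def identify_hash(candidate: str) -> List[str]:
    """Guess the algorithm from charset and length, like hash-identifier."""
    if not re.fullmatch(r"[0-9a-fA-F]+", candidate):
        return []
    return HEX_LENGTH_HINTS.get(len(candidate), [])


def crack_md5(target_hex: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack equivalent to `hashcat -m 0 hash rockyou.txt`."""
    target = target_hex.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def recover_flag(root_txt: str, wordlist: List[str]) -> Optional[str]:
    """Chain the three steps the post did by hand."""
    decoded = decode_base64_text(root_txt)
    if decoded is None or "MD5" not in identify_hash(decoded):
        return None
    return crack_md5(decoded, wordlist)
```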

And we are done! Congratulations and thank you for reading!

Please feel free to follow me on twitter if you like the write up: https://twitter.com/amec0e

