THM - Tony the Tiger - Writeup
Learn how to use a Java Serialisation attack in this boot-to-root
Find This Room: Tony the Tiger
If you want to get the Answer directly
Recon
Nmap Report
cat nmap-scan.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2025-02-18 12:14 EET
Nmap scan report for 10.10.217.142
Host is up (0.11s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:97:8c:b9:74:d0:f3:9e:fe:f3:a5:ea:f8:a9:b5:7a (DSA)
| 2048 33:a4:7b:91:38:58:50:30:89:2d:e4:57:bb:07:bb:2f (RSA)
| 256 21:01:8b:37:f5:1e:2b:c5:57:f1:b0:42:b7:32:ab:ea (ECDSA)
|_ 256 f6:36:07:3c:3b:3d:71:30:c4:cd:2a:13:00:b5:25:ae (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Hugo 0.66.0
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Tony's Blog
1090/tcp open java-rmi Java RMI
|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
1091/tcp open java-rmi Java RMI
1098/tcp open java-rmi Java RMI
1099/tcp open java-object Java Object Serialization
| fingerprint-strings:
| NULL:
| java.rmi.MarshalledObject|
| hash[
| locBytest
| objBytesq
| #http://thm-java-deserial.home:8083/q
| org.jnp.server.NamingServer_Stub
| java.rmi.server.RemoteStub
| java.rmi.server.RemoteObject
| xpwA
| UnicastRef2
|_ thm-java-deserial.home
4446/tcp open java-object Java Object Serialization
5500/tcp open hotline?
| fingerprint-strings:
| DNSStatusRequestTCP:
| GSSAPI
| CRAM-MD5
| NTLM
| DIGEST-MD5
| thm-java-deserial
| DNSVersionBindReqTCP, SSLSessionReq:
| GSSAPI
| NTLM
| CRAM-MD5
| DIGEST-MD5
| thm-java-deserial
| GenericLines, NULL, RTSPRequest:
| DIGEST-MD5
| CRAM-MD5
| NTLM
| GSSAPI
| thm-java-deserial
| GetRequest:
| GSSAPI
| DIGEST-MD5
| NTLM
| CRAM-MD5
| thm-java-deserial
| HTTPOptions, TerminalServerCookie:
| GSSAPI
| NTLM
| DIGEST-MD5
| CRAM-MD5
| thm-java-deserial
| Help:
| DIGEST-MD5
| GSSAPI
| NTLM
| CRAM-MD5
| thm-java-deserial
| Kerberos:
| CRAM-MD5
| GSSAPI
| DIGEST-MD5
| NTLM
| thm-java-deserial
| RPCCheck:
| GSSAPI
| DIGEST-MD5
| CRAM-MD5
| NTLM
| thm-java-deserial
| TLSSessionReq:
| CRAM-MD5
| DIGEST-MD5
| NTLM
| GSSAPI
|_ thm-java-deserial
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS
| Potentially risky methods: PUT DELETE TRACE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE TRACE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Welcome to JBoss AS
8083/tcp open http JBoss service httpd
|_http-title: Site doesn't have a title (text/html).
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1025/tcp)
HOP RTT ADDRESS
1 135.13 ms 10.8.0.1
2 135.66 ms 10.10.217.142
The Nmap TCP port scan shows HTTP (80), HTTP (8080) and SSH (22) open, among other ports.
We find a page running on port 80.
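How Nmap's fingerprint-strings above become "Java Object Serialization" plus a list of class names: the stream opens with the magic 0xACED and version 0x0005, and every class descriptor is a 0x72 tag followed by a length-prefixed name, while the RMI codebase URL (the http://thm-java-deserial.home:8083/ entry) travels as a 0x74 string. The following is an added example, not part of the original writeup: a triage function that classifies a captured banner and pulls out those records so an exposed RMI/JNDI endpoint can be inventoried without touching it further. The sample bytes are re-typed from the scan output above, and the scanner is a flat heuristic rather than a full stream parser.

```python
import struct
from dataclasses import dataclass, field

# Tag bytes from java.io.ObjectStreamConstants
STREAM_MAGIC, STREAM_VERSION = 0xACED, 5
TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x72, 0x73, 0x74, 0x78

# Constructed sample: the opening bytes port 1099 returned in the nmap fingerprint
# above, re-typed from the scan with binary noise between records trimmed.
SAMPLE_BANNER = (
    b"\xac\xed\x00\x05"                                 # STREAM_MAGIC, STREAM_VERSION
    b"sr\x00\x19java.rmi.MarshalledObject|\xbd\x1e\x97\xedc\xfc>\x02\x00\x03"
    b"I\x00\x04hash[\x00\x08locBytest\x00\x02[B[\x00\x08objBytesq\x00~\x00\x01xp"
    b"t\x00#http://thm-java-deserial.home:8083/"        # RMI codebase annotation
    b"sr\x00\x20org.jnp.server.NamingServer_Stub\x00\x00\x00\x00\x00\x00\x00\x02\x02\x00\x00"
    b"xr\x00\x1ajava.rmi.server.RemoteStub\xe9\xfe\xdc\xc9\x8b\xe1e\x1a\x02\x00\x00"
    b"xr\x00\x1cjava.rmi.server.RemoteObject\xd3a\xb4\x91\x0ca3\x1e\x03\x00\x00xp"
)

@dataclass
class BannerInfo:
    is_java_stream: bool
    classes: list = field(default_factory=list)   # names from TC_CLASSDESC records
    strings: list = field(default_factory=list)   # TC_STRING values, e.g. the codebase URL

def _utf(data: bytes, i: int):
    """u16 length + modified-UTF-8 text at data[i]; None if it does not fit or is not printable."""
    if i + 2 > len(data):
        return None
    n = struct.unpack(">H", data[i:i + 2])[0]
    s = data[i + 2:i + 2 + n]
    if n == 0 or len(s) != n or not s.isascii() or not s.decode().isprintable():
        return None
    return s.decode()

def triage_banner(data: bytes) -> BannerInfo:
    """Flat heuristic scan (not a full ObjectInputStream parser): a record counts only if
    its length field fits the buffer and the text is printable ASCII."""
    header = struct.unpack(">HH", data[:4]) if len(data) >= 4 else None
    info = BannerInfo(header == (STREAM_MAGIC, STREAM_VERSION))
    if not info.is_java_stream:
        return info
    for i in range(4, len(data)):
        tag = data[i]
        is_class = tag == TC_CLASSDESC and data[i - 1] in (TC_OBJECT, TC_ENDBLOCKDATA)
        if is_class or tag == TC_STRING:
            text = _utf(data, i + 1)
            if text:
                (info.classes if is_class else info.strings).append(text)
    return info
```

The port 5500 banner from the same scan (starting `\0\0\0G`) is correctly reported as not a Java stream, which is the check that separates the SASL service from the serialization endpoints.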
FFUF Report
On the page we find an image; we download it and run strings on it to look for our flag.
Let’s take a look at the 8080 port
FFUF Report
As we can see on the page on port 8080, it is running JBoss, and we find the version under /JBOSSWS/.
We use JexBoss to check whether the machine is vulnerable and to automate the attack. It reports several vulnerabilities.
Initial Access
While verifying the vulnerabilities, the tool also offers to exploit the machine; in this case we use the JMXInvokerServlet to obtain a reverse shell, entering our IP and the port on which we have Netcat listening.
NetCat
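The JMXInvokerServlet request that JexBoss sends also leaves a line in the JBoss/Tomcat access log, which is the cheapest place to spot this kind of attack after the fact. The following is an added example, not from the writeup or from JexBoss: it flags requests to /invoker/JMXInvokerServlet (the servlet's path in JBoss AS, taken here as the target of the JMXInvokerServlet step) in constructed Common Log Format lines; because the invoker on this box accepts unauthenticated requests, any hit from an unexpected source deserves an alert.

```python
import re
from collections import Counter

# Common Log Format as written by the Tomcat/JBoss AccessLogValve
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# /invoker/JMXInvokerServlet is the JBoss AS invoker path (assumed to be the
# endpoint behind the writeup's JMXInvokerServlet step); extend as needed.
INVOKER_PATHS = ("/invoker/JMXInvokerServlet",)

# Constructed sample log lines, not a capture from the room.
SAMPLE_LOG = """\
10.8.0.2 - - [18/Feb/2025:12:20:01 +0200] "GET /jbossws/ HTTP/1.1" 200 1832
10.8.0.2 - - [18/Feb/2025:12:20:09 +0200] "HEAD /invoker/JMXInvokerServlet HTTP/1.1" 200 -
10.8.0.2 - - [18/Feb/2025:12:20:15 +0200] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1542
10.8.0.7 - - [18/Feb/2025:12:21:40 +0200] "GET /index.html HTTP/1.1" 200 3422
"""

def find_invoker_hits(log_text: str) -> list:
    """One finding per request whose path starts with an invoker servlet path.
    A POST is the invocation itself (serialized payload in the body); any other
    method is treated as a probe. Lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]          # drop any query string
        if not path.startswith(INVOKER_PATHS):
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"], "path": path,
            "status": int(m["status"]),
            "kind": "invocation" if m["method"] == "POST" else "probe",
        })
    return hits

def hits_per_source(hits: list) -> Counter:
    """Count findings per client address, for the alert summary."""
    return Counter(h["ip"] for h in hits)
```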
Post-Exploitation
USER — CMNATIC
We obtain a reverse shell as the CMNATIC user and find our flag, user.txt, in the main JBoss folder.
USER — JBOSS
In this user's folder we find a note containing a password; using it with the SSH service, we obtain a shell.
SSH
PRIVILEGE ESCALATION
A quick enumeration with sudo -l -l shows that we have root permissions (sudo) to execute the command.
Using GTFOBins
We obtain a root shell and find our last flag, root.txt, but it appears to be encoded.
Decoding the flag gives us a hash, which we look up on CrackStation to recover the plaintext.
Follow Me : Mohamed Ali
For Support : Mohamed Ali
Happy Hacking