Tony The Tiger

Support Material

Reconnaissance

Lets run nmap scans to find open ports and services

Find Tony's flag

Lets visit the webpage

Reading the blogs, we can read that the photos might have a deeper meaning to them, so lets download the images to our machine and use our steganography skills to find hidden information in the images.

The first image can be found when we click read more on the second blog

And the next picture can be found on the first blog

We can go to the source code and the get the location of the images so that we can download them to our machine

We get nothing with steghide

Lets use the strings command

We have the flag

Exploit

Once downloaded, lets unzip this file

Lets now go check out the application running on port 8080

Its called JBoss. Lets try to login , lets click Administration Console

We do not have credentials so lets go to google and look for default creds and see if they work.

Lets see if these work

And they do , we are logged in. Lets go to Google to look for vulnerabilities for the application.

Lets clone this github repo and use this tool

We have some requirements that we need to download, so lets do that

Lets run the exploit

python jexboss.py 10.10.121.22:8080

We can run command on the machine, lets run a reverse shell script to get a reverse shell on the machine.

Lets first start a Netcat listener

Lets now run the command

We have a shell on the machine, lets stabilize the shell

Looking through the machine, we see this interesting file

We have the password for the user JBoss, lets switch users

Privilege Escalation

Lets run sudo -l to see what we can run as other users

Looks like we can run the find command. Lets go to GTFOBins and find the command to get root on the machine.

Lets run this command

We are root.

The flag for task 6 can be found here

And the final flag here

Its base64 and md5 encoded so you can decode it on your own :)