To access material, start machines and answer questions login.
Firstly, ensure you are connected to the TryHackMe network via either the VPN Service or Kali Instance (subscribed members only). If you are not using the Kali Instance, you can verify connectivity to the THM network on the "access" page. Or if you are new, you can learn how to connect by visiting the OpenVPN Room.
Please allow up towards five minutes for this instance to fully boot - even as a subscribed member. This is not a TryHackMe or AWS bottleneck, rather Java being Java and the web application taking time to fully initialise after boot.
Your Instance IP Address: MACHINE_IP
Deploying now and proceeding with the material below should allow for plenty of time for the instance to fully boot.
I have deployed my Instance!
Whilst this is a CTF-style room, as the approach to ultimately "rooting" the box is new to TryHackMe, I will explain it a little and leave you to experiment with. There are flags laying around that aren't focused on the CVE, so I still encourage exploring this room. Explaining the whole-theory behind it is a little out of scope for this. However, I have provided some further reading material that may help with the room - or prove interesting!
What is "Serialisation"?
Serialisation at an abstract is the process of converting data - specifically "Objects" in Object-Oriented Programming (OOP) languages such as Java into lower-level formatting known as "byte streams", where it can be stored for later use such as within files, databases, and/or traversed across a network. It is then later converted from this "byte stream" back into the higher-level "Object". This final conversion is known as "De-serialisation"
(kindly taken from https://www.geeksforgeeks.org/classes-objects-java/)
So what is an "Object"?
"Objects" in a programming-context can be compared to real-life examples. Simply, an "Object" is just that - a thing. "Objects" can contain various types of information such as states or features. To correlate to a real-world example...Let's take a lamp.
A lamp is a great "Object". a lamp can be on or off, the lamp can have different types of bulbs - but ultimately it is still a lamp. What type of bulb it uses and whether or not the lamp is "on" or "off" in this instance is all stored within an "Object".
How can we exploit this process?
A "serialisation" attack is the injection and/or modification of data throughout the "byte stream" stage. When this data is later accessed by the application, malicious code can result in serious implications...ranging from DoS, data leaking or much more nefarious attacks like being "rooted"! Can you see where this is going...?
What is a great IRL example of an "Object"?
What is the acronym of a possible type of attack resulting from a "serialisation" attack?
What lower-level format does data within "Objects" get converted into?
Your first reaction to being presented with an instance should be information gathering.
What service is running on port "8080"
What is the name of the front-end application running on "8080"?
Tony has started a totally unbiased blog about taste-testing various cereals! He'd love for you to have a read...
Download the attached resources (48.3MB~) to this task by pressing the "Download" icon within this task.
FILE NAME: jboss.zip (48.3MB~)
MD5 CHECKSUM: ED2B009552080A4E0615451DB0769F8B
The attached resources are compiled together to ensure that everyone is able to complete the exploit, these resources are not my own creations (although have been very slightly modified for compatibility) and all credit is retained to the respective authors listed within "credits.txt" as well as the end of the room.
It is your task to research the vulnerability CVE-2015-7501 and to use it to obtain a shell to the instance using the payload & exploit provided. There may be a few ways of doing it...If you are struggling, I have written an example of how this vulnerability is used to launch an application on Windows.
There's also a couple of ways of exploiting this service - I really encourage you to investigate into them yourself!
I have obtained a shell.
Knowledge of the Linux (specifically Ubuntu/Debian)'s file system structure & permissions is expected. If you are struggling, I strongly advise checking out the Linux Fundamentals module.
This flag has the formatting of "THM{}"
Normal boot-to-root expectations apply here! It is located in /root/root.txt. Get cracking :)
The final flag does not have the formatting of "THM{}"
Final Remarks
I hope this was a refreshing CTF, where classic techniques meet new content on THM - all of which are not based around Metasploit!
This type of attack can prove to be extremely dangerous - as you'd hopefully have discovered by now. It's still very real as sigh, java web applications are still used day-to-day. Because of their nature, "Serialisation" attacks all execute server-side, and as such - it results in being very hard to prevent from Firewalls / IDS' / IPS'.
For any and all feedback, questions, problems or future ideas you'd like to be covered, please get in touch in the TryHackMe Discord (following Rule #1)
So long and thanks for all the fish!
Credits
Again, to reiterate, the provided downloadable material has only slightly been adapted to ensure compatibility for all users across TryHackMe. Generating and executing the payload especially is very user-environment dependant (i.e. Java versions, of which are hard to manage on Linux, etc...)
Many thanks to byt3bl33d3r for providing a reliable Proof of Concept, and finally to all the contributors towards Frohoff's Ysoserial which facilitates the payload generation used for this CVE.
Further Reading
If you are curious into the whole "Serialisation" and "De-Serialisation" process and how it can be exploited, I recommend the following resources:
TIL!
Created by
Room Type
Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!
Users in Room
8,462
Created
1953 days ago
Ready to learn Cyber Security? Create your free account today!
TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.
Already have an account? Log in