Part 1: Enumeration

The Nmap scan shows a few ports open. We couldn't log into SMB anonymously, so we jump straight to port 8080, which is running Jenkins.

We can see the login page for Jenkins. Before going further into enumeration, I tried a few default credentials and could log in using admin:admin.

Part 2: Exploitation
Jenkins has a feature called 'Script Console' in the 'manage' directory, which allows us to execute scripts.

The script console states that we can execute Groovy scripts on the server. You can find the Groovy reverse shell script here.

You can change the host string to the IP of your local machine. Once we hit Run, we get a shell back on our machine as the user Ben.
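From the defender's side, the Script Console is the part of this chain that leaves the clearest trace: every execution is an HTTP POST to /script (or /scriptText for the CLI-style endpoint, or /computer/<node>/script on an agent). The script below is an added example, not code from the write-up or from Jenkins. It assumes the access log is in Apache "combined" format, which is what Jenkins' bundled Winstone access logger writes when it is enabled; the log lines are constructed for the example and are not from the machine in the write-up.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache "combined" format, the pattern
# Jenkins' bundled Winstone access logger writes when it is enabled. These are
# invented for the example, not logs from the machine in the write-up.
SAMPLE_ACCESS_LOG = """\
10.10.14.3 - - [02/Mar/2024:11:04:12 +0000] "GET /login HTTP/1.1" 200 2941 "-" "Mozilla/5.0"
10.10.14.3 - - [02/Mar/2024:11:04:20 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.3 - admin [02/Mar/2024:11:05:01 +0000] "GET /script HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.3 - admin [02/Mar/2024:11:05:37 +0000] "POST /script HTTP/1.1" 200 5388 "http://10.10.10.5:8080/script" "Mozilla/5.0"
10.10.14.3 - admin [02/Mar/2024:11:06:02 +0000] "POST /scriptText HTTP/1.1" 200 64 "-" "curl/8.4.0"
192.168.1.20 - jenkins-ci [02/Mar/2024:11:07:00 +0000] "POST /job/build-app/build HTTP/1.1" 201 0 "-" "Jenkins-CLI"
"""

# One line of Apache "combined" format: client, ident, user, timestamp,
# request line, status, size, referer, user agent. Only the leading fields
# are captured; the trailing ones are not needed for this check.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# /script and /scriptText are the Script Console endpoints on the controller;
# agents expose the same console under /computer/<node>/script.
SCRIPT_CONSOLE = re.compile(r"^(?:/computer/[^/]+)?/script(?:Text)?(?:\?.*)?$")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_script_console_executions(log_text):
    """Return records for successful POSTs to a Script Console endpoint.

    A GET only renders the console form; a POST is what submits Groovy for
    execution, so GETs are deliberately left out of the hit list.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and SCRIPT_CONSOLE.match(rec["path"])
                and 200 <= rec["status"] < 300):
            hits.append(rec)
    return hits


def executions_by_user(log_text):
    """Count console executions per authenticated user ('-' means anonymous)."""
    return Counter(h["user"] for h in find_script_console_executions(log_text))


if __name__ == "__main__":
    for h in find_script_console_executions(SAMPLE_ACCESS_LOG):
        print(f'{h["ts"]} {h["ip"]} user={h["user"]} {h["method"]} {h["path"]}')
    print(dict(executions_by_user(SAMPLE_ACCESS_LOG)))
```

On the constructed sample this reports two executions by admin, one from a browser and one from curl, and ignores the GET that merely opened the console. In practice a console execution by an account that has never used it before, or shortly after a login from a new address, is the alert worth raising; the same check also makes the case for not leaving the admin:admin default in place and for restricting the Administer permission, since only that permission grants console access.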

Part 3: Post Exploitation
Before moving forward with enumeration, we check the privileges the user has on the machine.

We can see that SeImpersonatePrivilege is enabled. This means we can use the well-known Juicy Potato attack. You can read about this attack in detail here. We first transfer the Juicy Potato binary to the victim machine; you can get it from here. We also transfer nc.exe (Netcat for Windows) to the victim machine.
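The privilege check above is also the check a defender runs when reviewing which account a service such as Jenkins executes as. The script below is an added example, not part of the write-up: it parses the output of `whoami /priv` (a constructed sample, in the real command's format) and flags the impersonation-class privileges that make this kind of escalation possible. SeAssignPrimaryTokenPrivilege is included as an assumption on my part; the write-up itself only names SeImpersonatePrivilege.

```python
import re

# Constructed sample of `whoami /priv` output, modelled on the real command's
# format; it is not the output from the machine in the write-up.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a token holder impersonate or assign other tokens, the
# class the write-up abuses. SeAssignPrimaryTokenPrivilege is an assumed
# addition; the page only names SeImpersonatePrivilege.
IMPERSONATION_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# A data row: privilege name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def audit_privileges(text):
    """List held impersonation-class privileges as sorted (name, state) pairs.

    A privilege is flagged whether it shows Enabled or Disabled: "Disabled"
    only means it is not currently active, and a process that holds it can
    switch it on itself with AdjustTokenPrivileges, so it still counts as held.
    """
    privs = parse_privileges(text)
    return sorted((name, state) for name, state in privs.items()
                  if name in IMPERSONATION_PRIVILEGES)


if __name__ == "__main__":
    for name, state in audit_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"held: {name} ({state}); this account should not run "
              f"network-exposed services")
```

The mitigation that follows from a hit is to run the service under a virtual or managed service account that does not carry these privileges, and to keep the host patched, since the COM-based variant used here was addressed in later Windows releases.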

Juicy Potato also requires a CLSID as an argument. You can find the list of CLSIDs for your OS version in the GitHub repo of Juicy Potato. Using the 'systeminfo' command we can see that the machine is running Windows Server 2012.
Next, we create a batch file with the following contents.

This simply means that when rev.bat is run, it will connect back to our local machine using nc.exe.
Now we use Juicy Potato. But before that, let's set up a netcat listener on our local machine.

Running Juicy Potato now,

Here,
- -p : Program to launch
- -t : Which CreateProcess call to use
- -l : COM server listen port
- -c : CLSID, as mentioned above. You can try the entries from the list one at a time until one works.
Once this completes, we get a shell back on our machine as NT AUTHORITY\SYSTEM.

The access and system flags can be found in the respective user directories.