HTB: Pennyworth

Very easy

This is a VIP box that’s part of HackTheBox’s Starting Point Tier 1 series

Tags: #Java, #Attacks, #WeakPassword

Connect to the Starting Point VPN and spawn the machine!

As always, let’s start with an NMAP scan.

nmap -sC -sV -T5 -v MachineIP

There’s only one service running on the machine, but before we get to it, let’s answer some of the questions.

  1. What does the acronym CVE stand for?
    Common Vulnerabilities and Exposures
  2. What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?
    Confidentiality, Integrity, Availability
  3. What is the version of the service running on port 8080?
    Refer to the NMAP scan
  4. What version of Jenkins is running on the target?
    Refer to the NMAP scan

Now let’s head to the HTTP service.

http://MachineIP:8080

Jenkins Admin page

Googling for the default credentials will show you something like this.

And one of the combinations is all we need to log in.

And you can see the answer for Task 5 right on the home page. 😆

I tried to google for any known exploits for this particular version of Jenkins but I didn’t see any. And looking at the questions, I had a feeling that we have to use Groovy scripts to attack the machine.

After looking through the pages, I found one that allows us to upload Groovy scripts directly to the service.

http://MACHINEIP:8080/scripts
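The script console is the part of Jenkins a defender most wants eyes on, because anything submitted to it runs as the Jenkins process. As an added example (not part of the original walkthrough), the Python below flags script-console requests in a reverse-proxy access log; it assumes an nginx-style proxy in front of Jenkins writing "combined" format lines, and the sample lines, IPs and timestamps are constructed. The console lives at /script, and /scriptText is its plain-text API form.

```python
import re

# Constructed sample access log (nginx "combined" format), as a reverse proxy in
# front of Jenkins would write it; IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 3215 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Mar/2024:10:01:09 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Mar/2024:10:02:30 +0000] "GET /script HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Mar/2024:10:02:45 +0000] "POST /script HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Mar/2024:10:05:00 +0000] "POST /scriptText HTTP/1.1" 200 12 "-" "curl/8.4.0"
192.168.1.20 - - [12/Mar/2024:10:06:00 +0000] "GET /job/build/1/console HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Endpoints where Jenkins runs submitted Groovy: the web console the walkthrough
# uses (/script) and its plain-text API counterpart (/scriptText).
CONSOLE_RE = re.compile(r'^/(script|scriptText)(?:[/?]|$)')

def find_script_console_activity(log_text: str) -> list[dict]:
    """Return each request that hit the script console as a dict with ip, ts,
    method, path, status and kind ('execute' for POST, 'view' for GET)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not CONSOLE_RE.match(m["path"]):
            continue  # unparseable line or unrelated endpoint
        f = m.groupdict()
        f["status"] = int(f["status"])
        f["kind"] = "execute" if f["method"] == "POST" else "view"
        findings.append(f)
    return findings

def executions_by_ip(findings: list[dict]) -> dict[str, int]:
    """Count Groovy submissions that Jenkins accepted (2xx) per source address."""
    counts: dict[str, int] = {}
    for f in findings:
        if f["kind"] == "execute" and 200 <= f["status"] < 300:
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    found = find_script_console_activity(SAMPLE_LOG)
    for f in found:
        print(f'{f["ts"]} {f["ip"]} {f["kind"]:7} {f["method"]} {f["path"]} -> {f["status"]}')
    print("Groovy executions per IP:", executions_by_ip(found))
```

A POST to the console from an address that never appears in normal build traffic, or from a non-browser user agent, is the line worth alerting on; a GET alone only shows the page was opened.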

And over at PayloadsAllTheThings, I found a Reverse Shell to use for Groovy!

This has the answer to Task 6.

The payload is as..

The only variables that have to be changed are “AttackingIP” and “Port”. “AttackingIP” is your tun0/VPN IP, and “Port” is whichever port you choose to listen on.

To find your IP, use one of these commands:

ifconfig
ip a | grep tun0

Now, before you click Run, you will have to open a Netcat listener:

nc -lvnp Port

Answer to Task 8!

Now click Run and wait for a response on your Netcat listener.

And that’s the reverse shell! Now let’s spawn a more stable, interactive shell:

/bin/sh -i

On to finding the flag!

And there you have it! Flag.txt found! Hope this walkthrough was easy to understand and thank you all for reading!

Porkballs

Budding Cyber Security VAPT Engineer with a deep interest in CTF. Trying to get into doing bug bounty as well XD