Walkthrough of a Linux machine exploitation attacking WordPress then privilege escalation via abuse of Jenkins.
Deployment and preparation
As per the pre-engagement briefing to avoid any hiccups during the testing the IP-address allocated for us should be added to the host file of our attacker machine. This way we eliminate the domain name translation having our machine directly reaching out to the victim machine.
Initial enumeration
Our usual Nmap scan shows only 2 open ports, 22 and 80.
HTTP enumeration
Let’s take a closer look of this service on port 80 with another Nmap scan which shows us that there might be some interesting directories available.
This has been confirmed by the Ffuf tool as well.
If we navigate to the link we could not only confirm that it is indeed a WordPress site but there is a user called admin who posted an entry and he is probably an administrator.
Let us try to find the password of that admin with a WPScan bruteforce attack. Success.
HTTP exploitation
We manage to login to WordPress with the credentials gathered.
During the WPScan attack above, the tool provided us with a spin-off info namely that the TwentySeventeen WP theme is out of date. This might help us to get a shell on the machine. Let’s get a copy of a php-reverse-shell from our Kali shared folder, modify the IP-address to ours and copy-paste it into the 404.php template in the WordPress editor.
Then after saving the modified 404 template all we need to do is just go to the URL on which the template is accessible.
We should receive a low-level non-interactive “sh” reverse-shell on our Netcat listener. Let us upgrade it straightaway with spawning an interactive “bash” pty shell just to make our life a bit easier.
Lateral movement
First of all let’s check the users on the machine. We can see that there is a user called “aubreanna”, let’s check all the files which have this name in them. Yes, there is a text file called “wp-save” in which his/her password is mentioned.
Now all we need to do is just taking over the shell for the user aubreanna and find the user flag. Let’s do that.
What is the user.txt flag?
Privilege escalation
Now we should go for the root flag, but we do not have the rights for that. Luckily there is another text file in the same directory in which the user flag was. It says there is an internal Jenkins service on 172.17.0.2 port 8080. This is confirmed, we can see a /16 range for a Docker container.
The easiest way to reach the Jenkins server considering what is available on the machine is to setup a local SSH port forward. The reason for this is that it is only for internal use and as such not available remotely, but if we tunnel out its port 8080 to an arbitrary port of our attacker machine it will be reachable for us. So, essentially what happens in this case is that we login to the machine via port 22 (SSH), then using the SSH service of the victim computer we mirror the internally available Jenkins service on 172.17.0.2:8080 onto port 5000.
We are able to get to the login page in this way using the same port number on 127.0.0.1.
Now we need some credentials to the server. Let’s fire up BurpSuite to catch its post request first.
Let’s feed the post request obtained into Hydra and bruteforce the login password using the user “admin” as it’s been in use for WordPress as well. Success.
Let’s login using the credentials gathered and then navigate to the Script Console in Jenkins (Nodes-> Master). There are several reverse shells available against Jenkins, I have decided to try out one from the Pentesteracademy blog. All we have to do with it is just changing the IP-address to our attacker machine and obviously the preferred port number to be added too.
Upon saving the script in the console, we should get back a non-interactive reverse shell on our Netcat listener which we update with our python pty script as usual. Next let’s check the “opt” directory again in which we found the wp-save.txt note above. We are lucky, fortunately admins stick to their habits nowadays, lol.. 🙂
Ok, nice one, we’ve got the root password. Let’s check it out via SSH and try to find the root flag.
What is the root.txt flag?
Thanks for reading and as always, any feedback is most welcome.