Jenkins


A Jenkins instance was identified, and it's running with the privileges of the root account. Since it's running on the localhost, I would have to tunnel it.

SSH Tunnel


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ sshpass -p RonnyCache001 ssh -L 8888:127.0.0.1:8080 vmdak@vmdak.local -N -f

Tunneling Kali port 8888 to the target network socket, 127.0.0.1:8080.

Access


Redirected to a login page. The admin password is the content of the /root/.jenkins/secrets/initialAdminPassword file, which cannot be accessed. This was noted in the config.xml file earlier.

config.xml


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ cat config.xml 
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <disabledAdministrativeMonitors/>
  <version>2.401.2</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
  <disableRememberMe>false</disableRememberMe>
  <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
  <workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}</workspaceDir>
  <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
  <jdks/>
  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
  <clouds/>
  <InitialRootPassword>/root/.jenkins/secrets/initialAdminPassword></InitialRootPassword>
  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
  <views>
    <hudson.model.AllView>
      <owner class="hudson" reference="../../.."/>
      <name>all</name>
      <filterExecutors>false</filterExecutors>
      <filterQueue>false</filterQueue>
      <properties class="hudson.model.View$PropertyList"/>
    </hudson.model.AllView>
  </views>
  <primaryView>all</primaryView>
  <slaveAgentPort>-1</slaveAgentPort>
  <label></label>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
  <nodeProperties/>
  <globalNodeProperties/>
  <nodeRenameMigrationNeeded>false</nodeRenameMigrationNeeded>
</hudson>

That version information stands out the most: 2.401.2

Vulnerabilities


Checking it for vulnerabilities reveals an LFI: CVE-2024-23897. Given that the process is running with the privileges of the root account, I could read any file on the target system via CVE-2024-23897. Moving on to the Privilege Escalation phase.
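
The same version check can be run from the defender's side against any Jenkins config.xml. This is an added example, not part of the original write-up: the function names and the trimmed sample config are constructed for illustration, and the fixed releases (2.442 weekly, 2.426.3 LTS) are taken from the Jenkins security advisory of 2024-01-24 rather than from this page.

```python
import re
import xml.etree.ElementTree as ET

# First releases carrying the CVE-2024-23897 fix (Jenkins advisory, 2024-01-24).
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Constructed sample: trimmed from the config.xml shown above.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <version>2.401.2</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
</hudson>
"""

def affected_by_cve_2024_23897(version: str) -> bool:
    """True if a Jenkins core version predates the fix (LTS: 3 parts, weekly: 2)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) == 3:
        return parts < FIXED_LTS
    if len(parts) == 2:
        return parts < FIXED_WEEKLY
    raise ValueError(f"unrecognised Jenkins version: {version!r}")

def audit_config(xml_text: str) -> list[str]:
    """Return a list of findings for a Jenkins global config.xml."""
    # Jenkins writes an XML 1.1 declaration; drop it so parsing does not
    # depend on the parser's XML 1.1 support.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(body)
    findings = []
    version = root.findtext("version", default="")
    if version and affected_by_cve_2024_23897(version):
        findings.append(f"core {version} is affected by CVE-2024-23897; upgrade")
    if root.findtext("useSecurity") != "true":
        findings.append("useSecurity is not enabled")
    if root.findtext("authorizationStrategy/denyAnonymousReadAccess") == "false":
        findings.append("anonymous read access is allowed (denyAnonymousReadAccess=false)")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("[!]", finding)
```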