Hack the Jarbas: 1 (OSCP Preparation Machine)
Hello readers. We recently tried our hand at the vulnerable VM called Jarbas on VulnHub. It is built to look like a 90s Portuguese search engine and was made by Tiago Tavares. You can download the lab from here. The objective of this challenge is to get a root shell.
Difficulty Level: Easy
Steps involved:
Method 1:
- Port scanning and network discovery.
- Directory enumeration.
- Discovery of usernames and password hashes.
- Cracking the password hashes.
- Exploiting Jenkins on port 8080 using Metasploit.
- Discovering the cron job.
- Modifying the cron script, replacing it with a custom command that sets the SUID bit on find.
- Waiting 5 minutes for the SUID bit to get set.
- Executing a root command to read the flag.
Method 2:
- Exploiting Jenkins as above to get a shell.
- Using OpenSSL to create a password hash.
- Editing the /etc/passwd file with our custom file.
- Uploading it to the /tmp folder.
- Copying it in place of /etc/passwd.
- Logging in as root using the su binary.
Method 3:
- Achieving meterpreter as above.
- Uploading a reverse_bash one-liner into CleaningScript.sh.
- Activating netcat and getting root.
Method 1:
After running a netdiscover scan we figured out that the IP DHCP had allotted to the VM was 192.168.1.122 in my case. So, we used an nmap aggressive scan to discover the open ports on the VM.
There was a webpage associated with the VM so we opened it in the browser.
When nothing there seemed interesting, we enumerated the directories using DirBuster.
Since index.html is the default page and there was another HTML page available, we tried to open it in the browser.
We found some password hashes in access.html, which we cracked online on hashkiller.
WOW! We have three passwords in hand now.
Now, remember we had port 22 open in our nmap scan report, so we tried to log in over SSH using the usernames and passwords we had just cracked, but it didn’t work. So, we looked at another interesting port, 8080, and opened it in the browser.
We found Jenkins running there. It is an open source automation server written in Java that helps to automate the non-human part of the software development process, with continuous integration and support for the technical aspects of continuous delivery.
We tried to login with all three of the usernames and passwords but the third combination logged us into Jenkins which was:
Now, we found that Jenkins had a script console vulnerability and that Metasploit has a module for it.
We got a meterpreter session! Let’s try to get a proper TTY here using Python’s one-liner shell:
Now, in the crontab we found a shell script called CleaningScript.sh that ran automatically every 5 minutes and whose job was to remove the access log from the system.
Even better, it was running with root permissions!
Let’s create a new file in gedit called CleaningScript.sh that uses the root privilege of the cron job to set the SUID bit on find.
Now, all that was left to do was to upload this new shell script to the server in place of the original file.
So, we backgrounded the shell (CTRL+Z) and used the meterpreter upload command.
We observed the time and waited for exactly 5 minutes for the script to run automatically.
After 5 minutes:
Permissions modified: -rwsr-xr-x
The SUID bit got set! Now we just need find’s inline command execution (-exec) to run commands as root:
As you can see, all the users got enumerated, and the command ran as root.
Hence, we can execute any command as root now!!
A file called flag.txt was visible in the root directory.
Method 2:
For this method, we get the meterpreter session as above and then drop into a shell. This time we used the echo command to set the SUID bit on /usr/bin/cp.
We then read the /etc/passwd file with cat.
Our aim was to add a user with root privileges to /etc/passwd. So, we used the OpenSSL utility to create a password hash with the command:
Copy the password hash somewhere safe now.
Copy the contents of /etc/passwd into a leafpad file and add our custom user there.
Save this file somewhere on the desktop and upload it to the server’s /tmp (world-writable) directory.
Then use cp (since we set the SUID bit on it) to copy this file over the original with the command:
Let’s try to log in using the su binary:
Voila! We got a root shell! Let’s read the flag now.
Method 3:
Achieve a shell as above and, in another terminal window, try this msfvenom command:
Since we know CleaningScript.sh is run as root every 5 minutes, we copy this one-liner into CleaningScript.sh, start a netcat listener alongside it and wait for 5 minutes.
In the other window, after 5 minutes, we get a root shell!
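The three weaknesses this walkthrough chains together (a root cron script that any user can rewrite, an unexpected SUID bit on find and cp, and an extra UID-0 entry in /etc/passwd) are all cheap to detect on a host. The following audit script is an added example and is not part of the original write-up or the Jarbas VM. Everything under $DEMO is a constructed mock-up with hypothetical paths (/etc/scripts/CleaningScript.sh, backup.sh, a "hacker" account); on a live machine you would point the three functions at the real /etc/cron.d file, /usr/bin and /etc/passwd.

```shell
#!/bin/sh
# Added audit example: detect the three weaknesses chained in the Jarbas
# write-up. Everything under $DEMO is a constructed mock-up (hypothetical
# paths) so the script runs offline; on a live host pass the real
# /etc/cron.d file, /usr/bin and /etc/passwd instead.
set -u

# 1. Cron jobs that run as root from a script writable by "other".
#    $1: cron.d-style file (min hour dom mon dow user command)
#    $2: prefix prepended to the command path (empty on a live system)
#    -perm -002 tests the mode bits, so the result is the same whether
#    the audit itself runs as root or as an unprivileged user.
writable_cron_scripts() {
    cronfile=$1; prefix=${2:-}
    awk '$1 !~ /^#/ && NF >= 7 && $6 == "root" { print $7 }' "$cronfile" |
    while IFS= read -r script; do
        if [ -n "$(find "$prefix$script" -perm -002 -print 2>/dev/null)" ]; then
            echo "$script"
        fi
    done
    return 0
}

# 2. SUID files under a directory whose basename is not in a baseline list
#    (one expected SUID program per line, e.g. passwd, sudo).
unexpected_suid() {
    dir=$1; baseline=$2
    find "$dir" -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r bin; do
        grep -qx "$(basename "$bin")" "$baseline" || echo "$bin"
    done
    return 0
}

# 3. Accounts in a passwd-format file with UID 0 that are not "root".
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# ---- constructed mock-up of a host in the post-exploitation state ----
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/etc/cron.d" "$DEMO/etc/scripts" "$DEMO/usr/bin"
{
    echo '# constructed cron.d entries'
    echo '*/5 * * * * root /etc/scripts/CleaningScript.sh'
    echo '0 3 * * * root /etc/scripts/backup.sh'
} > "$DEMO/etc/cron.d/cleaning"
printf '#!/bin/sh\nrm -f /var/log/httpd/access_log\n' > "$DEMO/etc/scripts/CleaningScript.sh"
printf '#!/bin/sh\ntar czf /root/backup.tgz /srv\n' > "$DEMO/etc/scripts/backup.sh"
chmod 777 "$DEMO/etc/scripts/CleaningScript.sh"   # the Jarbas weakness: anyone can rewrite it
chmod 755 "$DEMO/etc/scripts/backup.sh"           # root-only write: fine
for b in find cp passwd; do : > "$DEMO/usr/bin/$b"; chmod 4755 "$DEMO/usr/bin/$b"; done
echo passwd > "$DEMO/suid-baseline.txt"            # passwd is expected to be SUID; find and cp are not
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$DEMO/etc/passwd"
printf 'bob:x:1000:1000::/home/bob:/bin/bash\n' >> "$DEMO/etc/passwd"
printf 'hacker:x:0:0::/root:/bin/bash\n' >> "$DEMO/etc/passwd"   # the Method 2 backdoor account

echo '== root cron scripts that other users can write =='
writable_cron_scripts "$DEMO/etc/cron.d/cleaning" "$DEMO"
echo '== SUID files not in the baseline =='
unexpected_suid "$DEMO/usr/bin" "$DEMO/suid-baseline.txt"
echo '== UID-0 accounts other than root =='
extra_uid0 "$DEMO/etc/passwd"
```

Against the mock-up the script reports /etc/scripts/CleaningScript.sh, the SUID copies of cp and find, and the hacker account. The permission checks use find -perm rather than the shell's -w test on purpose: -w answers "can the current user write this?", which is always yes for root, whereas the mode bits tell you whether any other user could. Keeping a per-host SUID baseline file (generated on a known-good image) is what turns check 2 from noise into an alert.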
So, that’s how we captured the flag in this VM. Happy Hacking.