This time our goal is to attack another machine from Vulnhub called Jarbas.
Let’s start with
From this scan, we can see a bunch of open ports, but we can start from the usual port
After visiting this website, we are presented with this old school looking page.
But I could not find anything useful, after which I decided to check another port `8080` with another
From the source code, we can see that the website redirects to the `/login?from=%2F` directory. Let’s check that with the browser.
So we have information that the service running is `Jenkins`, but apart from brute forcing credentials, we do not have any more information.
After that I decided to check the `MariaDB` database hosted on port
Still, nothing there. At that point I decided to run a `gobuster` against web servers looking for directories, and then for files with
Here we have, first find! Let’s look at
Cracking the hashes easily reveals all of them.
Now after trying these credentials, `eder` worked and we are logged into the
But what can we do with it? There was a `/script/` directory allowing us to run any script we enter into the text box.
I use code from the HighOnCoffee blog, which will allow me to execute commands.
We can see that the code executes, showing us `jenkins` as the output. I tried the same with
Now we are sure that the commands are executed properly. My next step was to run some Java Reverse Shell.
And with our listener, we catch the connection.
One thing I’ve noticed during usual enumeration is an entry in crontab, executing a bash script every 5 minutes with root privileges.
I decided to try and put into that script a Python reverse shell snippet, that will give us back a root shell.
Great, now let’s set up a listener and wait for the new run of the script.
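Seen from the defender's side, the last step depends on a script that root runs from crontab being editable by a non-root account. The following is an added example, not part of the original write-up: it audits an `/etc/crontab`-style file for that condition. The function names and the `trusted_uid` parameter are assumptions made for illustration.

```python
import os
import stat

def root_cron_paths(crontab_text):
    """Yield absolute paths named in commands that an /etc/crontab-style file runs as root."""
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 6)   # 5 time fields, user, command
        if len(fields) < 7 or fields[0].startswith("#") or fields[5] != "root":
            continue                           # comment, env assignment, or non-root job
        for token in fields[6].split():        # @reboot-style shortcuts are not handled
            if token.startswith("/"):
                yield token

def weaknesses(path, trusted_uid=0):
    """Return reasons a user other than `trusted_uid` could change what runs at `path`."""
    reasons = []
    for target in (path, os.path.dirname(path)):
        try:
            st = os.stat(target)
        except OSError:
            continue                           # missing path: nothing to inspect
        if target == path and not stat.S_ISREG(st.st_mode):
            return []                          # devices or directories as arguments: out of scope
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if st.st_uid != trusted_uid:
            reasons.append(f"{target}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
            reasons.append(f"{target}: writable by group/other ({stat.filemode(st.st_mode)})")
    return reasons

def audit(crontab_text, trusted_uid=0):
    """Map each root-run path to its weaknesses; only flagged paths are returned."""
    findings = {}
    for path in root_cron_paths(crontab_text):
        reasons = weaknesses(path, trusted_uid)
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__":
    crontab = "/etc/crontab"                   # assumption: system crontab location
    if os.path.exists(crontab):
        with open(crontab) as fh:
            for path, reasons in audit(fh.read()).items():
                print(path, *reasons, sep="\n  ")
```

Any path it reports should be owned by root with mode 755 or stricter, in a directory that only root can write to.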