Wednesday, 9 January 2019

Jarbas CTF

Below you will find a few details about "Jarbas", a CTF prepared by Tiago Tavares. Thanks to VulnHub, the VM is waiting for you here. Let's go...
I started with an nmap scan; we should be somewhere here:


(I started with Jetty; while I was looking for some useful resources about 'bugs in Jetty' I found this article. Maybe you will find it useful too. ;))

Checking:

...just to 'be sure':


Ok, next. Checking webpage:

Hm. Nice 'template'. Looks 'promising' ;]

Checking HTTP 8080/tcp:


Checking source:


Ok. Next: checking more dirs/locations:

I decided to switch to Metasploit for a while to check a few 'options' prepared there for Jenkins, for example:



It's always good to search for other bugs/advisories 'in the meantime':

So we are here:


'No shell'. Not good. Checking WWW again:


More:


Checking hint from headers:


So this is the reason to RTFM. ;]


Checking more (dirb):

Great finding:

Checking more:

...and more (similar case to the one described before):

And...


Great! Checking md5's at Google:


Next:


Next:


Preparing my new userlist.txt:


Checking access with new credentials:


Great. Next step (+ a few hints from PentestMonkey):


Let's go to the command-line:


Thanks to PentestMonkey hints:

Checking our new CLI-script:


(with netcat listening on our favourite port):


And...
Nothing :) It happens when you're using the 'wrong' payload or shellcode ;> So...


Preparing:
Perms:

Checking:


Now it's good ;]


After checking files in /etc/ on the target box I found this interesting line in the crontab file:


How can we use it?

I tried to use it like this:


Checking if we can rewrite the file:


Cool. So now we'll wait...


But not for long:


Last thing:

Ok, looks good. :)
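
From the defender's side, the crontab finding above comes down to a root job executing a file that a less privileged user can rewrite. The added example below (not part of the original write-up) audits /etc/crontab-format text for that condition; the sample job path is constructed, since the actual crontab line is not reproduced here.

```python
import os
import shlex
import stat
import tempfile

def cron_jobs(crontab_text):
    """Yield (user, command) for each job in /etc/crontab-style text."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                      # environment line, e.g. PATH=...
            continue
        # "@reboot user cmd" has 1 schedule field, a normal job has 5
        n_sched = 1 if first.startswith("@") else 5
        fields = line.split(None, n_sched + 1)
        if len(fields) == n_sched + 2:
            yield fields[n_sched], fields[n_sched + 1]

def audit(crontab_text):
    """Return [(user, path, reason)] for root jobs that run files others can modify."""
    findings = []
    for user, command in cron_jobs(crontab_text):
        if user != "root":
            continue
        try:
            tokens = shlex.split(command)
        except ValueError:                    # unbalanced quotes: split on whitespace
            tokens = command.split()
        for tok in tokens:
            if not (tok.startswith("/") and os.path.isfile(tok)):
                continue
            st = os.stat(tok)
            if st.st_mode & stat.S_IWOTH:
                findings.append((user, tok, "world-writable"))
            elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
                findings.append((user, tok, "group-writable"))
            elif st.st_uid != 0:
                findings.append((user, tok, "not owned by root"))
    return findings

if __name__ == "__main__":
    # Constructed sample: a hypothetical job script with loose permissions.
    script = os.path.join(tempfile.mkdtemp(), "job.sh")
    open(script, "w").close()
    os.chmod(script, 0o777)
    sample = f"PATH=/sbin:/bin\n*/5 * * * * root {script} >/dev/null 2>&1\n"
    for user, path, reason in audit(sample):
        print(f"{path}: runs as {user}, {reason}")
```

On a real host, pass the contents of /etc/crontab and the files under /etc/cron.d to `audit()`; any finding should be fixed by making the file root-owned with mode 0755 or stricter.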

See you next time.

Cheers




