To "pwn" the Jenkins Butler Windows VM, you will transition from external reconnaissance to web exploitation, and finally to local privilege escalation.
Below is the high-level workflow for this specific attack chain:
Phase 1: External Interception & Reconnaissance
FoxyProxy & Kali Linux: Configure FoxyProxy in your browser to route traffic through Burp Suite's proxy listener (usually 127.0.0.1:8080). Every request to the Jenkins instance then passes through Burp, where you can inspect and modify it before it reaches the server.
Discovery: Use Burp Suite's Proxy and Target tabs (the site map) to enumerate the Jenkins application. You are looking for endpoints reachable without authentication, such as /script (the Script Console) and its plain-text variant /scriptText, and for the version Jenkins advertises in the X-Jenkins response header and the page footer, which you check against known issues (e.g., CVE-2024-23897, an arbitrary file read through the Jenkins CLI that can expose secrets useful in the next phase rather than giving code execution directly).
Phase 2: Exploiting Jenkins (The Foothold)
The Attack: If the Script Console is reachable, you can run arbitrary Groovy inside the Jenkins JVM, and it executes with the privileges of the account running the Jenkins service; that is the foothold. If the console is locked down, use Burp's Repeater or Intruder to deliver a request for a specific Remote Code Execution (RCE) vulnerability that affects the version you discovered.
Payload: Craft a Groovy snippet that spawns powershell.exe with a reverse-shell one-liner. Passing the script as -EncodedCommand (base64 of its UTF-16LE bytes) avoids quoting problems in the Groovy string. Start the listener on Kali first (nc -lvnp <port>); once the request is sent through Burp, the Jenkins server (running as a low-privileged user) connects back to it.
Phase 3: Privilege Escalation to SYSTEM
PEASS-ng (winPEAS): Once you have a shell, transfer winPEAS.exe (or winPEAS.ps1) to the Windows VM, for example by serving it from Kali over HTTP and fetching it from the shell.
Enumeration: Run it to scan for "low-hanging fruit." It highlights in red the misconfigurations most likely to lead to Admin/SYSTEM access:
Unquoted Service Paths: A service whose ImagePath contains spaces but no quotes, so Windows may run a binary you plant earlier in the path (e.g., C:\Program.exe) the next time the service starts. You need write access to that directory and a way to restart the service (or a reboot).
Stored Credentials: Passwords left in the registry (e.g., AutoLogon entries) or in Jenkins configuration files such as credentials.xml, whose secrets are decryptable with the instance's own key material.
Token Impersonation: Whether the current user holds SeImpersonatePrivilege, which service accounts commonly have and which lets potato-family tools obtain a SYSTEM token.
Execution: Based on the winPEAS output, apply the matching technique (e.g., dropping your own binary into the hijackable service path and restarting the service, or running a token-impersonation exploit) to escalate to NT AUTHORITY\SYSTEM, and confirm with whoami.
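Added example, not from the page: what the unquoted-service-path check in winPEAS actually computes. For an unquoted ImagePath with spaces, the service control manager tries every space-delimited prefix with .exe appended before it reaches the real binary, so those prefixes are the files an attacker would plant. The sample ImagePath values are constructed; on Windows the script reads the real ones from the registry, and the writable() check is only a first pass (confirm with icacls before planting anything).

```python
import ntpath
import os
import sys
from typing import Dict, List

# Constructed sample of service ImagePath values (not from the Butler VM).
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\svc.exe" -run',
    "WeakSvc": r"C:\Program Files\Some Vendor\Agent Tool\agent.exe -service",
    "SysSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "NoSpaceSvc": r"C:\Tools\svc.exe",
}


def hijack_candidates(image_path: str) -> List[str]:
    """Files Windows would try, in order, before the real binary, for an
    unquoted ImagePath that contains spaces. Empty if the path is quoted,
    has no spaces, or its first space comes after the .exe (safe)."""
    path = image_path.strip()
    if not path or path[0] == '"' or " " not in path:
        return []
    tokens = path.split(" ")
    candidates: List[str] = []
    prefix = tokens[0]
    for tok in tokens[1:]:
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; the rest are arguments
        candidates.append(prefix + ".exe")
        prefix = prefix + " " + tok
    return candidates


def writable(candidate: str) -> bool:
    """Rough check that the directory where the planted .exe would live is
    writable by the current user (os.access is weak on Windows; use icacls)."""
    return os.access(ntpath.dirname(candidate) or ".", os.W_OK)


def load_service_image_paths() -> Dict[str, str]:
    """On Windows read ImagePath for every service from the registry (the same
    source winPEAS and `sc qc` use); elsewhere return the constructed sample."""
    if sys.platform != "win32":
        return SAMPLE_IMAGE_PATHS
    import winreg  # only available on Windows
    out: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    value, _ = winreg.QueryValueEx(key, "ImagePath")
            except OSError:
                continue  # entries without an ImagePath
            if isinstance(value, str):
                out[name] = winreg.ExpandEnvironmentStrings(value)
    return out


def audit(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service with an unquoted, space-containing path to the
    candidate files an attacker could plant."""
    result: Dict[str, List[str]] = {}
    for name, path in image_paths.items():
        cands = hijack_candidates(path)
        if cands:
            result[name] = cands
    return result


if __name__ == "__main__":
    for svc, cands in audit(load_service_image_paths()).items():
        print(f"[!] {svc}")
        for cand in cands:
            print(f"    {cand}{'  (dir writable)' if writable(cand) else ''}")
```

The order matters: the first writable candidate in the list is the one to plant, because Windows stops at the first file it can start. Whether you can then trigger execution (sc stop/start on the service, or a reboot) is a separate check that this script does not perform.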
Tools used in this chain
FoxyProxy: Manages the browser-to-Burp connection for seamless interception.
Burp Suite: Manipulates HTTP requests to exploit Jenkins web vulnerabilities (RCE).
Kali Linux: The command center hosting the listener and attack scripts.
winPEAS (PEASS-ng): Automates the search for Windows misconfigurations to gain Admin rights.