Hack the Box (JEEVES)
The 90s: pagers, colored iMacs, and Ask Jeeves
As always, I started with an nmap scan of the target.
nmap -sC -sV -v -p- -oA nmap 10.10.10.63
This scan identified open ports 80, 135, 445 and 50000, along with several running services and their version numbers.
I typically leave HTTP for last, since web enumeration can take us down a rabbit hole very quickly.
First I attempted to interact with SMB using smbclient and rpcclient, to no avail. Then I switched my focus to port 80.
Browsing to the site, we get the Ask Jeeves search page.
Browsing to port 50000, we are met with a 404 “not found” error, which reveals that Jetty is present on the server along with its version number, something we already knew from the initial scan.
Nikto scans did not return substantial new information. I then ran dirbuster against both ports. Nothing fruitful came back on port 80, but port 50000 is another story.
The askjeeves directory returned numerous results. Browsing there, we are presented with the following:
The Jenkins automation service is running version 2.87.
After looking through various areas of the interface, we find a script console.
Researching Jenkins Groovy script console vulnerabilities led us to the following site:
It provides a tutorial for command execution.
The above executes the dir command through the command shell.
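The script console is a legitimate Jenkins administration feature; the problem on this box is that it was reachable without logging in. A defender who wants to know whether that has happened can look for the console's two endpoints, /script (the form) and /scriptText (the API form), in the Jetty access log and pay attention to the authenticated user column. The following is an added example written for this walkthrough, not code from the page or from the Jenkins project; the log lines are constructed in NCSA combined format, the /askjeeves context path is taken from the page, and the severity labels are my own convention.

```python
"""Flag Jenkins script-console use in HTTP access logs (added example)."""
import re
from typing import Dict, List, Optional

# Jenkins exposes the Groovy console at .../script (form) and .../scriptText (API).
# Both are legitimate admin endpoints; the signal is WHO calls them, and whether the
# instance lets unauthenticated ("-") users reach them at all.
SCRIPT_CONSOLE_LEAVES = ("script", "scriptText")

# NCSA-style access log line: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log, not captured from the target.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2018:10:00:01 +0000] "GET /askjeeves/ HTTP/1.1" 200 5123
10.10.14.5 - - [01/Jan/2018:10:00:09 +0000] "GET /askjeeves/script HTTP/1.1" 200 9876
10.10.14.5 - - [01/Jan/2018:10:00:31 +0000] "POST /askjeeves/script HTTP/1.1" 200 10112
10.10.14.5 - - [01/Jan/2018:10:01:02 +0000] "POST /askjeeves/scriptText HTTP/1.1" 200 45
10.10.14.9 - admin [01/Jan/2018:11:15:00 +0000] "POST /askjeeves/script HTTP/1.1" 200 10230
10.10.14.9 - admin [01/Jan/2018:11:16:00 +0000] "GET /askjeeves/job/build/ HTTP/1.1" 200 4000
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_script_console(path: str) -> bool:
    """True when the request path's last segment is a script console endpoint."""
    clean = path.split("?", 1)[0].rstrip("/")
    return clean.rsplit("/", 1)[-1] in SCRIPT_CONSOLE_LEAVES


def classify(event: Dict[str, str]) -> str:
    """Severity convention for this example: anonymous POST (script submitted without
    login) is high, authenticated POST is medium, merely viewing the form is low."""
    anonymous = event["user"] == "-"
    if event["method"] == "POST":
        return "high" if anonymous else "medium"
    return "low"


def find_script_console_use(log_text: str) -> List[Dict[str, object]]:
    """Return every script-console request with an 'anonymous' flag and a severity."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_script_console(ev["path"]):
            hit: Dict[str, object] = dict(ev)
            hit["anonymous"] = ev["user"] == "-"
            hit["severity"] = classify(ev)
            hits.append(hit)
    return hits


def severity_counts(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Tally hits by severity so a single anonymous POST stands out in a summary."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for h in hits:
        counts[str(h["severity"])] += 1
    return counts


if __name__ == "__main__":
    found = find_script_console_use(SAMPLE_LOG)
    for h in found:
        print(f'{h["severity"]:6} {h["ip"]} user={h["user"]} {h["method"]} {h["path"]}')
    print(severity_counts(found))
```

Any "high" row means Groovy was submitted by a client that never authenticated, which on a default Jenkins install should be impossible: the console requires the Overall/Administer permission, so the fix is to turn security on and stop granting that permission to anonymous. Authenticated POSTs are normal admin activity but still worth correlating with change tickets, since the console runs with the privileges of the Jenkins service account.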
Success! Now let’s get a shell. Using the following four commands, I got netcat onto the target machine:
First I verified that the commands that write the PowerShell script succeeded.
Success! The contents look correct, including the quotes.
Then I started the server from the directory containing nc.exe.
I executed the PowerShell script, which downloads the file.
I verified the script succeeded by noting the GET request arriving from the Jeeves server.
I ran the netcat executable (in this case named output-file.exe) to send a shell back to my attacking machine.
Success!! But I prefer a Meterpreter session on a Windows box. I wish there were an easy way to create one from the shell I have.
The web delivery script is a module that starts a server on the attacking machine to host a payload. When the victim connects to that server, the payload is executed on the victim machine. The module has a PowerShell method that generates a string which must be executed on the remote Windows machine.
Creation of the PowerShell string
Execution of the PowerShell string on the target
The target fetching the payload and executing it
We can see that we are on a Windows 10 machine with the rights of the user kohsuke.
Tidbit: Kohsuke Kawaguchi is known for creating Jenkins.
Now we have access to the user flag.
After enumeration and a rabbit hole of trying to break the Jenkins admin password, a colleague of mine asked if I had found the KeePass file. Digging down that road led me to the CEH KeePass database.
I downloaded the database to my attacking machine.
From data extraction challenges in the past, I know the keepass2john utility extracts a crackable hash in a format John the Ripper understands.
Running keepass2john on the database to generate the hash
Using John the Ripper, we crack the password.
Great, the password for the database is “moonshine1”. Now let’s open up the database.
Using my Windows VM, I opened CEH.kdbx in KeePass.
Note: Ctrl+H is the shortcut to show passwords in KeePass.
The last one looks an awful lot like an NTLM hash: “aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00”
Let’s try to pass the hash.
Yes, access! Now let’s just go to the Admin desktop and grab our root flag….
No root flag, but what’s hm.txt?
After spending time searching around with nothing turning up, I knew the HTB rules state that the root flag must be here, so I started researching hidden files in Windows.
This led me to an article on www.howtogeek.com from its “Stupid Geek Tricks” series (little-known tricks to impress your non-geek friends).
Using the /R flag for dir to display alternate data streams of files:
There you are, hiding in hm.txt.
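The lesson for the blue team is the same one the walkthrough learned the hard way: a plain directory listing hides named streams, and dir /R is the cheapest way to surface them during a triage. When a responder collects dir /R output from many hosts, the useful step is to parse it and separate well-known benign streams (the Zone.Identifier mark-of-the-web that browsers write on downloads) from streams that merit a look. The following is an added example written for this page, not code from the original; the dir /R output is constructed, the stream name hidden_stream_placeholder.txt and all sizes are placeholders, and only the hm.txt file name comes from the walkthrough.

```python
"""Triage alternate data streams from saved `dir /R` output (added example)."""
import re
from typing import Dict, List, Tuple

# `dir /R` prints each file's named streams on the line(s) after the file entry,
# indented with no date/time, as:  <size> <file>:<stream>:$DATA
# The default unnamed stream is not listed, so every stream line is a real extra.
STREAM_RE = re.compile(
    r'^\s+(?P<size>[\d,]+)\s+(?P<file>.+?):(?P<stream>[^:]+):\$DATA\s*$'
)

# Stream names that are expected on ordinary systems; extend for your environment.
BENIGN_STREAMS = {"Zone.Identifier"}  # mark-of-the-web on downloaded files

# Constructed sample listing; the hidden stream name and sizes are placeholders.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\\Users\\Administrator\\Desktop

11/03/2017  11:47 PM    <DIR>          .
11/03/2017  11:47 PM    <DIR>          ..
11/03/2017  11:46 PM                36 hm.txt
                                    34 hm.txt:hidden_stream_placeholder.txt:$DATA
11/03/2017  11:50 PM           512,000 installer.exe
                                    26 installer.exe:Zone.Identifier:$DATA
11/03/2017  11:47 PM             2,106 notes.txt
               3 File(s)        514,142 bytes
               2 Dir(s)  7,000,000,000 bytes free
"""


def parse_dir_r(text: str) -> Dict[str, List[Dict[str, object]]]:
    """Map each file that carries named streams to a list of {'stream', 'size'}."""
    streams: Dict[str, List[Dict[str, object]]] = {}
    for line in text.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue  # directory entries, headers and totals never match
        size = int(m.group("size").replace(",", ""))
        streams.setdefault(m.group("file"), []).append(
            {"stream": m.group("stream"), "size": size}
        )
    return streams


def suspicious_streams(
    streams: Dict[str, List[Dict[str, object]]]
) -> List[Tuple[str, str, int]]:
    """Drop well-known benign stream names; whatever remains deserves a look."""
    return [
        (fname, str(s["stream"]), int(s["size"]))
        for fname, lst in streams.items()
        for s in lst
        if s["stream"] not in BENIGN_STREAMS
    ]


if __name__ == "__main__":
    found = parse_dir_r(SAMPLE_DIR_R)
    for fname, stream, size in suspicious_streams(found):
        print(f"{fname}:{stream}  ({size} bytes) - inspect this stream")
```

Once a stream is flagged, its content can be read on the host with PowerShell's Get-Content -Stream <name> (or listed with Get-Item -Stream *), which is also how to confirm a suspected stream when dir /R output is not available. Note that the parent file's reported size (36 bytes for hm.txt above) never includes its named streams, which is exactly why a flag or a dropped binary can sit on a desktop without any size discrepancy giving it away.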