Hack the Box (JEEVES)

The 90s: pagers, colored iMacs, and Ask Jeeves

Started as always with an nmap scan on the target.

nmap -sC -sV -v -p- -oA nmap

Through this scan we identified ports 80, 135, 445 and 50000. We also identified a few running services and their version numbers.

I typically leave HTTP for last, as the enumeration methods can take us down a rabbit hole very quickly.

First I attempted to interact with SMB using smbclient and rpcclient to no avail. Then I switched my focus to port 80.

Browsing to the site we get the Ask Jeeves search page.

Browsing to port 50000, we are met with a 404 “not found” error and discover that Jetty is present on the server, along with its version number, which we already knew from our initial scan.

Nikto scans did not return substantial new information. Then I used dirbuster on both ports. Nothing fruitful came back on port 80, but port 50000 is another story.

The askjeeves directory returned numerous results. Browsing there we are presented with the following:

The Jenkins automation service is using version 2.87.

After looking through various areas in the interface, we find a script console.

Through research on Jenkins Groovy script console vulnerabilities we find the following site:


Which provides a tutorial for command execution.

The above executes the dir command through the command shell.

Success! Now let’s get a shell. Using the following four commands, I got netcat onto the target machine.

First I verified that the commands to write the PowerShell script were successful.

Success! The contents look correct with the correct quotes as well.

Then I started the server from the directory containing nc.exe.

I executed the PowerShell script, which downloads the file.

I verified the script was successful by noting the GET request from the Jeeves server.

I executed the netcat executable (in this case called output-file.exe) to send a shell to my attacking machine.

Success!! But I prefer to use a meterpreter session on a Windows box. I wish there was an easy way to create one based on the shell I already have.

The web delivery script is a module that starts a server on the attacking machine which hosts a payload. When the victim connects to that server, the payload is executed on the victim machine. The module has a PowerShell option which generates a one-line string that needs to be executed on the remote Windows machine.

Creation of the PowerShell string

Execution of the PowerShell string on the target

Target grabbing the payload and executing

Session created

We can see that we are on a Windows 10 machine and have the rights of the user kohsuke.

Tidbit: Kohsuke Kawaguchi is known for creating the Jenkins software.

Now we have access to the user flag.

After enumeration and a rabbit hole of trying to break the Jenkins admin password, a colleague of mine asked if I had found the KeePass file. Digging down that road led me to the CEH KeePass database.

I downloaded the database to my attacking machine.

Based on data extraction challenges from the past, I know the keepass2john application extracts a crackable hash from the database in a format John the Ripper understands.

Using keepass2john on the database to generate the hash

Using John the Ripper we crack the password.

Great, the password for the database is “moonshine1”. Now let’s open up the database.

Using my Windows VM I opened up CEH.kdbx with KeePass.

Note: Ctrl+H is the shortcut to show passwords in KeePass.

The last one looks an awful lot like an NTLM hash: “aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00”

Let’s try to pass the hash.

Yes, access! Now let’s just go into the Admin desktop and get our root flag….

No root flag but what’s hm.txt?

After spending time searching around with nothing coming up, I knew the HTB rules state that the root flag must be here, so I started researching hidden files in Windows.

Which led me to:

Using the /R flag for dir to display the alternate data streams of files.

There you are, hiding in hm.txt.
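Added example (not part of the original write-up): the same hunt, done from the PowerShell side so a defender or admin can sweep a whole directory tree for non-default NTFS streams instead of running dir /R file by file. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the function name and the path in the usage line are my own choices.

```powershell
# Added example, not from the Jeeves write-up. Walks a directory tree and
# reports every alternate data stream, with a short text preview, so content
# hidden the way the root flag was in hm.txt shows up in one listing.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,   # root of the sweep (hypothetical value below)
        [int] $PreviewChars = 64                 # how much of each stream to show
    )

    # -Force includes hidden files; -File skips directories, which have no
    # data streams of their own and would make Get-Item -Stream error out.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        # ':$DATA' is the ordinary file content, so everything else is an ADS.
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $preview = try {
                $raw = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Raw -ErrorAction Stop
                if ($null -eq $raw) { '' } else { $raw.Substring(0, [Math]::Min($raw.Length, $PreviewChars)) }
            } catch { '<unreadable>' }

            [pscustomobject]@{
                File    = $_.FileName
                Stream  = $_.Stream
                Length  = $_.Length
                # Zone.Identifier is the "downloaded from the internet" mark
                # that browsers add; it is common and rarely the interesting one.
                Suspect = ($_.Stream -ne 'Zone.Identifier')
                Preview = $preview
            }
        }
}

# Usage (path is a placeholder): list the suspicious streams first.
Find-AlternateDataStreams -Path 'C:\Users\Administrator\Desktop' |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize
```

On the box in the write-up this would list hm.txt with its hidden stream and a preview of the flag text, while a file that merely came from the internet shows only a Zone.Identifier stream flagged as not suspect.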