Jeeves
https://www.hackthebox.eu/home/machines/profile/114
Nmap
I Started off scanning all ports and then a done a more intense scan on the ports found as per below:
I first tried enum4linux
on SMB and did not get any valid hits for null session. I next moved onto port 80 whilst kicking off gobuster
and nikto
on port 80 and port 50000 since it has been reported as HTTP
Port 80
Port 80 directs us over to a AskJeeves web page.
Entering a value into the field and searching produces a error page which on further inspection appears to be an image. Searching using potential SQL injections or any other search parameter produces the same result.
When viewing page source we get the following:
Selecting "jeeves.PNG" takes us to the above image. Based on this I will not be spending anymore time on port 80 as we have still not inspected port 50000.
Port 50000
Heading over to Port 50000 we land on the following page:
Clicking on the link takes us away to https://eclipse.org/jetty/
gobuster
reveals a directory of /askjeeves/ on this port.
Looks like we have unauthenticated access to Jenkins. As we have freedom of Jenkins we can select the "create new jobs" link. From here give the project a name and select "freestyle project".
On the next screen head down to "Build" and then select "Execute Windows batch command".
On this next part we are going to use nishang Invoke-PowershellTcp to get a reverse shell on the machine.
run the following with root permissions to install nishang
After install we can find the nishang files at /usr/share/nishang/shells
Start a python server in the shells directory as we will need to pull one of the files to gain shell.
Set up a netcat
listener. In this example I will be using port 443.
We can now insert the following command into the Jenkins batch command box. Changing IP and port where appropriate.
After you have completed this save the project at the bottom of the screen and then on the following screen select "Build now"
You should notice the python server receives a GET request for the file specified with a HTTP code 200. If you have incorrectly spelt the file you will receive a code 404.
netcat
should now pick up the shell and get you on the system as a low privilege account.
From here we can grab the user.txt flag before moving onto privilege escalation.
Privilege Escalation
For privilege escalation we should start with the normal system enumeration. We can run system info and run this against Windows_exploit_suggester.py
.
I have covered Windows_exploit_suggester usage here if you need to know how to use it:
After going through the results of the python script what sticks out to us is the following exploit:
FoxGlove Security have done a fantastic write up on the exploit which can be read here.
We can run the command whoami /priv
and see if we have any of the correct privileges to perform the exploit. the privilege SeImpersonatePrivilege
will allow us to run the exploit for MS16-075. This privilege is usually given to service accounts.
We will be using metasploi
t for the escalation and as such we will need to upgrade our shell to a meterpreter shell. Open msfconsole
and search for multi/script/web_delivery
set the correct options.
Run the module and it should create some Powershell code which needs to be run on the victim machine. The web_delivery module will keep a listener open waiting for when the code is run. When we execute the code on the victim machine this should give us a meterpreter shell back (depend on the payload you selected).
After running we should receive a shell back in msfconsole
.
We can now run a search for the exploit in msfconsole
after back grounding our meterpreter session.
Select options 1 for the juicy exploit and set the payload options. When you have filled out the correct information run the exploit and you should land a shell as system.
From here we should be able to grab root.txt?
Or not... Looks like we will have to look elsewhere.
After some time and looking literally everywhere I could not find the root flag. I eventually turned to the HTB forums for hints and eventually came to the right answer with the command Dir /R
this command allows you to view alternative datastream (ADS) files.
After retrieving root I did a little research on finding ADS files as I do not believe I would have found this without a hint. Malwarebytes have done a great blog post on the subject and have provided some good methods for over coming this.
Last updated