search

Jeeves

https://app.hackthebox.com/machines/114

Difficulty: HARD

hashtag
Reconnaissance

hashtag
Nmap

Nmap scan report for 10.10.10.63
Host is up (0.35s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-26T17:29:27
|_  start_date: 2023-03-26T17:21:07
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 40s, deviation: 0s, median: 40s

hashtag
HTTP - Port 80

Enumerating the port 80 you can see that there is askjenkins service.

Here when you search something it throws an error but is an image.

There is just an error.html and nothing else even when you search something.

So, at the first view a think this was a rabbit hole to make us waste our time.

hashtag
HTTP Jetty - Port 50000

Starting to Enumerate the http ports by fuzzing their url's.

We found something a jenkins server in the port 50000 so, this can be our opportunity to gain a foothold on the machine.

When you enter the askjeeves directory you see that we can edit things here.

Time to exploit this : }

hashtag
SMB & NetBIOS - Port 445/139

You cannot see any files and vulns here, nothing interesting.

hashtag
Exploitation

hashtag
HTTP Jetty - Port 50000

To exploit Jenkins using the script console use the following script and change the variables to your IP and so on.

Remember set your netcat with the specified port first to get the cmd shell.

Here you can see that we gain access to the system.

hashtag
Privilege escalation

There are 2 different ways to root the machine.

hashtag
Method 1

The first method is to look for in some directories and you will find a kdbx database so, you can download this to start cracking the database of passwords.

To make the crackeable hash use the following commands

Once you have the password, open the database with keepassxc and use the cracked password.

You'll see different passwords, but the most interesting is the first one, beacuse we have an NTLMv1 hash and we can use it to try pass the hash with the user administrator and others.

Here we try to pass the hash to the use admin in the machine and fortunately is the hash of the user admin.

So, you can gain a shell using psexec to get nt authority privileges.

hashtag
Method 2

Enumerating the privileges information, we can see that the SeImpersonatePrivilege is enable so, we can exploit this using the juicypotato binary.

LogoGitHub - ohpe/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.GitHubchevron-right

Once we download the binary to the machine, I'll start doing a backdoor user and assigning to it administrator privileges.

Now set the administrator group to papishampoo.

After those two commands we need to modify it in the windows registry too using the following.

Now use crackmapexec to see if we have the administrator privileges.

We can that we pwned as well by doing this.

PreviousWindowsNextBart

Last updated