Jeeves - HackTheBox Writeup


The link for this machine is located here: https://app.hackthebox.com/machines/114


This room covers exploiting a public Jenkins server including gaining an initial reverse shell using GroovyScript. From there, we perform privilege escalation by cracking a juicy KeePass file.


Full Walkthrough

First thing we can do is scan the machine with nmap using the following parameters:

  • -p- for all ports

  • 10.10.10.63 for the target

  • -oN allports.scan to output to a file

This returns 4 ports as open - 80, 135, 445, 50000. To get more information, we can perform a more detailed scan.

This tells us that Microsoft IIS is running on port 80, SMB is running on 445, and something called “Jetty” is running on port 50000.

The first thing I normally do is check the website to see what is running on the target machine.

Here, we see what looks like a search bar similar to a search engine. If it is some kind of search engine, there is probably some interesting code we can check.

Unfortunately for us, there is nothing. Hitting the Search button does nothing and the links to web, images, news and lots of answers don’t actually link to anything - they simply link back to the home page.

If we try and search something, we get what looks like a server error:

However, if you try to highlight anything on that page, it looks like it highlights the whole thing which tells me it is an image. We can confirm this by looking at the source code.

With this, we can try and connect to port 50000 through the web browser as well.

This reveals another web page of sorts that simply tells us it is powered by Jetty and shows an HTTP 404 error, but if we check the source code it seems like another fake error page.

From here, we could check out the SMB service, but I decided to try and find hidden directories on both the web pages running - port 80 and 50000.

Port 80 reveals nothing for us yet, but we can let it run.

Additionally, port 50000 returns nothing immediately but we can still let it run just in case. In the meantime, we can check out the SMB service running by first trying to access it without any credentials:

Unfortunately, we get an access denied. From here, we can try and run an automated enumeration tool like enum4linux to see if it gathers any information for us.

Once again, we get an error stating that the server doesn’t allow a session without credentials. From here, if we go back to our Feroxbuster scans, we can see that on port 50000 it found a hidden directory titled askjeeves.

We can navigate to this and find a Jenkins server where, by the look of it, we have access to the full panel.

From here, we can find a login page.

However, as of right now, there is no real point in trying to log in as we already have unauthenticated access to the panel.

From here, we can try and access the Script Console which has the ability to spawn us a reverse shell.

And we have full access to the Script Console. Reading the description, the console uses something called Groovy to execute scripts.

Doing a little research, we can find the syntax for Groovy and execute a simple script to start - the following script simply executes the dir command in Windows to list out the contents.

When we hit the Run button, we can see the Results of the script down below the console.

It works. From here, we can do a variety of things. If you wanted, you could find a Groovy script that spawns a reverse shell like the following on GitHub.

Another option is that we can utilize Netcat to get a reverse shell instead. To do this, we can grab the nc.exe file and host it in a Python web server.

Then, we can use the following Groovy script and PowerShell commands to grab the Netcat executable and download it.

Checking our Python server, we can see that a GET request was submitted for the nc.exe file meaning it was successful.

Listing out the contents once again like we did previously, we can see the nc.exe file on the Windows file system.

Now that we know it exists, we can start a Netcat listener on port 443.

Then, we can use the following Groovy script to execute Netcat and tell it to connect back to us on port 443 using cmd.exe.

Checking our Netcat listener, we can see that we do indeed receive a reverse shell connection.

If you wanted to do it the other way by using a Groovy script reverse shell, we can just input the script from GitHub and change the IP:

Then, when we run the Groovy script, our Netcat listener would pick up the same reverse shell.


Privilege Escalation

From here, if we try to go back, we receive an Access Denied error as we are trying to navigate back to the Administrator folder.

Instead, we can simply navigate to C:\Users and list out to see what users are available on the system.

This tells us that there is a kohsuke user. If we try to access their Desktop, we are able to and as a result, we can grab the user flag.

From here, we can do some further enumeration like looking through their Documents folder.

Interestingly, we find a kdbx file. I don’t know what that file extension is for so we can Google it and find out.

It is a KeePass file, meaning if we open it, we likely get all of their stored credentials for their accounts. Next, we can grab this file by first setting up a Netcat listener that will output the contents to a file called CEH.kdbx.

Then, on the target, we can execute the Netcat file we downloaded earlier and, instead of just connecting, feed it the CEH.kdbx file as input.

Once executed, we will receive a connection on our Netcat listener with the file’s contents written to our local kdbx file.

If we check our files, we can see we have the CEH.kdbx file with contents inside it.

If we install KeePassX and try to import this file, it sadly prompts us for a password meaning we will have to enter a password before we get the juicy credentials.

However, all is not lost as there are ways to crack this password. One way is to first run keepass2john on the file to produce a hash for cracking purposes:

Once we have the hash, we can then use a tool like Hashcat with the rockyou wordlist to attempt to crack the password.

After a short minute, we get the cleartext password - moonshine1.

With this password, we can import the kdbx file into KeePass once again and open up the database file this time with the password.

Here, we can see a ton of different entries. In order to simplify the process, we can use a CLI tool called kpcli to help extract the passwords in a faster way.

First, we open up the database file and provide the master password.

Then, we type “find .” to find all the entries.

Once we find the 8 entries, we can use the “show -f” command to list out each entry.

Going through each entry, we can grab the ones that contain passwords and create a list.

We can remove the top one for now as it looks more like a password hash rather than a password itself.

With this password list, we can try something like CrackMapExec with the Administrator username to try and password spray our way in if any of the passwords were reused.

Unfortunately, they were not. Going back to the password hash we found, it looks like a normal Windows NTLM hash.

Knowing this, we can quickly pop it into a website like Crackstation and see if they have the known cleartext string for the NT or LM section.

The LM section comes back as empty, but the other section has come back as unknown meaning we are unlikely to crack this hash.

However, CrackMapExec does have the option to provide a password hash rather than a password. If we try that with the Administrator user, let’s see what happens.

It works! Even better, it comes back telling us that we Pwn3d! it meaning we have full SYSTEM rights.

With these credentials verified, we can use something like PSExec to spawn a shell.

Or, if you prefer, you could also use a program like pth-winexe to achieve the same result.
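The pass-the-hash login above (CrackMapExec or PsExec with the Administrator NT hash) authenticates over the network with NTLM, which Windows records as event 4624 with logon type 3. This added defender-side example, not from the original writeup, hunts the Security log for such logons; it assumes an elevated PowerShell session on the host (or a log collector) and the standard 4624 EventData field names.

```powershell
# Added example: list network logons (type 3) that authenticated with NTLM.
# On a standalone box like this one, NTLM is normal for local accounts, so the
# value is in spotting Administrator logons from an unexpected source address.
function Get-NtlmNetworkLogons {
    param([int] $Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    SourceIP    = $d.IpAddress
                    Workstation = $d.WorkstationName
                    LmPackage   = $d.LmPackageName   # e.g. "NTLM V2"
                }
            }
        }
}

# Usage: privileged network logons in the last day, newest first
Get-NtlmNetworkLogons -Hours 24 |
    Where-Object { $_.Account -like '*\Administrator' } |
    Sort-Object Time -Descending | Format-Table -AutoSize
```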

From here, we can navigate to the Desktop and grab the root.txt flag right? Well, if we list out the contents of the Desktop, we don’t see the root flag, but we instead see something titled “hm.txt”.

Reading the contents of this file tells us that the flag is elsewhere and to look deeper.

With this, I decided to try and run WinPEAS on this system to see if it picks up any interesting directories or files. To do this, we can first check whether the system is 64 or 32-bit using the systeminfo command.

It’s 64-bit. With this, we can download the 64-bit version of WinPEAS from the GitHub releases page.

Once downloaded, we need to transfer it over to the target machine by first hosting a Python web server so we can grab it.

Then, we can try downloading it on the target machine using either certutil or wget.

But we run into a problem with neither of these utilities being present on the system. We could try something else like hosting an SMB server, but in this CTF-style scenario, it screams to me that we are looking in the wrong place (at least for now).

I read the text file again and remembered back to a Digital Forensics course I did talking about Alternate Data Streams that can hide files inside of files in very basic terms.

To list out ADS, we can use the dir command with the /R switch.

And we see that the hm.txt file includes another file - root.txt - inside an Alternate Data Stream. To extract it and get its contents, we can use the “more < hm.txt:root.txt” command to read the alternate data stream instead of the standard file.
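As a forensic check for the same hiding technique, here is an added PowerShell example (not part of the original writeup) that does what dir /R and more < file:stream do above, but across a whole directory tree: it reports every file carrying a named stream and can read one back. It assumes a Windows host with PowerShell 3.0 or later; the Desktop path at the bottom is the one from the walkthrough.

```powershell
# Added example: find files under $Path that carry Alternate Data Streams.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is written by browsers on downloaded files and is
        # usually benign noise; drop it unless the caller asks for it.
        [switch] $IncludeZoneIdentifier
    )
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the unnamed primary stream every file has; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Read one named stream, the PowerShell equivalent of "more < hm.txt:root.txt".
function Get-StreamContent {
    param([Parameter(Mandatory)] [string] $File, [Parameter(Mandatory)] [string] $Stream)
    Get-Content -LiteralPath $File -Stream $Stream -Raw
}

# Usage on the folder from the walkthrough
Find-AlternateDataStreams -Path 'C:\Users\Administrator\Desktop' | Format-Table -AutoSize
Get-StreamContent -File 'C:\Users\Administrator\Desktop\hm.txt' -Stream 'root.txt'
```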

And we get the root flag!

