Today we’re going to solve another CTF machine, “Jeeves”. It is now a retired box and is accessible to VIP members.

Specifications

  • Target OS: Windows
  • IP Address: 10.10.10.63
  • Difficulty: Medium

Contents

  • Getting user
  • Getting root

Enumeration

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we’re gonna identify what’s running behind the IP address.

Enumerating Port 80

Nmap reveals IIS httpd 10.0 running on port 80, with a search page titled “Ask Jeeves”.

If you check the page source, there’s an error.html page which just contains a jeeves.PNG image.

This image reveals some information which might help us with exploitation or privilege escalation on the box.

Enumerating Port 50000

Nmap reveals a Jetty service running on port 50000. Let’s browse to 10.10.10.63:50000.

Let’s run dirbuster to see if there’s anything hidden.

We found /askjeeves, so let’s take a look at it.

Exploitation

If we google Jenkins exploits, we find that the Jenkins-CI Groovy script console can be used to execute OS commands via Java.

Reverse Shell: https://alionder.net/jenkins-script-console-code-exec-reverse-shell-java-deserialization

Manage Jenkins > Script Console

Reverse Shell

Click Run and start the listener.

Since we got a low-privilege shell, let’s try upgrading it to meterpreter.

Using PowerShell to transfer our generated shell.exe to the targeted machine.

After running the PowerShell command and executing shell.exe, we got a meterpreter session.

We can find user.txt under C:\Users\kohsuke\Desktop.

Privilege Escalation

Method 1

We start by gathering basic information about the target, so let’s check systeminfo first.

Copy all this information into a local file named systeminfo.txt. Now we’re gonna run Windows Exploit Suggester.

The machine is vulnerable to MS16-075 (RottenPotato):
https://github.com/foxglovesec/RottenPotato

Abusing Token Privileges For Windows Local Privilege Escalation

https://github.com/foxglovesec/RottenPotato
https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation

Currently there are no impersonation tokens available, so let’s run RottenPotato.exe again.

There you go!

And we’re NT AUTHORITY\SYSTEM.

Method 2

There’s a file CEH.kdbx under C:\Users\kohsuke\Documents.

After downloading the file, we had to check its file type.

This reveals a KeePass password database file type.
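Identifying a KeePass database by its signature, as an added example that is not part of the original write-up: this is the check that `file` performs, extended to decode the KDBX outer header so a defender auditing a share for exposed credential stores can also see the AES-KDF round count, which sets how cheaply a stolen database can be brute-forced offline. The sample header is constructed for the example; it is not the CEH.kdbx from the box.

```python
import struct

KDBX_SIG1 = 0x9AA2D903        # first 4 bytes of every KeePass database
KDBX_SIG2_KDB = 0xB54BFB65    # KeePass 1.x (.kdb) second signature
KDBX_SIG2_KDBX = 0xB54BFB67   # KeePass 2.x (.kdbx) second signature

# Outer header field IDs used by KDBX 3.x and 4.x
FIELD_NAMES = {0: "EndOfHeader", 1: "Comment", 2: "CipherID", 3: "CompressionFlags",
               4: "MasterSeed", 5: "TransformSeed", 6: "TransformRounds",
               7: "EncryptionIV", 8: "ProtectedStreamKey", 9: "StreamStartBytes",
               10: "InnerRandomStreamID", 11: "KdfParameters", 12: "PublicCustomData"}

def parse_kdbx_header(data: bytes) -> dict:
    """Identify a KeePass database from its signature and decode its outer header."""
    if len(data) < 12:
        raise ValueError("too short to be a KeePass database")
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if sig1 != KDBX_SIG1 or sig2 not in (KDBX_SIG2_KDB, KDBX_SIG2_KDBX):
        raise ValueError("not a KeePass database")
    info = {"format": "KDB 1.x" if sig2 == KDBX_SIG2_KDB else "KDBX 2.x",
            "version": f"{major}.{minor}", "fields": {}}
    if sig2 == KDBX_SIG2_KDB:
        return info                   # legacy fixed-layout header, no TLV fields
    # KDBX 3.x: (id: 1 byte, length: 2 bytes LE, value); KDBX 4.x widens length to 4 bytes
    tlv_fmt = "<BH" if major < 4 else "<BI"
    tlv_len = struct.calcsize(tlv_fmt)
    pos = 12
    while pos + tlv_len <= len(data):
        fid, flen = struct.unpack_from(tlv_fmt, data, pos)
        pos += tlv_len
        value = data[pos:pos + flen]
        if len(value) != flen:
            raise ValueError("truncated header field")
        pos += flen
        if fid == 6 and flen == 8:    # AES-KDF round count (KDBX 3.x)
            value = struct.unpack("<Q", value)[0]
        elif fid == 3 and flen == 4:  # 0 = no compression, 1 = gzip
            value = struct.unpack("<I", value)[0]
        info["fields"][FIELD_NAMES.get(fid, f"Unknown({fid})")] = value
        if fid == 0:
            return info
    raise ValueError("header not terminated")

# Constructed KDBX 3.1 header (not the CEH.kdbx from the box): gzip compression,
# 6000 AES-KDF rounds, terminated by the usual "\r\n\r\n" EndOfHeader record
SAMPLE_KDBX = (struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2_KDBX, 1, 3)
               + struct.pack("<BHI", 3, 4, 1)
               + struct.pack("<BHQ", 6, 8, 6000)
               + struct.pack("<BH", 0, 4) + b"\r\n\r\n")
```

Run it against `CEH.kdbx` with `parse_kdbx_header(open(path, "rb").read())`; a low TransformRounds value is what makes a leaked database cheap to crack with john.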

Open KeePass file.

This file is protected with a password, but we know how to get it 🙂

There’s a pre-installed program in Kali named keepass2john.

Let’s crack the hash.

Cracking Hash Using John

Password: moonshine1

Let’s open our keepass file.

There’s a bunch of data to be noted; upon checking each entry we found “Backup Stuff” revealing critical information.

Here’s the remaining content of keepass file.

But we found something interesting inside Backup Stuff.

NTLM Hash: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

Since the SMB service is running on the targeted machine, we can attempt to authenticate to the system using a password spray or pass-the-hash attack.

Metasploit PSEXEC Module

Module: exploit/windows/smb/psexec

Now let’s run it!

And we’re NT AUTHORITY\SYSTEM.

Now let’s look for the flag.

dir /a will show all the hidden files in the directory and dir /R will show alternate data streams.

hm.txt:root.txt:$DATA means that root.txt is stored in an alternate data stream of hm.txt.

To read root.txt: more < hm.txt:root.txt:$DATA