HTB Series - Jeeves
We start by scanning the target with nmap to find open ports
Navigating to the HTTP ports, we can look at the directories under port 50000 using dirb
We navigate to /askjeeves
We navigate to Manage Jenkins > Script Console
We can use the script console to invoke a reverse shell
We use this reverse shell
We set up a listener on port 8044, run the script and receive a shell
We note privilege impersonation is enabled
We can use msf to create a web delivery script and configure it with options as shown below
We then run the exploit and execute the resulting script on the shell we have
We run the exploit suggester to see possible ways to escalate
We are aiming for some potato attack practice on this one, hence the following approach:
We opt for exploit/windows/local/ms16_075_reflection_juicy and configure it as shown below
Running the exploit gives us an elevated session
We then get a privileged shell
I was aiming for token impersonation, but this particular exploit ended up not having a system token I could impersonate, though it did pop a shell as System so that wasn't required anymore.
We navigate to the users directory for the user flag
We navigate to the Admin's directory for the root flag
The file says we should look deeper, so we can use the /R switch to look deeper.
It appears to be hidden in an alternate data stream; to uncover it we can use techniques from this Malwarebytes post
Or we can use this workaround with more
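For anyone auditing a host for data tucked away like this, here is an added example (not part of the original write-up) that parses saved `dir /R` output and lists every named alternate data stream. The sample listing, its file names and the choice to skip `Zone.Identifier` streams are assumptions made for the illustration.

```python
import re

# Constructed sample of `dir /R` output; names, sizes and dates are made up.
SAMPLE = r"""
 Directory of C:\Users\demo\Desktop

01/02/2020  10:00 AM    <DIR>          .
01/02/2020  10:00 AM    <DIR>          ..
01/02/2020  10:05 AM                36 notes.txt
                                    34 notes.txt:secret.txt:$DATA
01/02/2020  10:07 AM             1,024 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)          1,060 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Stream rows carry no date: leading spaces, size, then host:stream:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,.]+)\s+(.+):([^:]+):\$DATA\s*$")
# Assumption: Zone.Identifier (mark-of-the-web) is expected and not reported.
BENIGN = frozenset({"Zone.Identifier"})


def find_streams(dir_output, ignore=BENIGN):
    """Return (directory, host_file, stream_name, size) for each named stream."""
    found, current_dir = [], None
    for line in dir_output.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = STREAM_RE.match(line)
        if m and m.group(3) not in ignore:
            size = int(re.sub(r"\D", "", m.group(1)))
            found.append((current_dir, m.group(2), m.group(3), size))
    return found


if __name__ == "__main__":
    for directory, host, stream, size in find_streams(SAMPLE):
        print(f"{directory}\\{host} has stream '{stream}' ({size} bytes)")
```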