Tuesday, July 30, 2019

Jeeves






1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine Jeeves from the Hack The Box pentesting platform:

https://www.hackthebox.eu/


2 - ENUMERATION

- Jeeves's IP is 10.10.10.63:




- Scanning with Nmap:




- Connecting to the web server on port 80:





- Connecting to the web server on port 50000:





- Running DirBuster against both web servers, we find the folder askjeeves on port 50000:








- Browsing /askjeeves we find a Jenkins server.

- Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software:


https://jenkins.io/





- Going to Manage Jenkins:





- Under Script Console, a Groovy script console is available that allows writing and running code on the server:







3 - EXPLOITATION

3.1 - Getting a remote reverse shell

- The Apache Groovy language is a Java-syntax-compatible object-oriented programming language that can be used as both a programming and scripting language for the Java Platform:






- There are multiple available scripts for getting a reverse shell, for instance this one:





- Setting up a Netcat listener, adapting the script to our needs and running it:







- The result is a remote reverse shell:




- The user is kohsuke:




- However, it seems that we cannot leave the current folder due to a lack of administrative privileges:




3.2 - Meterpreter session with web_delivery

- Let's create a web_delivery exploit on Kali with the purpose of getting a Meterpreter session:




- After setting all options and running the web_delivery exploit, a PowerShell script is created:




- Now the PowerShell script must be run in the remote reverse shell from Jeeves:




- As a consequence, a Meterpreter session is opened:




- Getting information about the current folder, user and the system:











4 - PRIVILEGE ESCALATION

- RottenPotato is a local privilege escalation binary that escalates from a service account to System:





- Downloading rottenpotato.exe to Kali:





- Getting as many system privileges as possible with getprivs:




- Uploading rottenpotato.exe to Jeeves:




- Loading the incognito extension:




- Executing rottenpotato.exe:




- Impersonating System:





- Now we've got System privileges:




- Spawning a shell:










5 - CAPTURING THE 1st FLAG

- Reading user.txt:





6 - CAPTURING THE 2nd FLAG

- Going to the Administrator's Desktop we find hm.txt:




Alternate Data Stream (ADS) is the ability of an NTFS file system (the main file system format in Windows) to store different streams of data, in addition to the default stream which is normally used for a file.

- The two stream types that are commonly used directly by Windows programs are data ($DATA) and index ($INDEX_ALLOCATION).

- The relevant attribute for our scope is the $DATA attribute, which is used to store the data streams of a file.

- In the past, it was common to store a malicious payload within an ADS of a legitimate file. But today, many security solutions will detect and scan ADSs.

- For further information:

https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams

https://www.deepinstinct.com/2018/06/12/the-abuse-of-alternate-data-stream-hasnt-disappeared/

https://stackoverflow.com/questions/50518734/dir-r-and-output-stream-in-windows-machine


- The option dir /R calls FindFirstStreamW and FindNextStreamW on each file or directory in a listing in order to list its $DATA streams:
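As an added example (not part of the original write-up), the following Python code parses saved `dir /R` output and lists every named $DATA stream, which is one way to triage ADS use across collected directory listings. The sample listing, its file and stream names, and the one-entry allowlist are constructed assumptions.

```python
import re

# Constructed sample of `dir /R` output (names, sizes and dates are made up).
SAMPLE = r"""
 Directory of C:\Users\Example\Desktop

01/02/2020  10:05 AM    <DIR>          .
01/02/2020  10:05 AM    <DIR>          ..
01/02/2020  10:07 AM                40 hm.txt
                                    28 hm.txt:example.txt:$DATA
01/02/2020  09:00 AM             1,024 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
01/02/2020  09:30 AM    <DIR>          tools
                                   512 tools:cache:$DATA
               2 File(s)          1,064 bytes
"""

# A stream line has no date/time columns: "<size> <host>:<stream>:$DATA".
STREAM_LINE = re.compile(r"^\s+([\d.,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Streams Windows itself creates; reported but not flagged (assumed allowlist).
BENIGN_STREAMS = {"zone.identifier"}

def find_streams(dir_r_output):
    """Return one dict per named $DATA stream listed by `dir /R`."""
    found = []
    for line in dir_r_output.splitlines():
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size, host, stream = m.groups()
        found.append({
            "host": host,
            "stream": stream,
            "size": int(re.sub(r"[.,]", "", size)),
            "flagged": stream.lower() not in BENIGN_STREAMS,
        })
    return found

def flagged(dir_r_output):
    """Host:stream pairs that deserve a closer look."""
    return [f"{s['host']}:{s['stream']}" for s in find_streams(dir_r_output) if s["flagged"]]

if __name__ == "__main__":
    for s in find_streams(SAMPLE):
        print(s)
```

Because the pattern keys on the `name:stream:$DATA` suffix and not on the date columns, it also picks up streams attached to directories, which `dir /R` lists the same way.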