Power belongs to the people who take it

WriteUp – Jeeves (HackTheBox)

In this post we will work through the Jeeves machine from HackTheBox. It has just been retired, so there is no better time to show you how I solved it.
It is a medium-difficulty Windows machine that I enjoyed a lot.

My nick on HackTheBox is: manulqwerty
If you have any suggestions or corrections, do not hesitate to leave a comment; that way we all learn.

Jeeves WriteUp

Enumeration

As always, we start with a port scan:

nmap -sC -sV 10.10.10.63

As the Nmap output shows, there are two HTTP ports: 80 and 50000.
At first glance we see nothing that could be useful.


So let's look for hidden directories/files with Gobuster:


Let's check the URL we found:

http://10.10.10.63:50000/askjeeves

We see that it is a Jenkins instance (open source continuous integration software written in Java). Poking around a bit, we see that we can create projects.

Exploitation

New Item > Freestyle project > Build > Add build step > Execute Windows batch command

As you can see, we can run Windows commands. Let's create a PowerShell payload:

To create our payload we will use Veil-Evasion, although we could use other tools such as Unicorn or Empire, among others.
Veil-Evasion is a generator of meterpreter payloads.


We start the meterpreter listener that Veil-Evasion leaves prepared for us and paste the .bat into the 'Execute Windows batch command' box in Jenkins.
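From the defender's side, an 'Execute Windows batch command' build step is stored in the job's config.xml, so it can be audited. The following is an added example, not part of the original post: it scans job configurations for command build steps that launch PowerShell with encoded or hidden-window arguments or that fetch remote content. The rule patterns and both sample configs are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Jenkins element names for command-type build steps in a job's config.xml.
COMMAND_STEPS = {"hudson.tasks.BatchFile", "hudson.tasks.Shell"}

# Heuristic rules (assumptions; tune them for your own build estate).
RULES = {
    "encoded-powershell": re.compile(
        r"powershell(?:\.exe)?\b[^\n]*\s-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden-window": re.compile(
        r"powershell(?:\.exe)?\b[^\n]*\s-w[a-z]*\s+hidden", re.I),
    "download-cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|certutil(?:\.exe)?\s+-urlcache", re.I),
}

def audit_job(config_xml: str) -> list[tuple[str, str]]:
    """Return (step_type, rule_name) for every suspicious command build step."""
    # Jenkins writes an XML 1.1 declaration that expat rejects; drop it first.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml)
    findings = []
    for step in ET.fromstring(body).iter():
        if step.tag not in COMMAND_STEPS:
            continue
        command = step.findtext("command") or ""
        for name, rule in RULES.items():
            if rule.search(command):
                findings.append((step.tag, name))
    return findings

# Constructed sample configs (not taken from the box or the original post).
BENIGN = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders>
  <hudson.tasks.BatchFile><command>msbuild app.sln /p:Configuration=Release</command></hudson.tasks.BatchFile>
</builders></project>"""

SUSPICIOUS = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders>
  <hudson.tasks.BatchFile><command>@echo off
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=</command></hudson.tasks.BatchFile>
</builders></project>"""

if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, audit_job(cfg))
```

Run it over every `jobs/*/config.xml` under the Jenkins home directory and review each hit alongside who created or last modified the job.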

Post-Exploitation

Once we have a shell we can read user.txt.

Let's gather information in order to find a vector we can use to escalate. Among the files we find a .kdbx, the extension of the files used by the KeePass password manager, and we will try to crack it.



Among all the passwords we find one that looks like an NTLM hash. Let's connect via smb/psexec:

Another possible way to escalate is Rotten Potato.

We have now escalated, so all that remains is to read root.txt. In this case there is a small challenge, since 'root.txt' is hidden inside another .txt file.
Using dir /R we can see it easily.


9 Comments

  1. sell

    I have read some just right stuff here. Certainly value bookmarking for revisiting. I surprise how much attempt you place to make this type of excellent informative website.

    • Manuel López Pérez

      Thank you very much, we will continue posting good content and also in English. I invite you to follow us on Twitter to not miss any post.
      https://twitter.com/ironHackers

  2. click through the next web page

    I think other site proprietors should take this website as an model, very clean and great user genial style and design, let alone the content. You’re an expert in this topic!

  3. blog da renata

    I was just looking for this info for a while. After 6 hours of continuous Googling, finally I got it in your web site. I wonder what’s the lack of Google strategy that do not rank this type of informative websites in top of the list. Generally the top web sites are full of garbage.

  4. Web Site

    Very nice post. I just stumbled upon your blog and wanted to say that I’ve really enjoyed browsing your blog posts. In any case I’ll be subscribing to your feed and I hope you write again soon!

  5. blog da ana

    Very good written information. It will be valuable to anybody who employs it, as well as yours truly :). Keep up the good work – for sure I will check out more posts.

  6. Clicking Here

    Thanks a bunch for sharing this with all folks you really understand what you’re speaking about! Bookmarked. Please also talk over with my web site =). We may have a link change arrangement between us!

  7. more info

    Thanks a bunch for sharing this with all folks you really understand what you’re speaking about! Bookmarked. Please also talk over with my web site =). We may have a link change arrangement between us!

  8. more info

    I truly wanted to post a brief comment to be able to thank you for some of the lovely pointers you are sharing at this site. My incredibly long internet search has at the end of the day been honored with excellent facts and techniques to share with my good friends. I’d express that most of us site visitors are really lucky to exist in a wonderful site with so many special people with insightful tips and hints. I feel rather blessed to have come across your site and look forward to so many more entertaining moments reading here. Thanks a lot once more for all the details.
