🪄Jeeves
https://app.hackthebox.com/machines/114
Starting with nmap, we see a web server on port 80 and another on port 50000.
Port 80:
just a webpage like this; the links do not go anywhere, and if we search for anything:
we get an error page with "SQL Server" written on it, so maybe there is a SQLi somewhere,
but we quickly see the error page is a fake one; it's an image:
So let's move on to port 50000
open up the graphical interface and fire up the manual exploitation like this:
after waiting for a bit, we find a subdomain that redirects to a dashboard ->
Jeeves is well known to be insecure and to have a script console section
We instantly see that the script console uses groovy:
now we go and fetch our payload of choice:
Groovy Reverse Shell - https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76
Set up a listener, modify the payload:
then fire up the payload and get your shell:
Now is the perfect moment to look at our previous documentation, Impersonation and Potato Attacks; we instantly see our go-to path:
Another way of enumerating is ->
copy and paste the whole output into a txt file, then
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
./v.py
./windows-exploit-suggester.py: this is the command to execute the Python script. The ./ prefix specifies that the script is located in the current directory.
--database 2020-04-17-mssb.xls: this option specifies the database file to be used by the script. The file named 2020-04-17-mssb.xls likely contains information about known Microsoft security bulletins and the vulnerabilities associated with them.
--systeminfo systeminfo.txt: this option specifies the system information file to be used by the script. The file named systeminfo.txt likely contains detailed information about the target Windows system, such as operating system version, installed patches, and installed software.
If run correctly, it will suggest Hot Potato, Juicy Potato, etc.
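The suggester works entirely from the text that systeminfo prints, most importantly the OS version and the list of installed KB hotfixes. As an added example, not from this writeup and not from the Windows-Exploit-Suggester project, here is a small PowerShell parser that pulls those fields out of a systeminfo capture and reports which entries from a list of expected patches are absent. The systeminfo text, the KB numbers in it and the list of required patches are all constructed placeholders, not bulletin data.

```powershell
# Added example (not from the writeup or from Windows-Exploit-Suggester):
# parse a systeminfo capture and report which expected hotfixes are missing.

# Constructed sample of systeminfo output; a real capture has many more lines.
# For a real file use:  $systemInfoText = Get-Content -Raw .\systeminfo.txt
$systemInfoText = @'
Host Name:                 CONSTRUCTED-HOST
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.10586 N/A Build 10586
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB3150513
                           [02]: KB3161102
                           [03]: KB3172729
Network Card(s):           1 NIC(s) Installed.
'@

function ConvertFrom-SystemInfo {
    param([Parameter(Mandatory)][string]$Text)
    # (?m) makes ^ and $ match at line boundaries inside the multi-line capture.
    $os      = [regex]::Match($Text, '(?m)^OS Name:\s+(.*)$').Groups[1].Value.Trim()
    $version = [regex]::Match($Text, '(?m)^OS Version:\s+(.*)$').Groups[1].Value.Trim()
    # Every "[nn]: KBxxxxxxx" line under Hotfix(s) is one installed patch.
    $kbs = [regex]::Matches($Text, '\[\d+\]:\s*(KB\d+)') | ForEach-Object { $_.Groups[1].Value }
    [pscustomobject]@{ OSName = $os; OSVersion = $version; Hotfixes = @($kbs) }
}

function Get-MissingHotfix {
    param(
        [Parameter(Mandatory)]$Parsed,
        [Parameter(Mandatory)][string[]]$Required
    )
    # Anything in the expected list that systeminfo did not report is unpatched.
    $Required | Where-Object { $Parsed.Hotfixes -notcontains $_ }
}

# Placeholder list of patches expected on this build; replace with your own baseline.
$requiredPatches = 'KB3150513', 'KB3172729', 'KB0000001'

$parsed = ConvertFrom-SystemInfo -Text $systemInfoText
'{0} ({1}) reports {2} hotfix(es) installed' -f $parsed.OSName, $parsed.OSVersion, $parsed.Hotfixes.Count
Get-MissingHotfix -Parsed $parsed -Required $requiredPatches   # KB0000001 with the sample above
```

The suggester does the same comparison against the bulletin spreadsheet instead of a hand-written list, which is why an outdated --database file or a systeminfo capture with a truncated hotfix list silently produces wrong suggestions.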
We could also use Metasploit:
then paste this payload into your already existing session:
and back in your msfconsole you just have to type in the command:
then, to continue, you could enumerate:
put that aside with the background command and use this payload:
and if you did everything correctly and you run the payload, you'll get a shell.
Now let's follow in cmd:
And when we go to the Administrator desktop we find no root flag?
Alternate Data Streams - https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
What we learn in this article is that there are primary data streams and alternate data streams.
Primary Data Streams:
Primary data streams are the main data associated with a file. When you create or modify a file in Windows, you're working with its primary data stream.
Every file in NTFS has at least one primary data stream, which contains the file's main content.
Primary data streams are typically what you interact with when you open, read, write, or execute a file. They contain the file's actual data, such as text, executable code, images, etc.
Files with only primary data streams are considered "regular" files in Windows.
Alternate Data Streams (ADS):
Alternate data streams are additional streams of data that can be associated with a file. They are not typically visible through regular file system navigation tools like File Explorer.
An alternate data stream is a named stream of data that is attached to a file's primary data stream. Each alternate data stream is associated with a specific name, allowing multiple streams to exist within a single file.
Alternate data streams can be used for various purposes, such as storing metadata, file attributes, or additional content related to the main file.
While alternate data streams are not commonly used in everyday file operations, they can be leveraged by attackers for hiding malicious content or data within seemingly innocent files.
So on the Desktop we see an hm.txt file;
to view the contents of the hidden stream we can type more < hm.txt:root.txt
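The more < file:stream trick reads one stream whose name you already know. What a defender usually wants is the other direction: find every file on a box that carries a non-default stream at all. As an added example, not from this writeup, here is a PowerShell script that creates a constructed file with a hidden stream, enumerates all alternate data streams under a directory (everything except the default :$DATA stream), and then reads one of them by name; the directory, file name and stream contents are constructed.

```powershell
# Added example (not from the writeup): enumerate and read NTFS alternate data streams.
# Requires NTFS; directory, file and stream contents below are constructed.

$dir    = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$sample = Join-Path $dir 'hm.txt'

# Build the sample: visible content in the primary stream, plus a named ADS.
Set-Content -Path $sample -Value 'Nothing to see here.'
Set-Content -Path $sample -Stream 'hidden.txt' -Value 'constructed hidden content'

function Get-HiddenStreams {
    param([Parameter(Mandatory)][string]$Path)
    # Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# Directory-wide sweep: the constructed file shows up with its 'hidden.txt' stream.
$found = Get-HiddenStreams -Path $dir
$found | Format-Table -AutoSize

# Read one named stream; this is the PowerShell equivalent of 'more < hm.txt:hidden.txt'.
Get-Content -Path $sample -Stream 'hidden.txt'

# The same listing without PowerShell, from cmd:
#   dir /r "$dir"
```

Run Get-HiddenStreams against a user's Desktop or a download folder to spot files that carry more than their visible content; a Zone.Identifier stream is the usual benign hit (it marks files downloaded from the internet), so anything with a different stream name deserves a closer look.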
Very good writeup: https://thecyberjedi.com/jeeves/