Enumeration

Nmap

Initial Nmap enumeration revealed open HTTP, SMB and Jetty (port 50000) ports.

[Screenshot: 00 - nmap]

Directory Brute Force

Applied directory brute force which revealed Jenkins application.

[Screenshot: 01 - brute]

Exploitation

I could run Jenkins scripts without logging in, so I wrote a Groovy reverse shell and got a shell.

[Screenshot: 02 - jenkins script console]

[Screenshot: 03 - got a shell]

Then simply got the user flag.

[Screenshot: 04 - got the user]

Privilege Escalation

Initially I checked the current user’s privileges. It had SeImpersonatePrivilege, so I thought I could run JuicyPotato, but it did not work.

[Screenshot: 05 - privilege]

Setting Up File Share Server

So I set up an SMB file share server to share files between Windows and Linux in either direction.

[Screenshot: 06 - File Transfer]

[Screenshot: 06 - File Transfer 2]

winPEAS

Then I transferred winPEAS and ran it. It revealed that a ‘CEH.kdbx’ file was available.

[Screenshot: 07 - winPEAS]

Cracking KDBX

So using ‘keepass2john’ and then ‘john’ with the ‘rockyou.txt’ wordlist, I was able to crack the master password.

[Screenshot: 08 - kdbx]

Opening KDBX

Then using ‘keepass2’, I opened the KDBX and got some passwords.

[Screenshot: 09 - 0 got some passwords]

[Screenshot: 09 - got some passwords]

Getting Shell

All of them except Backup Stuff were cleartext passwords. I tried all of them against the Administrator user and none of them worked. The Backup Stuff password was an NTLM hash, so I thought maybe it was the Administrator’s hash. I ran ‘psexec.py’ with the hash and got the shell.

[Screenshot: 10 - got user]

Getting Flag

Initially there was no flag to read, but there was a ‘hm.txt’ file that said “Look Deeper”.

[Screenshot: 11 - trying]

After some research, I learned about alternate data streams. This post and this GitHub page explain what they are and how they can be used. So using this information, I read the alternate stream and got the root flag.
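As an added example (not part of the original writeup), here is a PowerShell helper a defender or examiner can use to find files that carry NTFS alternate data streams beyond the default data stream; the function name and the directory path are assumptions:

```powershell
# Added example, not from the original post. Walks a directory tree and reports
# every NTFS alternate data stream other than the primary ':$DATA' stream.
# Assumes Windows PowerShell 3.0 or later on an NTFS volume.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-Item -Stream * yields one object per stream of the file.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Usage: the path is a hypothetical location for the ‘hm.txt’ file.
Find-AlternateDataStreams -Path 'C:\Users\Administrator\Desktop' | Format-Table -AutoSize

# A stream found above can then be read by name:
# Get-Content -LiteralPath 'C:\Users\Administrator\Desktop\hm.txt' -Stream '<stream name>'
```

A `Zone.Identifier` stream is expected on files downloaded from the internet; any other named stream is worth a closer look.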

[Screenshot: 12 - alternate flag]

Pwned

The machine was fully compromised.

[Screenshot: pwned]

