# Jeeves

## Gaining Access

Nmap scan:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-8229d07f6047dd0fd2e1fbba7b4c43a2f2ff6236%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

A more detailed service scan identifies the listener on port 50000 as Jetty. Jetty is a Java servlet container, so a Java web application is likely sitting behind it.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-1c32ca5bae934a8bc2e42ccc08ab2fd13018ff87%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Early enumeration shows nothing of interest on port 80, and SMB rejects null-session authentication, so there is nothing to do there without credentials. That leaves the Jetty service on port 50000 as the only realistic way in.

### Jenkins

Running `gobuster` against the web application on port 50000 reveals an `/askjeeves` directory.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-a12ab50fdb32a75b67de8d315583214b5ef231c0%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

When visiting the endpoint, we see a Jenkins instance running.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-98fa6de1c51e5ed5beecfae6a22575dc0e4f8fc9%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Jenkins exposes a Script Console that runs arbitrary Groovy on the controller with the privileges of the Jenkins service account, so anyone who can reach it can execute operating-system commands. We use it to launch a reverse shell back to our machine.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-f847f3a14745b1274ac6b08c1c3e654daa1d5c45%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Keepass Credentials

In the user's Documents folder there is a `.kdbx` file, a KeePass password database.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-18722854263d388c5ffbf11513f5660cf63a937a%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Its master password can be cracked rather easily. The header of a KeePass database is not encrypted and contains every key-derivation parameter (seeds, IV, round count), so the database can be converted into a hash (typically with `keepass2john`) and attacked offline with `john` or `hashcat`; only the strength of the master password stands in the way.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-6c074b4b8b8ced384a8d0cc9817ccd8d982f4a71%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
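To make concrete what the cracking step relies on, here is an added example (not part of the original writeup) that reproduces what `keepass2john` extracts from a KDBX 3.x database: it walks the unencrypted header and emits the `$keepass$*2*…` line that `john` and `hashcat` (mode 13400) consume. The database bytes are constructed inline with fixed, non-random seeds, and the name `sample.kdbx` is a placeholder; nothing here reads a real file.

```python
"""Extract the john/hashcat hash line from a KDBX 3.x (KeePass 2.x) header.

Everything an offline attack needs sits in the plaintext header: master seed,
transform seed, transform round count, IV and the expected first 32 plaintext
bytes. Only the master password is missing, which is why a weak one falls fast.
"""
import struct

# KDBX magic, stored little-endian on disk as 03 D9 A2 9A 67 FB 4B B5
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67

# Outer-header field IDs used by KDBX 3.x (1-byte ID, 2-byte LE length, data)
END_OF_HEADER = 0
CIPHER_ID = 2
COMPRESSION_FLAGS = 3
MASTER_SEED = 4
TRANSFORM_SEED = 5
TRANSFORM_ROUNDS = 6
ENCRYPTION_IV = 7
STREAM_START_BYTES = 9

# UUID KeePass assigns to AES-256; the only cipher john/hashcat accept for *2*
AES_CIPHER_UUID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")


def parse_kdbx3_header(blob: bytes) -> dict:
    """Return the header fields by ID plus the first 32 ciphertext bytes."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX 2.x database")
    if major != 3:
        # KDBX 4 moved the KDF into a variant dictionary (Argon2 parameters)
        # with 4-byte field lengths; its hash line has a different shape.
        raise ValueError(f"KDBX {major}.{minor} is not handled by this parser")
    fields = {}
    pos = 12
    while True:
        field_id, length = struct.unpack_from("<BH", blob, pos)
        pos += 3
        data = blob[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated header")
        pos += length
        if field_id == END_OF_HEADER:
            break
        fields[field_id] = data
    # The cracker decrypts this block with each candidate key; a hit is when
    # the plaintext equals STREAM_START_BYTES.
    fields["ciphertext"] = blob[pos:pos + 32]
    if len(fields["ciphertext"]) != 32:
        raise ValueError("payload shorter than 32 bytes")
    return fields


def kdbx3_to_john(blob: bytes, name: str) -> str:
    """Build the line keepass2john prints for an AES-encrypted KDBX 3.x file."""
    f = parse_kdbx3_header(blob)
    if f[CIPHER_ID] != AES_CIPHER_UUID:
        raise ValueError("non-AES cipher; the *2* format only covers AES")
    rounds = struct.unpack("<Q", f[TRANSFORM_ROUNDS])[0]  # the only cost knob
    return (f"{name}:$keepass$*2*{rounds}*0*"
            f"{f[MASTER_SEED].hex()}*{f[TRANSFORM_SEED].hex()}*"
            f"{f[ENCRYPTION_IV].hex()}*{f[STREAM_START_BYTES].hex()}*"
            f"{f['ciphertext'].hex()}")


def build_sample_kdbx3() -> bytes:
    """Constructed stand-in for a .kdbx file; seeds are sequential, not random."""
    def field(fid: int, data: bytes) -> bytes:
        return struct.pack("<BH", fid, len(data)) + data

    hdr = struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)  # format version 3.1
    hdr += field(CIPHER_ID, AES_CIPHER_UUID)
    hdr += field(COMPRESSION_FLAGS, struct.pack("<I", 1))   # gzip
    hdr += field(MASTER_SEED, bytes(range(0x00, 0x20)))
    hdr += field(TRANSFORM_SEED, bytes(range(0x20, 0x40)))
    hdr += field(TRANSFORM_ROUNDS, struct.pack("<Q", 6000))
    hdr += field(ENCRYPTION_IV, bytes(range(0x40, 0x50)))
    hdr += field(STREAM_START_BYTES, bytes(range(0x50, 0x70)))
    hdr += field(END_OF_HEADER, b"\r\n\r\n")
    return hdr + bytes(range(0x70, 0x90)) + b"\x00" * 16   # fake encrypted payload


if __name__ == "__main__":
    print(kdbx3_to_john(build_sample_kdbx3(), "sample.kdbx"))
```

The round count is the only tunable cost in this format, and it is readable by anyone holding the file; with the default of a few thousand AES rounds a dictionary attack on a weak master password finishes in seconds. KDBX 4 databases (KeePass 2.35 and later) replace this scheme with Argon2 and need the newer `keepass2john` output, which this parser deliberately refuses rather than mis-parsing.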

With the master password recovered, we can open the database with `kpcli` and list the entries stored in it.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-eecafb70962d79ff79bb25f3ec55c08582225296%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The `Backup stuff` entry does not hold a plaintext password but an NTLM hash.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-aa2bb6e49032c5572c8f3cdc9d281f9285232e3b%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The `DC Recovery PW` entry holds further passwords, which are worth keeping for spraying.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-5331a3de6d77bc61042a4ad87fbf5e94ce05bacf%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The NTLM hash is enough on its own: NTLM authentication proves knowledge of the hash, not of the password, so we can pass the hash with `pth-winexe` and get a shell as the administrator. This works because SMB is reachable and the account is a local administrator, which lets `pth-winexe` install its service through the admin share.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-ab116deda495aad3df920498b7b41ff6ee03b18b%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### Hidden Flag

When trying to capture the root flag, this is what we see:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-8a3d7517d4639438f9efad4447388c949ade3f6d%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The hint to look deeper points at NTFS alternate data streams (ADS). An NTFS file can carry more than its default `$DATA` stream; additional named streams hold bytes that normal directory listings, file-size columns and most tools never show, so the file looks like an ordinary text file with nothing in it.

{% embed url="https://owasp.org/www-community/attacks/Windows_alternate_data_stream" %}

Because the standard tooling ignores these streams, they are a convenient place to hide one file inside another. Listing the streams of the flag file (for example with `dir /R`, or `Get-Item -Stream *` in PowerShell) exposes the hidden one:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-ee65dab81c6ec8682b2159a49c59e4984101a15a%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The alternate stream holds 34 bytes of hidden data, which is the flag. Since `type` cannot open a stream directly, we redirect the stream's contents into a regular file in another folder and read the flag from there.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-205a3b6862203f2faf34201b6dbb8785f37a4ec5%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
