You’ll quickly see that almost all of the links are dead, except for the ‘Search’ button, which brings us to an ‘error.html’ page. Once you’re done reminiscing, let’s start clicking around and exploring this page.
For those of you who are too young to recognize, this was the landing page of the popular search engine ‘’, commonly used in the late 90’s and early 2000’s. If you don’t know by know, I tend to gravitate towards web services first, so I’m going to start by poking at port 80 first: An IIS 10 service running on the default port 80, SMB open on the usual 445, and an interesting ‘Jetty’ web service running on port 50000. Let’s see what our initial Nmap scan brings up for us: GOAL: Obtain the user.txt and root.txt flags located within the target filesystem.As the final step, we’ll take this hash and utilize a ‘Pass-the-hash’ attack with PsExec. We’ll obtain initial access by exploiting an exposed Jenkins server that is insecurely configured, and escalate our privileges by cracking a password-protected Keepass Database file to obtain an Administrator password hash. Welcome back everyone! Today I’ll be documenting my process through the retired Hack the Box machine, ‘Jeeves’.
0 kommentar(er)
