TryHackme: Alfred — Writeup
Step by step without metasploit
Hi,
This is my first post after a long time, and the first one in English.
Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.
Initial Access
Scanning
First, run nmap to check the open ports and services:
nmap -sV -A -Pn 5000 10.10.15.36 -T5
I got three ports: 80, 8080 and 3389.
Just browsing to http://10.10.15.36 shows the following page:
Based on the title of the room, I went directly to http://10.10.15.36:8080. Honestly, don't try a brute-force attack: my first attempt was alfred as the user, then admin with the password 123456, and lastly the famous admin / admin, and here we go!
Jenkins Control panel
TryHackMe gives you a couple of hints for finding code execution: first try with ipconfig, then build and check the console output.
I started a web server with Python to transfer files, and executed the commands from the Jenkins script console.
I used certutil to download netcat; it was copied to the temporary directory.
Successful transfer!
Run the following command to get a reverse shell:
Access gained!
Check user.txt.
Privilege Escalation
This room is focused on token impersonation, so I checked for the SeImpersonatePrivilege privilege.
The SeImpersonatePrivilege is described on MSDN as "User Right: Impersonate a client after authentication."
I used incognito to escalate privileges.
"Incognito v2.0 actually implements exploitation of one of these cases already. If an account is not an Administrative user but has been granted SeDebugPrivilege and SeImpersonatePrivilege then Incognito v2.0 will automatically enable these privileges and use them to gain access to all tokens and so effectively escalate the SYSTEM. I don't expect it will be particularly common to find this situation in practice but it may prove useful."
Source: https://labs.f-secure.com/archive/incognito-v2-0-released/
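The quote above describes why the escalation works: the account running Jenkins already holds the privileges that token tooling needs, and a "Disabled" privilege is still assigned and can simply be enabled. The following audit helper is an added example (not part of the original writeup or of Incognito): it parses the output of `whoami /priv` (assuming the stock English table layout; the sample below is constructed, not captured from the room) and reports which token-impersonation privileges a service account such as the Jenkins one holds, so a defender can verify this before an attacker does.

```python
# Audit a `whoami /priv` dump for privileges that permit token impersonation.
# Added example, not from the original writeup. Assumes the stock English
# table layout of `whoami /priv`; the sample below is constructed, not captured.
from __future__ import annotations

# Privileges that let a process acquire or impersonate other accounts' tokens;
# a service account (for example the one running Jenkins) holding them can
# reach SYSTEM, which is what the Incognito step in the writeup relies on.
IMPERSONATION_PRIVS = {
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeDebugPrivilege": "Debug programs (open any process and take its token)",
}

# Constructed sample in the layout `whoami /priv` prints.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeDebugPrivilege                Debug programs                            Disabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
"""


def parse_whoami_priv(text: str) -> dict[str, str]:
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with an Se...Privilege name; the State column is last.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[0].endswith("Privilege"):
            privs[parts[0]] = parts[-1]
    return privs


def risky_privileges(privs: dict[str, str]) -> dict[str, str]:
    """Held privileges (Enabled or Disabled) that permit token theft. A Disabled
    privilege still counts: it is assigned to the token and the process can
    enable it itself, which is exactly what Incognito v2.0 does."""
    return {n: s for n, s in privs.items() if n in IMPERSONATION_PRIVS}


if __name__ == "__main__":
    for name, state in risky_privileges(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)).items():
        print(f"{name:32} {state:9} {IMPERSONATION_PRIVS[name]}")
```

Any account that shows up with these privileges and does not need them is a candidate for a more restricted service identity; if the account must keep them, its presence in a build server's process tree is the thing to alert on.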
You can download it from:
I downloaded incognito from my Kali machine.
Run incognito.exe list tokens -u
I created a user.
The created user was added to the local administrators group, thanks Incognito v2.
User k1mura is now a local administrator.
Microsoft Terminal Services is enabled; log in with k1mura and voila, I got root.txt.
We have access to root.txt.
Thanks!