Alfred THM
TryHackMe Machine
Last updated
IP
Initial Nmap scan
-sV: Version detection on the open ports it finds (identifies the services running on the machine)
-sC: Runs Nmap's NSE (Nmap Scripting Engine) scripts using the default script set
-A: Shorthand that enables version detection (-sV), script scanning (-sC), OS detection and traceroute
-oA: Saves the output in all three formats (normal, grepable and XML) under one base filename
Looks like we have three ports open:
80: HTTP
3389: RDP
8080: HTTP
When we navigate to the web page, it seems to be static, with no functionality beyond remembering the once-great Batman.
We do find an email address
and possibly a username.
We check the page source but find nothing interesting.
Let's try to find some hidden directories.
We can use feroxbuster for this.
Nothing of great interest was found.
When we navigate to the other web page, we do find Jenkins.
But wait, what is Jenkins?
Jenkins is an open-source automation server used for continuous integration and continuous delivery (CI/CD) of software projects. It is written in Java and provides a web-based user interface to manage and configure automation tasks in software development. Its default credentials are admin:admin.
Woohoo, we are in!
A quick Google search shows there is a way to establish a reverse shell through the Jenkins Script Console. To get there: “Manage Jenkins” → “Script Console”.
What's interesting about the Script Console is that it runs Groovy script in the context of Jenkins.
Groovy is the scripting language used to write scripts for Jenkins Pipelines and other automation tasks. Jenkins Pipelines is a suite of plugins that support building continuous delivery pipelines using code written in Groovy. For us, it is a way to talk to the backend server and establish a shell.
We are going to use the following repo
Within the Nishang repo, we can find "Invoke-PowerShellTcp.ps1".
Let's copy it to our working directory.
Okay, we can use the Script Console to execute PowerShell commands that fetch our Invoke-PowerShellTcp.ps1
and run the Invoke-PowerShellTcp.ps1 script with our IP and port number as parameters.
First things first, we need to bring up a Python3 web server.
Set up a netcat listener.
Once our server and listener are set, let's run the Groovy script.
We now have a shell as the user bruce.
First things first, let's get some information about the system we are on.
Let's find the users on the system.
Nothing too interesting here.
Let's see if our user 'bruce' has any privileges.
This looks interesting.
We can use the tool JuicyPotato to take advantage of SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, if enabled on the machine, to elevate our local privileges to SYSTEM.
Normally, these privileges are assigned to service users, admins and local systems (high-integrity users).
Bonus tip: if the machine is running IIS or SQL services, these privileges will be enabled by default.
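From the defender's side, the thing to audit is exactly what this step abuses: which accounts on a host hold SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, and whether a CI service such as Jenkins runs under one of them. The following PowerShell audit is an added example, not part of the original write-up; it assumes an elevated session (secedit needs admin rights to export policy) and that the Jenkins service name contains "jenkins".

```powershell
# Added audit example (not from the original write-up).
# Lists the holders of the two token privileges that JuicyPotato-style escalation relies on,
# then shows which account the Jenkins service runs as. Assumes an elevated PowerShell session.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$watch = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

# The exported policy has a [Privilege Rights] section with lines like
#   SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
$lines = Get-Content $cfg | Where-Object { $_ -match '^\s*Se\w+Privilege\s*=' }

foreach ($line in $lines) {
    $name, $value = $line -split '=', 2
    $name = $name.Trim()
    if ($watch -notcontains $name) { continue }

    # Entries are SIDs prefixed with '*'; translate each to an account name where possible.
    $holders = $value -split ',' | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')
        try {
            ([System.Security.Principal.SecurityIdentifier]$entry).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $entry }   # keep the raw SID if it cannot be resolved
    }
    [pscustomobject]@{ Privilege = $name; Holders = ($holders -join '; ') }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Which account runs Jenkins? If it appears in the Holders list above, a Script Console
# user can reach SYSTEM the way this write-up does; run CI services as a low-privilege account.
Get-CimInstance Win32_Service -Filter "Name LIKE '%jenkins%'" |
    Select-Object Name, StartName, State
```

Run it on the build host and compare the Holders column with the StartName of the Jenkins service; the fix is a dedicated low-privilege service account rather than LocalSystem or an administrator.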
First, we need a fresh potato.
Second, we need to find the right CLSID for our system. Remember, when we checked the system info we saw we are currently on a Windows 7 machine. We can navigate to
If we refer to and
we now have the CLSID.
Third, we need to generate a reverse shell. We will use msfvenom for this.
Fourth, let's set up a netcat listener to catch the reverse shell.
Now that we have our rev.exe (reverse shell) and our fresh potato (JuicyPotato.exe), let's transfer them onto the target system.
Set up a Python3 web server.
From our target machine
Now we should have all the files we need to establish a reverse shell as NT AUTHORITY\SYSTEM.
Performing the JuicyPotato attack
When we look back at our netcat listener
We now have a shell as NT AUTHORITY\SYSTEM.