Alfred Walkthrough - OSCP Preparation

Reconnaissance

As always, the first step is reconnaissance, starting with port scanning.

Port Scanning

In this step we identify which services are listening behind the target IP address.

nmap -sV -sC -p0-65535 -oA nmap 10.10.147.92 -Pn -T5


80/tcp   open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
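As an added example (not part of the original walkthrough), the Python script below parses the nmap output above, embedded here as a constructed sample, and turns it into the review items a defender would raise from the same scan: the TRACE method on IIS, the Jetty listener that usually means Jenkins, and a robots.txt that disallows the whole site. The regular expressions and the wording of the flags are my own assumptions about nmap's normal-output format, not anything nmap itself provides.

```python
import re
from typing import Dict, List

# Constructed sample: the port and NSE lines of the nmap normal output shown
# above (host 10.10.147.92). Trailing spaces on some lines are as nmap prints them.
SAMPLE_NMAP = """\
80/tcp   open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# "80/tcp   open  http    Microsoft IIS httpd 7.5"  -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# "|_http-server-header: Microsoft-IIS/7.5"          -> script name, first output line
SCRIPT_RE = re.compile(r"^\|_?\s*([\w.-]+):\s*(.*)$")


def parse_nmap(text: str) -> List[Dict]:
    """Return one dict per port line, with each NSE script's output attached."""
    ports: List[Dict] = []
    current = None
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": {},
            }
            ports.append(current)
            last_key = None
            continue
        if current is None or not line.startswith("|"):
            continue  # "Service Info", headers and blank lines carry no port data
        m = SCRIPT_RE.match(line)
        if m:
            last_key = m.group(1)
            current["scripts"].setdefault(last_key, [])
            if m.group(2):
                current["scripts"][last_key].append(m.group(2))
        elif last_key is not None:
            # Continuation line of the previous script, e.g. "|_  Potentially risky methods: TRACE"
            current["scripts"][last_key].append(line.lstrip("|_ ").strip())
    return ports


def risk_flags(ports: List[Dict]) -> List[str]:
    """Defender-side triage: turn the parsed scan into concrete review items."""
    flags: List[str] = []
    for p in ports:
        if p["state"] != "open":
            continue
        where = f"{p['port']}/{p['proto']}"
        scripts = p["scripts"]
        if any("TRACE" in v for v in scripts.get("http-methods", [])):
            flags.append(f"{where}: HTTP TRACE method enabled; disable it on the web server")
        banner = p["version"] + " " + " ".join(scripts.get("http-server-header", []))
        if "Jetty" in banner:
            flags.append(f"{where}: Jetty listener (typically Jenkins); confirm it requires "
                         "authentication, default accounts are gone, and it is not reachable "
                         "from untrusted networks")
        if "/" in scripts.get("http-robots.txt", []):
            flags.append(f"{where}: robots.txt disallows the whole site; that hides nothing "
                         "from a scanner, so do not treat it as access control")
    return flags


if __name__ == "__main__":
    for flag in risk_flags(parse_nmap(SAMPLE_NMAP)):
        print(flag)
```

Feeding the script a full `-oN` file works the same way, since lines outside port blocks are ignored; the flags are only as good as the NSE scripts that ran, so a scan without `-sC` yields fewer of them.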

Enumerating Port 80

If we browse to port 80 we get the following page.

There’s an email address, alfred@wayneenterprises.com, that hints at a domain name. Let’s run gobuster to see whether any files or directories are hidden.

Gobuster

gobuster -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.147.92/ -s '200,301,403' 2>/dev/null

Enumerating Port 8080

The nmap result reveals that Jetty 9.4 is installed on port 8080.


8080/tcp open http Jetty 9.4.z-SNAPSHOT

The default credentials for Jenkins are admin:admin.

Searchsploit

Method #1 - Getting Reverse Shell Through Metasploit

I ran searchsploit for Jenkins and found this:

exploit/multi/http/jenkins_script_console

And we got the shell!

Method #2 - Getting Reverse Shell Manually

Login to Jenkins using admin:admin credentials.

Click on project.

Let’s configure it!

If we scroll down there’s an 'Execute Windows batch command' build step, from which we can get our reverse shell.

Click Apply and Save!


Privilege Escalation

Now, let’s start with Windows privilege escalation.

Windows User Impersonation

whoami /all
whoami /priv

SeImpersonatePrivilege        Impersonate a client after authentication Enabled

We’ll use incognito to escalate privileges.

Incognito v2.0 actually implements the exploitation of one of these cases already. If an account is not an Administrative user but has been granted SeDebugPrivilege and SeImpersonatePrivilege then Incognito v2.0 will automatically enable these privileges and use them to gain access to all tokens and so effectively escalate the SYSTEM. I don’t expect it will be particularly common to find this situation in practice but it may prove useful.

Source: Security Implications of Windows Access Tokens – A Penetration Tester’s Guide
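The single whoami /priv line above is what a token-impersonation tool acts on, and the quoted paper adds the detail that matters for defenders: a privilege that is merely held can be enabled by the process itself. As an added example that is not from the walkthrough or the cited paper, the Python script below parses a constructed whoami /priv table for a service account and reports the privileges that allow acting under another account's token, treating "Disabled" as held-but-not-enabled rather than absent. The privilege list, the explanations and the sample rows are my own assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample of `whoami /priv` output for a service account, modelled on
# the one line quoted in the walkthrough. Column widths follow whoami's layout:
# the longest description is followed by a single space before the State column.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
"""

# Privileges that let their holder run code under someone else's token.
# The wording is mine; the privilege names are the standard Windows ones.
TOKEN_PRIVILEGES: Dict[str, str] = {
    "SeImpersonatePrivilege": "impersonate any token a client hands to the process",
    "SeAssignPrimaryTokenPrivilege": "start a new process under another account's token",
    "SeDebugPrivilege": "open any process, SYSTEM ones included, and take its token",
    "SeTcbPrivilege": "act as part of the operating system",
}


def parse_privileges(text: str) -> Dict[str, str]:
    """Map privilege name -> state ("Enabled"/"Disabled") from whoami /priv output.

    Descriptions may contain spaces and are separated from the State column by as
    little as one space, so we split on whitespace and take first and last fields.
    """
    privs: Dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("="):       # the "=====" rule precedes the data rows
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("Se"):
            continue
        privs[parts[0]] = parts[-1]
    return privs


def token_abuse_findings(privs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Report held token-related privileges; a Disabled one still counts as held."""
    findings: List[Tuple[str, str, str]] = []
    for name, why in TOKEN_PRIVILEGES.items():
        state = privs.get(name)
        if state is None:
            continue  # not held at all: the only state that is actually safe
        if state == "Enabled":
            findings.append((name, state, f"can {why} right now"))
        else:
            findings.append((name, state,
                             f"held but disabled; the process can enable it itself and then {why}"))
    return findings


if __name__ == "__main__":
    for name, state, note in token_abuse_findings(parse_privileges(SAMPLE_WHOAMI_PRIV)):
        print(f"{name} [{state}]: {note}")
```

The practical takeaway is that the account a CI service or web application runs under should be a dedicated one that does not hold these privileges; removing them from a built-in service account is not an option, so the fix is changing the account, and this kind of check belongs in a build-server hardening review rather than only in a post-exploitation step.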


Let’s impersonate some tokens!

load incognito
list_tokens -g

impersonate_token "BUILTIN\Administrators"

We have to migrate to another process to properly use our reverse shell.
